Skip to main content
    My-SSL LogoMy-SSL
    Security

    OCSP Stapling Explained: What It Is, How It Works, and How to Enable It

    OCSP stapling caches a CA-signed revocation proof on your server and delivers it at TLS handshake time. Learn how to enable it on Nginx, Apache, and IIS.

    MS
    My-SSL Security Team
    ·
    14 min read
    ·Published June 1, 2026

    Every time a browser opens a secure connection to your site, it needs to verify that your SSL certificate is still valid — not just unexpired, but also not revoked. Revocation is the certificate authority's mechanism for invalidating a certificate before its expiry date: it's used when a private key is compromised, an organization changes its name, or a certificate was mis-issued.

    The classic revocation protocol, OCSP (Online Certificate Status Protocol), works — but it comes with a cost. Every new TLS connection triggers a separate HTTP request from the browser to the CA's OCSP server, adding latency, revealing the user's browsing activity to a third party, and failing silently when the OCSP server is unreachable. OCSP stapling eliminates all three problems by moving the OCSP query from the browser to your web server.

    This guide explains the full picture: how certificate revocation works, what OCSP stapling does differently, what changed in 2025–2026 (including Let's Encrypt dropping OCSP entirely), and how to enable and verify stapling on Nginx, Apache, and IIS.

    2026 note: OCSP stapling applies to commercial CA certificates

    Let's Encrypt discontinued its OCSP responder on August 6, 2025. Certificates issued by Let's Encrypt no longer contain an OCSP URL, so OCSP stapling does not apply to them. This guide is relevant for certificates from commercial CAs — DigiCert, Sectigo, GlobalSign, Comodo — which continue to operate OCSP responders. If you're on a paid commercial certificate, read on.

    What is certificate revocation?

    A CA certificate has two end-of-life conditions: expiry and revocation. Expiry is automatic — the certificate simply stops being trusted after the Not After date. Revocation is deliberate — the CA marks the certificate as invalid before expiry, typically because:

    • The certificate's private key was compromised or stolen
    • The certificate was mis-issued — wrong domain, wrong organization
    • The organization ceased to operate or changed legal identity
    • The subscriber requested revocation (early replacement, key rotation)

    There are two traditional mechanisms for distributing revocation information to clients (our CRL vs OCSP revocation guide compares them in depth and covers the 2025–2026 shift back to CRLs):

    CRL (Certificate Revocation List)

    A signed batch file published periodically by the CA listing all revoked certificate serial numbers. Browsers must download the entire file to check one certificate. CRLs can be megabytes in size for large CAs, making on-demand checking impractical. Most browsers no longer download CRLs directly for every connection.

    OCSP (Online Certificate Status Protocol)

    A real-time protocol (RFC 6960) for querying the status of a single certificate. The browser sends the certificate's serial number to the CA's OCSP responder and receives a signed "good", "revoked", or "unknown" response. Faster than CRL for individual lookups, but adds a network roundtrip to every new connection.

    Chrome takes a different approach entirely: it uses CRLSets — a curated, compressed list of high-priority revocations (compromised CA intermediates, high-profile incidents) distributed through Chrome's component update mechanism. CRLSets cover a small fraction of all revocations but do so without any per-connection network request.

    Plain OCSP and its problems

    Vanilla OCSP — where the browser queries the CA's OCSP responder directly — has three significant drawbacks in practice:

    Added latency on every new connection

    Before the TLS handshake completes, the browser opens an additional HTTP connection to the CA's OCSP server. Depending on the user's location and the CA's infrastructure, this adds 50–300 ms per new connection. Browsers cache OCSP responses (typically for a few hours), so returning visitors don't pay this cost every time — but first-time visitors do.

    Privacy leak to the CA

    When the browser queries the CA's OCSP server, it sends the certificate's serial number along with its IP address. This means the CA — a third party — learns which websites a user is visiting and when. For high-traffic commercial CAs, this creates a detailed browsing log across thousands of sites.

    Soft-fail means revocation is often unenforced

    Because OCSP servers are sometimes unreachable — due to network outages, captive portals, or CA infrastructure issues — browsers implement OCSP in "soft-fail" mode: if the OCSP check fails or times out, the browser proceeds with the connection anyway. This means a well-positioned attacker who can block OCSP traffic may be able to use a revoked certificate without the browser raising an alert.

    What is OCSP stapling?

    OCSP stapling — formally the TLS Certificate Status Request extension, defined in RFC 6066 (Section 8) — shifts the OCSP query from the browser to the web server. Instead of the browser contacting the CA's OCSP responder on every new connection, your web server periodically fetches the OCSP response, caches it, and "staples" it to the TLS handshake it sends to the browser.

    This resolves all three problems with plain OCSP simultaneously:

    • No browser roundtrip — the revocation proof arrives in the same TLS handshake as the certificate itself.
    • Privacy preserved — the CA never sees the browser's IP address; only the server contacts the OCSP responder.
    • Cached server-side — if the CA's OCSP server is temporarily unavailable, the server continues serving its cached response until it expires, rather than leaving clients to soft-fail.

    The stapled OCSP response is signed directly by the CA, so the browser can verify its authenticity without trusting the server. A compromised server cannot forge a valid OCSP response — it would need the CA's private signing key.

    How OCSP stapling works step by step

    Here is the sequence of events when OCSP stapling is enabled on a server:

    1

    Server startup / cache refresh

    When the web server starts (or when the cached OCSP response approaches expiry), it sends an OCSP request to the CA's OCSP responder URL — the same URL embedded in the certificate's Authority Information Access (AIA) extension.

    2

    CA returns a signed OCSP response

    The CA's OCSP responder returns a DER-encoded OCSP response signed with the CA's OCSP signing key. The response includes the certificate's serial number, its status (good/revoked/unknown), a thisUpdate timestamp, and a nextUpdate timestamp indicating when a fresh response should be fetched.

    3

    Server caches the response

    The server stores the signed response in memory (or a shared cache, in the case of Apache's SSLStaplingCache). Nginx and Apache both handle cache refresh automatically, fetching a new response before the current one expires.

    4

    Browser initiates TLS handshake

    The browser connects and includes a "status_request" extension in its TLS ClientHello message, indicating it supports and would like a stapled OCSP response.

    5

    Server attaches the stapled response

    The server includes the cached OCSP response in its CertificateStatus message during the TLS handshake — effectively stapling the revocation proof to the certificate delivery.

    6

    Browser verifies without a network roundtrip

    The browser verifies the stapled OCSP response using the CA's public key (which it already trusts from the certificate chain). No additional network request is needed. The TLS handshake completes.

    The certificate itself does not change. OCSP stapling is a server-configuration feature — you enable it in your web server without reissuing or replacing your SSL certificate.

    OCSP Must-Staple (RFC 7633)

    OCSP stapling is optional — a browser that supports it will use the stapled response if present, but will also accept a certificate without one (the soft-fail problem persists in the absence of stapling). OCSP Must-Staple was designed to close this gap.

    Defined in RFC 7633, OCSP Must-Staple is an X.509v3 certificate extension (OID 1.3.6.1.5.5.7.1.24) that a CA can embed in a certificate at issuance. It instructs clients that a valid stapled OCSP response is mandatory — if the server fails to provide one, the client must reject the connection.

    In theory, this hard-fails revocation checks rather than soft-failing. In practice, Must-Staple has not been widely adopted:

    • Browser enforcement was inconsistent — some browsers ignored the extension
    • Server misconfiguration (forgetting to enable stapling on a Must-Staple cert) immediately breaks all connections to the site, with no bypass option
    • Let's Encrypt removed Must-Staple support in January 2025
    • The industry is moving toward short-lived certificates as the replacement for revocation checking — see the 47-day certificate lifetime roadmap

    Recommendation: Do not request an OCSP Must-Staple certificate unless you have a mature, monitored OCSP stapling configuration and are certain you can maintain uninterrupted stapling. A stapling failure on a Must-Staple certificate takes down your site with no workaround until the certificate is replaced.

    What changed in 2025–2026

    The OCSP ecosystem shifted significantly in 2023–2026. Understanding these changes helps you assess whether OCSP stapling is relevant for your setup.

    CA/Browser Forum Ballot SC-063 (July 2023): OCSP made optional

    Prior to SC-063, the CA/Browser Forum Baseline Requirements mandated that CAs operate OCSP responders for all issued certificates. Ballot SC-063 made OCSP optional — CAs may now omit the OCSP URL from certificates and rely solely on CRLs (or other revocation mechanisms like short-lived certificates). This opened the door for CAs to retire OCSP infrastructure.

    Let's Encrypt ended OCSP on August 6, 2025

    Let's Encrypt announced in July 2024 that it would replace OCSP with CRLs and ultimately move toward short-lived certificates as the primary revocation mechanism. As of August 6, 2025, Let's Encrypt certificates no longer contain an OCSP URL. OCSP stapling configuration on a server serving only Let's Encrypt certificates is now a no-op — there is nothing to staple.

    Short-lived certificates as the long-term replacement

    The industry's direction is clear: as certificate lifetimes shrink — to 199 days now, 100 days by March 2027, and 47 days by March 2029 per CA/Browser Forum Ballot SC-081 — the window during which a revoked certificate could be misused narrows to the point where real-time revocation checking becomes less critical. A compromised 47-day certificate expires before most revocation infrastructure even becomes aware of the incident. Learn more in our guide to the 47-day certificate lifetime changes.

    Commercial CAs continue operating OCSP responders

    Despite Let's Encrypt's exit, major commercial CAs — DigiCert, Sectigo, GlobalSign, Comodo/Certum — continue to operate OCSP responders and include OCSP URLs in certificates. For the foreseeable future, certificates purchased through My-SSL from these CAs will have OCSP endpoints, and OCSP stapling remains a useful configuration.

    When does OCSP stapling still matter?

    Enable OCSP stapling if…

    • Your certificate is from a commercial CA (DigiCert, Sectigo, GlobalSign, Comodo)
    • You want a clean A+ on SSL Labs
    • You care about minimizing TLS handshake latency
    • You want to avoid leaking user visits to the CA's OCSP servers

    Skip OCSP stapling if…

    • Your certificate is from Let's Encrypt (no OCSP URL to staple)
    • You're on a managed hosting platform where you can't control web server config
    • Your server can't reach the CA's OCSP endpoint outbound (airgapped or strict egress firewalls)

    Enable OCSP stapling on Nginx

    Nginx has supported OCSP stapling since version 1.3.7 (released 2012). The feature requires OpenSSL 0.9.8h or later, which is standard on any current Linux distribution. Configuration is done in the server block for the HTTPS virtual host.

    You need the full certificate chain file for ssl_trusted_certificate. This is the same chain (CA bundle) file you use for ssl_certificate, or a separate file containing just the intermediate and root certificates — without your leaf certificate. See our Nginx SSL installation guide for how to assemble the chain file correctly.

    Add the following directives to your HTTPS server block:

    server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/ssl/certs/example.com.crt;   # leaf + intermediates
    ssl_certificate_key /etc/ssl/private/example.com.key;

    # OCSP stapling
    ssl_stapling        on;
    ssl_stapling_verify on;

    # Chain file for OCSP verification (intermediates + root, or full chain)
    ssl_trusted_certificate /etc/ssl/certs/chain.pem;

    # Resolver for the server to reach the CA's OCSP endpoint
    # Use a fast public resolver or your own caching resolver
    resolver        8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
}

    Directive reference

    DirectivePurpose
    ssl_stapling onEnables OCSP stapling. Nginx fetches the OCSP response at startup and refreshes before expiry.
    ssl_stapling_verify onVerifies the CA's OCSP response signature. Requires ssl_trusted_certificate to be set.
    ssl_trusted_certificatePath to a PEM file containing the CA chain (intermediates + root) used to verify the OCSP response signature.
    resolverDNS resolver Nginx uses to look up the CA's OCSP hostname. Required when the OCSP URL is a hostname. The valid=300s overrides the TTL for DNS responses.

    After editing the configuration, test and reload:

    nginx -t && systemctl reload nginx

    Nginx fetches the OCSP response on the first TLS connection after reload, not at reload time. The response won't appear immediately — make one HTTPS request to the site first, then verify (see the ).

    Enable OCSP stapling on Apache

    Apache HTTP Server has supported OCSP stapling since version 2.3.3 via mod_ssl. The key difference from Nginx is that the stapling cache must be defined at the global server level (outside any VirtualHost block).

    Step 1: Add the global stapling cache

    In your main Apache configuration file (e.g., /etc/apache2/apache2.conf or /etc/httpd/conf/httpd.conf), outside any VirtualHost:

    # Global OCSP stapling cache — place OUTSIDE any VirtualHost block
SSLUseStapling On
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)

    Step 2: Configure the VirtualHost

    Inside your HTTPS VirtualHost block, add the optional tuning directives:

    <VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/example.com.key
    SSLCertificateChainFile /etc/ssl/certs/chain.pem

    # Optional: tune OCSP stapling behavior per-vhost
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingFakeTryLater off
</VirtualHost>

    Directive reference

    DirectivePurpose
    SSLUseStapling OnEnables OCSP stapling for all SSL virtual hosts. Must be in global context.
    SSLStaplingCacheShared memory cache for OCSP responses across Apache worker processes. 128 KB is sufficient for most setups.
    SSLStaplingResponderTimeoutSeconds to wait for the CA's OCSP server to respond. Default is 10 s; 5 s is more practical.
    SSLStaplingReturnResponderErrors offSuppresses stapled "error" responses from OCSP. Set to off so that only valid "good" responses are stapled.
    SSLStaplingFakeTryLater offPrevents sending a fake "try later" response when no cached OCSP response is available. Recommended off.

    Test the configuration and restart:

    apachectl configtest && systemctl restart apache2
# or on RHEL/Rocky/AlmaLinux:
apachectl configtest && systemctl restart httpd

    See our Apache SSL installation guide for more on assembling the certificate chain file correctly.

    Enable OCSP stapling on IIS

    Microsoft IIS has supported OCSP stapling since IIS 7 on Windows Server 2008, and it is enabled by default on IIS 8 and later. In most cases there is nothing to configure — Windows handles the OCSP response caching and stapling automatically through the Windows Certificate Services infrastructure (CryptoAPI).

    SNI multi-site exception

    On IIS with SNI (Server Name Indication) enabled for multiple HTTPS sites sharing a single IP and port, OCSP stapling may be disabled by default. To re-enable it, set the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
  EnableOcspStaplingForSni = 1  (DWORD)

    After setting the key, restart the HTTP.sys service:

    net stop http /y && net start w3svc

    IIS fetches and caches OCSP responses via the Windows HTTP Services (WinHTTP) stack. The cache is shared across all IIS sites. Unlike Nginx and Apache, there are no per-site OCSP stapling directives to configure — it's either on or off at the Windows platform level.

    Verify OCSP stapling

    1. OpenSSL command-line test

    The most reliable way to verify stapling is with the OpenSSL client. Run:

    echo QUIT | openssl s_client -connect example.com:443 -status 2>/dev/null   | grep -A 10 "OCSP response"

    A successful stapling response includes:

    OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
...
    Cert Status: Good

    If you see OCSP response: no response sent, stapling is not working. On Nginx, make sure you've made at least one HTTPS request to the site since the last reload — Nginx fetches the OCSP response lazily on the first request, not at startup.

    2. SSL Labs test

    The Qualys SSL Labs server test (ssllabs.com/ssltest) reports OCSP stapling status in the "Certificate" section. Look for:

    OCSP stapling   Yes

    3. Browser DevTools

    In Chrome, open DevTools → Security tab → click "View certificate" → look at the certificate details. The "OCSP" field shows whether a stapled response was included. Note that Chrome uses CRLSets rather than live OCSP checks, so it may not display this for all sites.

    Common issues

    Nginx: no response on first request after reload

    Normal behavior. Nginx fetches the OCSP response on the first connection after configuration load. Make one HTTPS request, then re-run the OpenSSL test.

    ssl_stapling_verify fails — certificate verify error

    The ssl_trusted_certificate file is wrong or missing the full chain. Make sure it contains both the intermediate CA certificate and the root CA certificate in PEM format.

    Apache: stapling cache not initialized

    SSLStaplingCache must be defined in the global context (outside all VirtualHost blocks). Check that mod_ssl is loaded and restart Apache after adding the directive.

    OCSP response: no response sent

    The server can't reach the CA's OCSP endpoint. Check outbound firewall rules — the server needs outbound HTTP (port 80) to the OCSP URL listed in the certificate's Authority Information Access extension.

    Complete your TLS security stack

    OCSP stapling is one layer of a well-hardened TLS configuration. Pair it with the following for a comprehensive setup:

    • TLS 1.3 — 1-RTT handshake, mandatory forward secrecy, encrypted certificate exchange.
    • HSTS — force HTTPS on all future connections, including the first request.
    • CAA records — restrict which CAs can issue certificates for your domain.
    • Need a commercial CA certificate with OCSP support? Browse our DV SSL certificates from $3.99/year — all from major CAs that operate OCSP responders.

    Frequently asked questions