# developer tools# website monitoring
OCSP Stapling Explained for Website Owners
When a browser connects to your HTTPS site, it needs to verify that your SSL certificate hasn't been revoked. The traditional mechanism for this — OCSP (Online Certificate Status Protocol) — has two significant problems: it's slow and it leaks user privacy.
OCSP stapling solves both problems. Here's what it is and why it matters.
The Problem: OCSP Lookups Are Slow and Privacy-Invasive
Without OCSP stapling, a browser's TLS handshake works like this:
- Browser connects to your server
- Server sends its certificate
- Browser sends a separate request to the CA's OCSP server to check if the certificate is still valid
- CA's OCSP server responds
- TLS handshake completes
Step 3–4 adds latency (a round trip to a third-party server) and tells the CA which sites users are visiting — a privacy concern.
If the CA's OCSP server is slow or unavailable, browsers either wait (adding noticeable latency) or silently accept the certificate without verification (a security compromise). This is called "soft-fail" behaviour.
What OCSP Stapling Does
OCSP stapling moves the OCSP check from the browser to your server. Your server:
- Periodically fetches a signed OCSP response from the CA
- Caches it (valid for hours, typically 24–48 hours)
- Delivers ("staples") it to the browser during the TLS handshake
The browser receives the certificate and a fresh, CA-signed proof of validity in one step — no separate OCSP lookup needed. The privacy problem is also solved: the CA never sees which users are visiting your site.
Enabling OCSP Stapling on Nginx
server {
listen 443 ssl;
server_name yourdomain.com;
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# Nginx needs the full chain including the root to verify the stapled response
ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
# DNS resolver for OCSP queries (use a fast, reliable resolver)
resolver 1.1.1.1 8.8.8.8 valid=300s;
resolver_timeout 5s;
}
After reloading Nginx, the first connection will trigger an OCSP lookup. The response is cached and subsequent connections will serve the stapled response.
Enabling OCSP Stapling on Apache
<VirtualHost *:443>
ServerName yourdomain.com
SSLEngine on
SSLCertificateFile /etc/ssl/certs/yourdomain.crt
SSLCertificateKeyFile /etc/ssl/private/yourdomain.key
SSLCertificateChainFile /etc/ssl/certs/chain.pem
# OCSP stapling
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
</VirtualHost>
# Required in the global config (outside VirtualHost)
SSLStaplingCache shmcb:/run/ocsp(128000)
Verifying OCSP Stapling Is Working
# Connect and request the OCSP staple
echo | openssl s_client -connect yourdomain.com:443 \
-servername yourdomain.com -status 2>/dev/null \
| grep -A 10 "OCSP response"
# What you want to see:
# OCSP Response Status: successful (0x0)
# Cert Status: Good
# This Update: ...
# Next Update: ...
# What a missing staple looks like:
# OCSP Response Data: No OCSP response provided
Note: the staple may not appear on the very first connection after enabling — Nginx/Apache need to fetch it first. Try again after 30 seconds.
OCSP Must-Staple
There's a stricter variant called OCSP Must-Staple, set via a certificate extension that instructs browsers to reject the connection if no valid stapled response is provided. This eliminates soft-fail behaviour entirely.
The risk: if your server fails to serve the OCSP staple (misconfiguration, OCSP server unreachable), browsers refuse the connection — even though the certificate itself is valid.
OCSP Must-Staple is appropriate for high-security environments with reliable operations. For most sites, standard OCSP stapling without Must-Staple is the right balance. The CA/Browser Forum has ongoing discussions about OCSP and stapling requirements.
Let's Encrypt and OCSP Stapling
Let's Encrypt supports OCSP stapling. Certbot-managed certificates work with the Nginx/Apache configurations above.
One caveat: Let's Encrypt's OCSP responses expire every 7 days. Your server needs to fetch a fresh OCSP response before the cached one expires. If your server can't reach Let's Encrypt's OCSP server (firewall, network issue), the stapled response goes stale and browsers may fall back to direct OCSP lookups.
Why OCSP Stapling Matters for Performance
TLS handshake latency directly affects page load time. Eliminating the separate OCSP round-trip (typically 50–200ms) measurably improves connection speed, particularly for first-time visitors whose browser has no cached OCSP response.
SSL Labs rates OCSP stapling as part of your overall TLS configuration score. See how to test TLS configuration before renewing a certificate to run a full audit.
Monitoring SSL Performance
Domain Monitor monitors your SSL certificates and HTTPS response health. Create a free account to track certificate validity and get advance expiry warnings.
Also in This Series
More posts
Wildcard vs SAN vs Single-Domain SSL Certificates: Which Do You Need?
Wildcard, SAN (multi-domain), and single-domain SSL certificates cover different use cases. Here's a clear comparison to help you pick the right type — and avoid paying for coverage you don't need.
Read moreWhy DNS Works in One Location but Fails in Another
DNS resolves correctly from your office but fails for users in other countries or on different ISPs. Here's why geographic DNS inconsistency happens and how to diagnose which layer is causing it.
Read moreRegistrar Lock vs Transfer Lock: What's the Difference?
Registrar lock and transfer lock are often confused — and disabling the wrong one leaves your domain vulnerable. Here's a clear breakdown of what each does and when to use them.
Read moreSubscribe to our PRO plan.
Looking to monitor your website and domains? Join our platform and start today.