Introduction

OCSP (Online Certificate Status Protocol) stapling allows the web server to fetch and cache the certificate's revocation status from the CA's OCSP responder, then staple this response to the TLS handshake. Without stapling, each client must separately query the OCSP responder, adding latency and creating privacy concerns. When OCSP stapling is misconfigured, browsers may show warnings or connections may fail if the OCSP responder is unreachable.

Symptoms

  • SSL Labs test shows OCSP stapling: No
  • Browser developer tools show OCSP request to external CA server
  • TLS handshake takes 200-500ms longer due to OCSP responder query
  • Connections fail when CA's OCSP responder is down
  • Chrome shows Revocation information not available in certificate details

Common Causes

  • OCSP stapling not enabled in web server configuration
  • ssl_trusted_certificate not set to the full chain (needed for OCSP verification)
  • DNS resolver not configured in Nginx (required for OCSP responder lookup)
  • OCSP responder URL not accessible from the server
  • Certificate does not contain an OCSP responder URL in the AIA extension

Step-by-Step Fix

  1. 1.Check if the certificate supports OCSP stapling:
  2. 2.```bash
  3. 3.openssl x509 -in cert.pem -noout -text | grep -A2 "Authority Information Access"
  4. 4.# Should show: OCSP - URI:http://ocsp.example-ca.com
  5. 5.`
  6. 6.Configure OCSP stapling in Nginx:
  7. 7.```nginx
  8. 8.server {
  9. 9.listen 443 ssl;
  10. 10.ssl_certificate /etc/nginx/ssl/fullchain.pem;
  11. 11.ssl_certificate_key /etc/nginx/ssl/privkey.pem;

# OCSP stapling ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/nginx/ssl/fullchain.pem;

# DNS resolver (required for OCSP responder lookup) resolver 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 5s; } ```

  1. 1.Configure OCSP stapling in Apache:
  2. 2.```apache
  3. 3.SSLUseStapling on
  4. 4.SSLStaplingResponderTimeout 5
  5. 5.SSLStaplingReturnResponderErrors off
  6. 6.SSLStaplingCache shmcb:/var/run/ocsp(128000)
  7. 7.# In the VirtualHost:
  8. 8.SSLCACertificateFile /etc/apache2/ssl/fullchain.pem
  9. 9.`
  10. 10.Test OCSP stapling:
  11. 11.```bash
  12. 12.# Check if OCSP response is stapled
  13. 13.openssl s_client -connect yoursite.com:443 -status -tlsextdebug </dev/null 2>&1 | \
  14. 14.grep -A 15 "OCSP response"
  15. 15.# Should show: OCSP Response Status: successful
  16. 16.`
  17. 17.Manually query the OCSP responder to verify it is reachable:
  18. 18.```bash
  19. 19.# Get the OCSP responder URL from the certificate
  20. 20.OCSP_URL=$(openssl x509 -in cert.pem -noout -ocsp_uri)
  21. 21.# Query it directly
  22. 22.openssl ocsp -issuer intermediate.pem -cert cert.pem \
  23. 23.-url "$OCSP_URL" -resp_text
  24. 24.`
  25. 25.Verify with SSL Labs after deployment:
  26. 26.Reload the web server and run a new SSL Labs scan. The OCSP stapling field should show Yes.

Prevention

  • Include OCSP stapling configuration in all web server deployment templates
  • Monitor OCSP responder availability as part of certificate health checks
  • Set up alerts when SSL Labs shows OCSP stapling as No
  • Use full chain certificates for ssl_trusted_certificate to enable stapling verification
  • Configure the ssl_stapling_cache (Nginx: ssl_stapling uses shared memory by default)