Configure OCSP stapling
OCSP stapling allows CDN to fetch and cache the result of online certificate validation in advance and deliver it to clients inside the TLS handshake. Clients no longer need to query the certificate authority (CA) for the certificate's revocation status themselves, which shortens certificate validation and speeds up user access.
How it works
A certificate authority (CA) operates an Online Certificate Status Protocol (OCSP) responder, which lets a client check in real time whether a digital certificate is still valid or has been revoked.
Without OCSP stapling, a client that wants to verify the revocation status sends an OCSP query to the CA during the TLS handshake. These queries add a round trip to a third party, reduce TLS handshake efficiency, and can slow down user access.
After you enable OCSP Stapling, the CDN server queries the CA's OCSP responder itself, at a low frequency, and caches the CA-signed response (default cache duration: 60 minutes). When a client initiates a TLS handshake, the CDN server sends the cached OCSP response to the client together with the certificate (the TLS status_request extension), so the client does not need to contact the CA. This greatly improves TLS handshake efficiency and saves certificate validation time.
- OCSP stapling is disabled by default.
- The default cache duration for an OCSP response is 60 minutes. When the cache expires, the first TLS handshake is served without a stapled response and the client falls back to its normal certificate validation. Stapling resumes after the CDN server fetches a new OCSP response from the CA.
- You can enable or disable OCSP stapling for domains that use HTTPS. Removing a domain's HTTPS certificate configuration automatically disables OCSP stapling for that domain.
- An OCSP response is digitally signed by the CA, so the CDN cannot alter or forge it. The client verifies the signature and the response's validity period exactly as it would for a response fetched from the CA directly; stapling only changes who delivers the response, not the assurance it provides.
Prerequisites
Before you begin, make sure you meet the following requirements:
- You have configured an HTTPS certificate for your domain name. For more information, see Configure an HTTPS certificate.
- The client must support the TLS status_request (OCSP stapling) extension. Mainstream browsers and TLS libraries do; a client that does not request the extension completes the handshake without a stapled response and validates the certificate as before.
Procedure
- Log on to the CDN console.
- In the left navigation pane, click Domain Names.
- On the Domain Names page, find the target domain name and click Manage in the Actions column.
- In the domain's navigation pane, click HTTPS.
- In the OCSP Stapling section, turn OCSP Stapling on or off.
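After turning the feature on, confirm from the client side that a stapled response is really being delivered. The following POSIX shell script is an added example, not part of the CDN product or its documentation: it uses `openssl s_client -status`, which sends the TLS status_request extension and prints any stapled OCSP response before the certificate chain, and it classifies that output. The sample transcripts embedded in the script are constructed (abridged from the openssl output format) so the parsing can be exercised offline; the domain name, TCP port 443 and using the domain as SNI are assumptions of the live check.

```shell
#!/bin/sh
# Added example (not part of the CDN product): check from the client side whether a
# domain staples an OCSP response, using the openssl command-line tool.
# `openssl s_client -status` requests the TLS status_request extension and prints
# the stapled OCSP response (if any) before the certificate chain.

# Classify the output of `openssl s_client -status` read from stdin.
# Prints "stapled:<cert status>", "not-stapled" or "unknown".
# Exit status: 0 = stapled, 1 = server sent no response, 2 = unrecognised output.
ocsp_staple_status() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
    status=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: *//p' | head -n 1)
    echo "stapled:${status:-unknown}"
    return 0
  elif printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
    echo "not-stapled"
    return 1
  else
    echo "unknown"
    return 2
  fi
}

# Print the Next Update timestamp of the stapled response read from stdin (empty if none).
# A stapled response is only useful to the client while Next Update lies in the future,
# so this is the value to compare against the CDN's cache duration.
ocsp_next_update() {
  sed -n 's/^ *Next Update: *//p' | head -n 1
}

# Live check. Assumptions: HTTPS on port 443 and SNI equal to the domain name.
# </dev/null closes the connection right after the handshake.
check_domain_stapling() {
  domain=$1
  openssl s_client -connect "$domain:443" -servername "$domain" -status </dev/null 2>/dev/null \
    | ocsp_staple_status
}

# Constructed sample transcripts, abridged from the openssl s_client -status output format.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================'

SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent'

# Offline demo on the constructed samples; pass a domain name to run the live check instead.
if [ -n "${1-}" ]; then
  check_domain_stapling "$1"
else
  printf '%s\n' "$SAMPLE_STAPLED" | ocsp_staple_status
  printf '%s\n' "$SAMPLE_STAPLED" | ocsp_next_update
  printf '%s\n' "$SAMPLE_NOT_STAPLED" | ocsp_staple_status || true
fi
```

A "not-stapled" result on a single handshake is not necessarily a misconfiguration: as noted above, the first handshake after the 60-minute cache expires is served without a stapled response, so repeat the check before concluding that the feature is off.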