OCSP stapling allows DCDN to proactively cache online certificate validation results and deliver them to clients during the TLS handshake. Clients no longer need to query the certificate authority (CA) for the certificate status themselves, which reduces certificate validation time and improves user access speed.
How it works
A certificate authority (CA) provides the Online Certificate Status Protocol (OCSP), which lets a client check the validity and revocation status of a digital certificate in real time.
Without OCSP stapling, a client that wants to confirm the certificate has not been revoked queries the CA's OCSP responder during every TLS handshake. These frequent OCSP queries add a round trip to the handshake and can slow down user access.
After you enable OCSP Stapling, the DCDN server queries the CA's OCSP responder on the client's behalf at a low frequency and caches the result (default cache duration: 60 minutes). When a client initiates a TLS handshake, the DCDN server sends the cached OCSP response together with the certificate, so the client does not need to send a query to the CA. This shortens the TLS handshake and saves certificate validation time.
- OCSP stapling is disabled by default.
- The default cache duration for an OCSP response is 60 minutes. When the cache expires, the first request after expiry is served without a stapled response; stapling resumes once the server has fetched a new OCSP response from the CA.
- You can enable or disable OCSP stapling for domains that use HTTPS. Removing a domain's HTTPS certificate configuration automatically disables OCSP stapling for that domain.
- An OCSP response is digitally signed by the CA (or by an OCSP responder the CA has authorized), and the client verifies that signature and the response's validity period. A DCDN node therefore cannot forge or alter the certificate status it staples, and the feature introduces no additional security risk.
Prerequisites
Before you configure OCSP stapling, make sure that the following requirements are met:
- An SSL certificate is configured. For more information, see Configure an SSL certificate.
Procedure
- Log on to the DCDN console.
- In the left-side navigation pane, click Domain Names.
- On the Domain Names page, find the domain name that you want to manage and click Configure.
- In the left-side navigation tree of the domain name, click HTTPS Settings.
- In the OCSP Stapling section, turn on OCSP Stapling.
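The following shell script is an added example; it is not part of the DCDN documentation or product. It shows the handshake behaviour described under "How it works" from the client side and gives you a way to verify, after completing the steps above, that the domain actually staples an OCSP response. It relies on the -status option of openssl s_client, which asks the server for a stapled response and prints it. The hostname, port 443, and the exact wording of the OpenSSL text output that the patterns match are assumptions; the sample transcripts embedded in the script are constructed so that the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not DCDN documentation or product code): check whether a
# TLS endpoint staples an OCSP response and what that response says.
# Assumptions: OpenSSL's s_client -status text output format, port 443.

# Fetch one handshake transcript for HOST. Needs network access; the
# offline samples below do not use it.
ocsp_transcript() {
  host="$1"
  openssl s_client -connect "$host:443" -servername "$host" -status \
    </dev/null 2>/dev/null
}

# Classify a transcript as one of: no-staple | error | good | revoked | unknown
# "no-staple" is what you see before enabling the feature, and also on the
# first request after the 60-minute cache has expired.
classify_ocsp() {
  t="$1"
  if printf '%s\n' "$t" | grep -q '^OCSP response: no response sent'; then
    echo no-staple
    return 0
  fi
  if ! printf '%s\n' "$t" | grep -q 'OCSP Response Status: successful'; then
    echo error
    return 0
  fi
  status=$(printf '%s\n' "$t" | sed -n 's/^ *Cert Status: \([a-z]*\).*/\1/p' | head -n 1)
  echo "${status:-unknown}"
}

# Print the Next Update time of the stapled response (empty if none), which
# is when the client will stop accepting this response as valid.
ocsp_next_update() {
  printf '%s\n' "$1" | sed -n 's/^ *Next Update: //p' | head -n 1
}

# Constructed sample transcripts, trimmed to the lines the parser looks at.
SAMPLE_GOOD=$(cat <<'EOF'
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responses:
    Cert Status: good
    This Update: Jan 10 12:00:00 2024 GMT
    Next Update: Jan 17 12:00:00 2024 GMT
======================================
EOF
)

SAMPLE_REVOKED=$(cat <<'EOF'
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Responses:
    Cert Status: revoked
    Revocation Time: Jan 9 08:00:00 2024 GMT
    This Update: Jan 10 12:00:00 2024 GMT
    Next Update: Jan 17 12:00:00 2024 GMT
======================================
EOF
)

SAMPLE_NONE=$(cat <<'EOF'
CONNECTED(00000003)
OCSP response: no response sent
EOF
)

# Against a live domain you would run:
#   classify_ocsp "$(ocsp_transcript www.example.com)"
classify_ocsp "$SAMPLE_GOOD"
```

Run the live check once before enabling OCSP Stapling and once a few minutes after; the result should move from no-staple to good. If it stays at no-staple, confirm that the domain has an HTTPS certificate configured, because removing the certificate configuration disables stapling.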
