For safe use of digital certificates, a careful check on the validity of the certificates is very important. This validity check can be made using a Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP).
Hoe does OCSP function?
OCSP displays the current status information about the validity of a certificate. Every time the browser of a visitor creates a secure https connection connection with a website, it will check the validity of the certificate by the CA (the certificate issuer). This is a standard and essential part of setting up the SSL connection; depending on the response from the CA, the connection may or may not be established.
What is OCSP stapling?
In this method, the webserver is the intermediary between the client browser and the CA. The webserver where the SSL certificate is installed on, provides the browser the cached OCSP response. This makes it un necessary for the browser of the visitor to make a separate connection to the CA. The OCSP response is digitally signed and time-stamped by the CA. This all makes OCSP stapling a safe and quick method to check the validity.
How do I enable OCSP stapling on my server?
At the moment of writing not all servers and browsers support OCSP stapling. If your server supports OCSP stapling, it is highly recommended to turn this feature on. The visitor won't notice, when using a browser that is compatible for OCSP stapling it will use that, otherwise just regular OCSP.
- Nginx 1.3.7+
- Windows Server 2008
- IIS 7.5 +
- Apache 2.4 +
- Chrome 12+ onder Windows
- Internet Explorer 9+ onder Vista en hoger
- Opera v11+