Understanding of OCSP Stapling
[Header image: Sun and Moon Pagodas, Shanhu Lake, Guilin, China]

What's OCSP Stapling?

OCSP stapling, also known as the TLS Certificate Status Request extension, is an alternative approach to the Online Certificate Status Protocol (OCSP) for checking the revocation status of X.509 digital certificates. It allows the presenter of a certificate to bear the resource cost involved in providing OCSP responses, instead of the issuing Certificate Authority (CA). [WIKI]

With OCSP stapling, it is the responsibility of the web site to obtain the OCSP response from the CA's responder and send that response to clients/browsers during the SSL/TLS handshake. OCSP stapling is defined as the TLS Certificate Status Request extension in section 8 of RFC 6066.

The Benefits of OCSP Stapling

The performance bottleneck of the OCSP server

If a client checks the certificate status directly with the OCSP server, then for every client presenting a given certificate, the OCSP server has to respond with that certificate's status. For high traf...
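The handshake described above, as an added example that is not part of the original post: a Go server attaches a pre-fetched OCSP response to its certificate (`tls.Certificate.OCSPStaple`), and the client, which sends the `status_request` extension by default, reads the stapled bytes from `ConnectionState().OCSPResponse` without ever contacting the CA's responder. The self-signed localhost certificate, the loopback listener and the staple bytes are all constructed for the demonstration; the staple is a labelled placeholder rather than a real DER-encoded OCSP response, so only the transport in the handshake is shown, not signature verification of the response.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// constructedStaple stands in for the DER-encoded OCSP response the server
// would fetch from its CA's OCSP responder ahead of time. It is a constructed
// placeholder, not a real OCSP response; only transport is demonstrated.
var constructedStaple = []byte("CONSTRUCTED-OCSP-RESPONSE-PLACEHOLDER")

// selfSignedCert builds a throwaway self-signed certificate for "localhost"
// (assumption: a CA-less test certificate is enough to exercise the extension;
// a real deployment presents a CA-issued chain and a CA-signed OCSP response).
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:              []string{"localhost"},
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client trusts exactly this certificate
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// HandshakeWithStaple runs one TLS handshake over loopback TCP. When staple is
// non-nil the server presents it as its OCSP staple, which crypto/tls sends in
// reply to the client's status_request extension. It returns the bytes the
// client received inside the handshake (empty when nothing was stapled).
func HandshakeWithStaple(staple []byte) ([]byte, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	cert.OCSPStaple = staple // server side: the pre-fetched OCSP response

	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	defer ln.Close()

	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}}
	errCh := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			errCh <- err
			return
		}
		defer raw.Close()
		errCh <- tls.Server(raw, srvCfg).Handshake()
	}()

	// Client side: tls.Dial completes the handshake; the staple arrives with the
	// certificate, so no separate round trip to the CA's responder is needed.
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "localhost"})
	if err != nil {
		return nil, err
	}
	defer cli.Close()
	if err := <-errCh; err != nil {
		return nil, err
	}
	return cli.ConnectionState().OCSPResponse, nil
}

func main() {
	got, err := HandshakeWithStaple(constructedStaple)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stapled response received by client: %q\n", got)

	none, err := HandshakeWithStaple(nil)
	if err != nil {
		panic(err)
	}
	fmt.Printf("without stapling, client receives %d bytes of OCSP data\n", len(none))
}
```

In a real deployment the server refreshes the staple from the responder before it expires and the client must still verify the response's CA signature and validity window; a stapled response is only as trustworthy as that check.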