OCSP stapling is an extension of the Online Certificate Status Protocol (OCSP), not a replacement for it: the server obtains the OCSP response for its own certificate and delivers ("staples") it to the client during the Transport Layer Security (TLS) handshake, so the client does not have to contact the certificate authority (CA) itself. With OCSP stapling enabled, Alibaba Cloud CDN servers retrieve the OCSP details on behalf of clients. This reduces the latency of certificate validation and the time it takes clients to receive a validation result. This topic describes the scenarios in which OCSP stapling is used and how to enable it in the Alibaba Cloud CDN console.

Prerequisites

Clients must support the TLS status_request extension (the OCSP stapling extension that a client sends in its ClientHello). A stapled response is only delivered to clients that request it; for clients that do not, OCSP stapling has no effect and certificate validation proceeds as it would without it.
Note
  • OCSP stapling requires your business to maintain a certain number of queries per second (QPS) so that the CDN nodes keep fetching OCSP details. If your domain name has a low QPS, the OCSP stapling setting may not take effect.
  • The default time-to-live (TTL) of cached OCSP details is 1 hour. After the cache expires, the first request is served without a stapled response; OCSP stapling takes effect again once the CDN node has acquired fresh OCSP details.

Background information

OCSP details are provided by the certificate authority (CA) that issued the digital certificate. An OCSP response states whether the certificate is still valid or has been revoked, so clients can validate the certificate online when required.

Issue: Clients such as web browsers send certificate validation requests to the OCSP responders provided by CAs. If the network connection to the responder is slow, intermittent, or interrupted, the client waits a long time for the validation response. During this time, a blank page is displayed and subsequent operations on the client are delayed.
Solution: Alibaba Cloud CDN provides the OCSP stapling feature. After OCSP stapling is enabled, Alibaba Cloud CDN servers query the CA's OCSP responder at a low frequency and cache the retrieved OCSP details on the CDN nodes. The default TTL of the cached OCSP details is 60 minutes. When a client initiates a TLS handshake, the Alibaba Cloud CDN server returns the cached OCSP details together with the certificate chain, so the client receives the validation result immediately and subsequent operations proceed as expected. This does not introduce new security risks: an OCSP response is signed by the CA (or by a responder that the CA designates) and carries a validity window, so a CDN node can only relay it, not forge or alter it, and the client verifies the signature and validity period exactly as it would for a response fetched from the CA directly.
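The client-side checks and the CDN-side cache described above, as an added worked example (this is not Alibaba Cloud CDN code and makes no claim about how CDN nodes are implemented). It needs the third-party `cryptography` package; the CA, the leaf certificate and all OCSP responses are generated in memory as constructed test data, the five-minute clock-skew tolerance is this example's choice, and `StapleCache` models the page's "first request after expiry is unstapled" behaviour only as far as the page describes it. A "forged" response signed by an attacker-controlled key is included to show why a relaying node cannot fabricate OCSP details.

```python
"""Added example (not Alibaba Cloud CDN code): client-side checks on a stapled OCSP response
and a CDN-side staple cache, using a throwaway CA generated in memory. Needs `cryptography`."""
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

CACHE_TTL = dt.timedelta(hours=1)     # default TTL of cached OCSP details, from the page
CLOCK_SKEW = dt.timedelta(minutes=5)  # tolerance chosen for this example
DAY = dt.timedelta(days=1)


def _cert(subject_cn, issuer_cn, pubkey, signing_key, now, days, ca=False):
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
            .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(now - DAY).not_valid_after(now + days * DAY)
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))


def make_test_pki(now, ca_cn="Example Test CA"):
    """Constructed test PKI: a CA key/certificate and one leaf certificate it issued."""
    ca_key, leaf_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    ca_cert = _cert(ca_cn, ca_cn, ca_key.public_key(), ca_key, now, 365, ca=True)
    leaf_cert = _cert("www.example.com", ca_cn, leaf_key.public_key(), ca_key, now, 90)
    return ca_key, ca_cert, leaf_cert


def build_ocsp_response(signing_key, responder_cert, issuer_cert, leaf_cert, this_update, next_update,
                        status=ocsp.OCSPCertStatus.GOOD, revocation_time=None):
    """What an OCSP responder hands the CDN node: a signed, DER-encoded OCSP response."""
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=leaf_cert, issuer=issuer_cert, algorithm=hashes.SHA256(), cert_status=status,
        this_update=this_update, next_update=next_update,
        revocation_time=revocation_time, revocation_reason=None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, responder_cert)
    return builder.sign(signing_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def _utc(resp, field):
    """Time field as an aware UTC datetime (older cryptography releases return naive UTC)."""
    v = getattr(resp, field + "_utc") if hasattr(resp, field + "_utc") else getattr(resp, field)
    return v.replace(tzinfo=dt.timezone.utc) if v is not None and v.tzinfo is None else v


def validate_staple(der, leaf_cert, issuer_cert, now):
    """The checks a client runs on a stapled response. Returns (ok, reason)."""
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False, "responder status %s" % resp.response_status.name
    # CertID must match the certificate being validated: compare with our own request.
    req = ocsp.OCSPRequestBuilder().add_certificate(leaf_cert, issuer_cert, hashes.SHA256()).build()
    if (resp.serial_number, resp.issuer_key_hash, resp.issuer_name_hash) != (
            req.serial_number, req.issuer_key_hash, req.issuer_name_hash):
        return False, "response is for a different certificate"
    # The CDN node only relays the response; the signature must verify under the issuing CA's key
    # (delegated OCSP responder certificates are not handled in this example).
    try:
        issuer_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                        ec.ECDSA(resp.signature_hash_algorithm))
    except InvalidSignature:
        return False, "bad signature"
    this_update, next_update = _utc(resp, "this_update"), _utc(resp, "next_update")
    if now + CLOCK_SKEW < this_update or (next_update is not None and now - CLOCK_SKEW > next_update):
        return False, "outside validity window"
    if resp.certificate_status != ocsp.OCSPCertStatus.GOOD:
        return False, "certificate %s" % resp.certificate_status.name
    return True, "good"


class StapleCache:
    """CDN-side cache: serve the stored response while the TTL holds and refetch afterwards."""
    def __init__(self, ttl=CACHE_TTL):
        self.ttl, self.der, self.fetched_at, self.next_update = ttl, None, None, None

    def staple_for_handshake(self, now, fetch):
        """DER to staple into this handshake, or None on the first handshake after expiry."""
        if self.der is not None and now < self.fetched_at + self.ttl and now < self.next_update:
            return self.der
        # Cache miss: as the page notes, the first request after expiry goes unstapled while fresh
        # OCSP details are fetched from the CA's responder.
        self.der, self.fetched_at = fetch(), now
        self.next_update = _utc(ocsp.load_der_ocsp_response(self.der), "next_update")
        return None


def demo():
    now = dt.datetime.now(dt.timezone.utc)
    ca_key, ca_cert, leaf = make_test_pki(now)
    rogue_key, rogue_ca, _ = make_test_pki(now, "Rogue CA")  # attacker-controlled key and certificate
    recent, soon = now - dt.timedelta(minutes=10), now + 7 * DAY
    samples = {
        "fresh": build_ocsp_response(ca_key, ca_cert, ca_cert, leaf, recent, soon),
        "stale": build_ocsp_response(ca_key, ca_cert, ca_cert, leaf, now - 8 * DAY, now - DAY),
        "revoked": build_ocsp_response(ca_key, ca_cert, ca_cert, leaf, recent, soon, ocsp.OCSPCertStatus.REVOKED, recent),
        "forged": build_ocsp_response(rogue_key, rogue_ca, ca_cert, leaf, recent, soon),
    }
    verdicts = {name: validate_staple(der, leaf, ca_cert, now)[1] for name, der in samples.items()}
    cache, fetches = StapleCache(), []
    fetch = lambda: fetches.append(1) or samples["fresh"]  # counts responder queries
    stapled = [cache.staple_for_handshake(now + m * dt.timedelta(minutes=1), fetch) is not None
               for m in (0, 30, 61, 62)]
    return verdicts, stapled, len(fetches)
```

`demo()` returns the verdict for each sample response (only the fresh, CA-signed one validates), which of four handshakes at 0, 30, 61 and 62 minutes received a staple (the first handshake and the first one after the 1-hour TTL do not), and how many times the responder was queried (twice). After you enable OCSP stapling on a domain name, `openssl s_client -connect <domain>:443 -servername <domain> -status` shows whether a staple was delivered; a line reading `OCSP response: no response sent` is expected for the first handshake after the cache expires or for a low-QPS domain name.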

Procedure

  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column of the domain name.
  4. In the management pane of the domain name, click HTTPS.
  5. In the OCSP Stapling section, turn on OCSP Stapling.