OCSP stapling is an alternative approach to the Online Certificate Status Protocol (OCSP) that you can use to validate digital certificates. OCSP stapling allows Alibaba Cloud CDN servers to retrieve OCSP details. This reduces the latency that occurs when clients send requests to validate digital certificates. OCSP stapling also reduces the time that is required by clients to receive the validation responses. This topic describes the application scenarios of OCSP stapling. It also provides details about how to enable this feature in the Alibaba Cloud CDN console.

Prerequisites

OCSP extension fields are supported by clients. Otherwise, the OCSP stapling feature fails to take effect.

Background information

OCSP details are provided by the certification authority (CA) that issues the digital certificates. Based on the OCSP details, you can check the digital certificates online in real time to determine whether they are valid.

Issue description: Clients such as web browsers send certificate validation requests to the OCSP responders that are provided by CAs. If network connections are intermittent or interrupted, clients have to wait for the validation responses for a long time. During this period, blank pages appear and your users cannot perform subsequent operations as expected.OCSP
Solution: Alibaba Cloud CDN provides the OCSP stapling feature. If this feature is enabled, Alibaba Cloud CDN servers send requests to retrieve OCSP details at a low frequency, and cache the retrieved OCSP details. When clients initiate Transport Layer Security (TLS) handshakes, Alibaba Cloud CDN servers return the OCSP details and certificate chains to clients. OCSP stapling provides a quick method for the clients to receive the validation responses. This allows your users to perform subsequent operations as expected. Another benefit is that the OCSP stapling process does not introduce additional security risks. This is because the OCSP details of digital certificates cannot be forged.OCSP stapling

Procedure

  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the target domain name and click Manage.
  4. In the OCSP Stapling section, turn on the switch.