OCSP stapling is an alternative to the Online Certificate Status Protocol (OCSP) for
validating digital certificates. With OCSP stapling, Dynamic Route for CDN (DCDN) servers
retrieve the OCSP details on behalf of clients. This reduces the latency of the
certificate validation requests that clients send and shortens the time clients wait
for validation responses. This topic describes the benefits of OCSP stapling based on
a comparison between OCSP and OCSP stapling.
- Clients must support OCSP extension fields. Otherwise, the OCSP stapling feature cannot
- The queries per second (QPS) metric of your workloads must reach a specific value.
Otherwise, OCSP stapling cannot take effect.
- By default, the time-to-live (TTL) value of an OCSP stapling cache is 1 hour. After
a cached entry expires, OCSP stapling does not take effect for the first request until
the OCSP information has been retrieved again.
OCSP details are provided by the certificate authority (CA) that issued the digital
certificates, and clients use them to validate the digital certificates online.
Issue: Clients such as web browsers send certificate validation requests to the OCSP
responders that are provided by CAs. If network connections are intermittent or interrupted,
it takes a long time for the clients to receive the validation responses. During this
period of time, blank pages appear and disable expected subsequent operations on the
Solution: Enable the OCSP stapling feature provided by DCDN. After OCSP stapling is
enabled, DCDN servers send requests to retrieve OCSP details at a low frequency and
cache the retrieved OCSP details on DCDN nodes. When clients initiate Transport Layer
Security (TLS) handshakes, DCDN servers return the OCSP details together with the
certificate chains to the clients. OCSP stapling therefore gives clients a quick way to
receive the validation responses, which ensures that subsequent operations can be
performed as expected on the clients. In addition, the OCSP stapling process does not
raise security risks: the OCSP details are signed by the CA and the client verifies that
signature, so the details cannot be forged by the server that relays them.
- Log on to the DCDN console.
- In the left-side navigation pane, click Domain Names.
- On the Domain Names page, find the domain name that you want to manage and click Configure in the Actions column.
- In the left-side navigation pane on the details page of the specified domain name,
click HTTPS Settings.
- In the OCSP Stapling section, turn on OCSP Stapling.
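After you turn on the switch, you can confirm that the accelerated domain name actually staples an OCSP response during the TLS handshake. The following script is an added example and is not part of this document or of DCDN; it assumes that openssl is installed, that the host is reachable, and that `example.com` stands in for your own domain name.

```shell
#!/bin/sh
# Added example: classify the output of `openssl s_client -status` to tell
# whether the server stapled an OCSP response and what status it carried.

# Reads `openssl s_client -status` output on stdin and prints one of:
#   none            - the server sent no OCSP response (stapling not active,
#                     or the cache has expired and is being refreshed)
#   stapled:<state> - a response was stapled; <state> is its Cert Status
#                     (good, revoked or unknown)
#   unknown         - the output contained no recognisable status line
stapling_status() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*) echo none; return 0 ;;
    esac
    # The stapled response is printed in text form; pick out the Cert Status line.
    st=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: *\([a-z]*\).*/\1/p' | head -n 1)
    if [ -n "$st" ]; then
        echo "stapled:$st"
    else
        echo unknown
    fi
}

# Live check against a host: -servername sends SNI so the right certificate is
# selected, -status asks the server to staple its OCSP response.
check_stapling() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | stapling_status
}

# Usage (hypothetical domain name): check_stapling example.com
```

Run the check twice a little over an hour apart if you want to observe the TTL behaviour described above: a `none` result right after cache expiry followed by `stapled:good` on the next request is the expected pattern.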