OCSP stapling is an alternative way to deliver Online Certificate Status Protocol (OCSP) responses, which you can use to validate digital certificates. With OCSP stapling, Alibaba Cloud Dynamic Route for CDN (DCDN) servers retrieve the OCSP details on behalf of clients. This reduces the latency that clients incur when they send requests to validate digital certificates, and shortens the time that clients need to receive the validation responses. This topic compares the original OCSP with OCSP stapling and describes the benefits of OCSP stapling.
Clients must support OCSP extension fields. Otherwise, the OCSP stapling feature cannot be enabled.
Note: After OCSP stapling is enabled, OCSP responses are cached for 60 minutes by default. When a cached OCSP response expires, the first request that arrives is processed without OCSP stapling.
OCSP details are provided by the certificate authority (CA) that issued the digital certificate. They allow you to check online, in real time, whether a digital certificate is still valid.
Issues: Clients such as web browsers send OCSP requests to the OCSP responders that are provided by the CA to validate server certificates. If network connections are intermittent or interrupted, clients must wait for the validation responses. During this period, web browsers show blank web pages, and users cannot perform subsequent operations on the web pages.
Solution: Alibaba Cloud DCDN provides the OCSP stapling feature. After this feature is enabled, Alibaba Cloud DCDN servers query the OCSP responder at a low frequency and cache the OCSP details that they retrieve. When a client initiates a Transport Layer Security (TLS) handshake, the Alibaba Cloud DCDN server returns the cached OCSP details together with the certificate chain. The client therefore receives the validation response immediately, and users do not need to wait before they perform subsequent operations on the web pages. OCSP stapling does not introduce additional security risks, because OCSP responses are digitally signed by the CA and cannot be forged by the server that staples them.
- Log on to the DCDN console.
- In the left-side navigation pane, click Domain Names.
- On the Domain Names page, find the domain name that you want to manage and click Configure in the Actions column.
- The details page of the specified domain name appears. In the left-side navigation pane, click HTTPS Settings.
- In the OCSP Stapling section, turn on OCSP Stapling.
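After you turn on the switch, you can confirm from a client that the DCDN edge actually staples a response. The following shell script is an added example, not code from the Alibaba Cloud documentation or the DCDN product; it assumes the openssl command-line tool is installed, and example.com is a placeholder for your accelerated domain name.

```sh
#!/bin/sh
# Added example (not part of the Alibaba Cloud documentation): check whether a
# server staples an OCSP response during the TLS handshake, using openssl.
# Assumption: the openssl CLI is installed; example.com is a placeholder domain.

# Perform a TLS handshake that includes the status_request extension (-status)
# and print openssl's handshake report. Fails if openssl cannot connect.
fetch_tls_status() {
    domain="$1"
    # -servername sends SNI so the CDN edge picks the certificate for this domain;
    # </dev/null closes stdin so s_client exits right after the handshake.
    openssl s_client -connect "$domain:443" -servername "$domain" -status </dev/null 2>/dev/null
}

# Classify an openssl handshake report read from stdin.
# Returns 0: a successful OCSP response was stapled and reports "good".
#         1: no OCSP response was stapled (feature off, client sent no
#            status_request, or first request after the 60-minute cache expired).
#         2: a response was stapled but the status is not "good" (revoked/unknown).
classify_ocsp_status() {
    report=$(cat)
    case "$report" in
        *"OCSP Response Status: successful"*)
            case "$report" in
                *"Cert Status: good"*) return 0 ;;
                *) return 2 ;;
            esac ;;
        *) return 1 ;;
    esac
}

# Human-readable wrapper: check_ocsp_stapling example.com
check_ocsp_stapling() {
    fetch_tls_status "$1" | classify_ocsp_status
    rc=$?
    case "$rc" in
        0) echo "$1: OCSP response stapled, certificate status good" ;;
        1) echo "$1: no OCSP response stapled" ;;
        2) echo "$1: OCSP response stapled, but certificate status is NOT good" ;;
    esac
    return "$rc"
}
```

Run the check twice a little over an hour apart: because of the 60-minute cache described above, a single "no OCSP response stapled" result directly after expiry does not by itself mean the feature is off.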