OCSP stapling is an extension of the Online Certificate Status Protocol (OCSP) that
moves the certificate status lookup from the client to the server. With OCSP stapling
enabled, Alibaba Cloud Dynamic Route for CDN (DCDN) servers retrieve the OCSP response
for their certificates from the certificate authority (CA) and attach ("staple") it
to the TLS handshake. Clients therefore no longer need to contact the CA's OCSP responder
themselves, which removes that round trip from the handshake and shortens the time until
the client has a validation result. This topic describes the benefits of OCSP stapling
by comparing the original OCSP flow with OCSP stapling.
Clients must support the TLS Certificate Status Request extension (status_request, RFC 6066),
through which the stapled OCSP response is delivered. Otherwise, the OCSP stapling feature cannot
Note: By default, DCDN caches an OCSP response for 60 minutes after OCSP stapling is
enabled. When the cached response expires, the first request is processed without
using OCSP stapling: that client receives no stapled response and must obtain the
certificate status on its own for that handshake.
OCSP responses are produced and signed by the certificate authority (CA) that issued
the digital certificate, or by a responder the CA has authorized. They let a client
check online, in near real time, whether a certificate is still valid or has been revoked.
Issues: Clients such as web browsers send OCSP requests to the OCSP responder operated
by the CA to validate the server certificate. Each such request is an extra round trip
to a third party during the TLS handshake. If the network connection to the responder
is slow, intermittent, or interrupted, the client must wait for the validation response
(or for its timeout). During this period, the web browser shows a blank page and the
user cannot interact with it.
Solution: Alibaba Cloud DCDN provides the OCSP stapling feature. After the feature is
enabled, DCDN servers query the CA's OCSP responder at a low frequency and cache the
signed OCSP response. When a client initiates a Transport Layer Security (TLS) handshake,
the DCDN server returns the cached OCSP response together with the certificate chain
inside the handshake itself, so the client receives the validation result immediately
without contacting the CA. Users do not need to wait for a separate OCSP lookup before
they can interact with the web page. The OCSP stapling process does not introduce
additional security risks. This is because the OCSP responses cannot
- Log on to the DCDN console.
- In the left-side navigation pane, click Domain Names.
- On the Domain Names page, find the domain name that you want to manage and click Configure in the Actions column.
- On the details page of the domain name, click HTTPS Settings in the left-side navigation pane.
- In the OCSP Stapling section, turn on OCSP Stapling.
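To confirm that the edge really delivers a stapled response after you turn the feature on, probe the domain with `openssl s_client -status` and inspect the handshake output. The following POSIX shell script is an added example written for this topic, not code from Alibaba Cloud; it assumes `openssl` is installed and that the hostname given as the first argument resolves to the DCDN edge. The two sample handshake outputs embedded in it are constructed to match the format `openssl s_client` prints and were not captured from DCDN.

```shell
#!/bin/sh
# Added example (not Alibaba Cloud's own code): check whether a host staples
# an OCSP response during the TLS handshake, as described in this topic.

# ocsp_staple_status reads `openssl s_client -status` output on stdin and
# prints one of: stapled-good, stapled-revoked, stapled-unknown, stapled-error,
# not-stapled. The exit status is 0 only for stapled-good.
ocsp_staple_status() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*) echo not-stapled; return 1 ;;
        *"OCSP Response Status: successful"*) ;;            # fall through
        *"OCSP Response Status:"*) echo stapled-error; return 4 ;;  # e.g. tryLater
        *) echo not-stapled; return 1 ;;                     # no -status line at all
    esac
    case "$out" in
        *"Cert Status: good"*)    echo stapled-good;    return 0 ;;
        *"Cert Status: revoked"*) echo stapled-revoked; return 2 ;;
        *)                        echo stapled-unknown; return 3 ;;
    esac
}

# check_host probes a live endpoint. DCDN refreshes its stapling cache every
# 60 minutes and serves the first handshake after expiry without a staple, so a
# single not-stapled result is retried (default 3 attempts) before being reported.
# Any other result (good, revoked, unknown, error) is reported immediately.
check_host() {
    host=$1
    attempts=${2:-3}
    i=1
    result=not-stapled
    while [ "$i" -le "$attempts" ]; do
        result=$(openssl s_client -connect "$host:443" -servername "$host" -status \
                 </dev/null 2>/dev/null | ocsp_staple_status) || :
        case "$result" in
            not-stapled) i=$((i + 1)); continue ;;
        esac
        echo "$host: $result"
        [ "$result" = stapled-good ] && return 0
        return 1
    done
    echo "$host: $result"
    return 1
}

# Constructed sample of `openssl s_client -status` output for a handshake that
# carried a stapled, CA-signed "good" response (abridged, not captured from DCDN).
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Example CA, CN = Example OCSP Responder
    Produced At: Jan  1 00:00:00 2024 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 0000000000000000000000000000000000000000
      Issuer Key Hash: 0000000000000000000000000000000000000000
      Serial Number: 0123456789ABCDEF
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================
'
# Constructed sample for a handshake without a staple, which is what the first
# handshake after the 60-minute cache expiry (or a disabled feature) looks like.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
'

# Usage: sh check_staple.sh www.example.com [attempts]
if [ -n "${1:-}" ]; then
    check_host "$1" "${2:-3}"
fi
```

Run it as `sh check_staple.sh www.example.com`. A `not-stapled` on the first attempt is expected right after the cache expiry described in the note above, which is why `check_host` retries; a persistent `not-stapled` means the switch is off or the client did not send the status_request extension. `stapled-revoked` means the CA has revoked the certificate and the edge is faithfully relaying that signed answer, which is a reason to replace the certificate, not to turn stapling off.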