
Edge Security Acceleration: OCSP stapling

Last Updated: Mar 25, 2025

With Online Certificate Status Protocol (OCSP) stapling, Edge Security Acceleration (ESA) caches certificate verification results and sends the results to clients without querying the certificate status from certificate authorities (CAs). This reduces the certificate verification time and accelerates access speed.

What is OCSP stapling

OCSP is a protocol provided by CAs for clients to verify the legitimacy and validity of certificates in real time. Each time a client initiates a request, the client sends an OCSP query to the CA to verify the certificate. Frequent OCSP queries lower the efficiency of the Transport Layer Security (TLS) handshake and reduce access speed.

After you enable OCSP stapling, OCSP queries are completed by ESA. ESA performs low-frequency OCSP queries and caches the query results on points of presence (POPs). By default, the results are cached on POPs for 60 minutes. When the client sends a TLS handshake request, the ESA POPs send the certificate and its OCSP information to the client without querying the certificate status from the CA. This improves the TLS handshake efficiency and reduces the verification time.


Before you begin

  • Make sure that SSL/TLS is enabled and an edge certificate is configured for your website.

  • Make sure that your client supports OCSP-specific extension fields. Otherwise, OCSP stapling cannot take effect.

  • The default time-to-live (TTL) of cached OCSP information is 1 hour. After the information expires, OCSP stapling does not take effect until the OCSP information is obtained again.

  • If you delete all SSL/TLS certificates, OCSP stapling becomes invalid.

Enable OCSP stapling

  1. In the ESA console, choose Websites and click the website name you want to manage.

  2. In the left-side navigation pane, choose SSL/TLS > Edge Certificates.

  3. Switch on OCSP Stapling.
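To confirm from a client that stapling is actually in effect after switching it on, the following added example (not part of the ESA documentation) runs `openssl s_client -status`, which sends the TLS status_request extension and prints any stapled response, and parses that output to report whether a staple was received and its validity window. It assumes OpenSSL is installed; the two sample outputs are constructed, not captured from a real server.

```shell
#!/bin/sh
# parse_staple reads `openssl s_client -status` output on stdin and prints
# either STAPLED with the response's This/Next Update timestamps, or
# NOT_STAPLED. Exit status 0 when a successful staple was found, 1 otherwise.
parse_staple() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        this_upd=$(printf '%s\n' "$out" | sed -n 's/^ *This Update: //p' | head -n 1)
        next_upd=$(printf '%s\n' "$out" | sed -n 's/^ *Next Update: //p' | head -n 1)
        printf 'STAPLED this_update="%s" next_update="%s"\n' "$this_upd" "$next_upd"
        return 0
    fi
    printf 'NOT_STAPLED\n'
    return 1
}

# check_staple <host> [port]: probe a live endpoint with SNI set to the host
# and the status_request extension enabled, then parse what comes back.
# <host> is a placeholder for your own website's domain.
check_staple() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | parse_staple
}

# Constructed sample of what openssl prints when a staple is present
# (the Next Update value shows the window the edge may keep serving it).
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Mar 25 10:00:00 2025 GMT
    Next Update: Apr  1 10:00:00 2025 GMT'

# Constructed sample for a server that sends no stapled response.
SAMPLE_NOT_STAPLED='OCSP response: no response sent'
```

Run `check_staple yourdomain.example` after enabling the switch; NOT_STAPLED right after enabling can simply mean the POP has not fetched the OCSP response yet.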