Online Certificate Status Protocol (OCSP) allows CDN edge nodes to cache the revocation status of SSL certificates and return the information to clients. Clients do not need to query the revocation status of SSL certificates from certificate authorities (CAs). This reduces the time it takes to complete the certificate validation process. This topic describes the OCSP stapling feature, the prerequisites for enabling OCSP stapling, and how to enable OCSP stapling.
This topic consists of the following sections:
The OCSP information is provided by CAs. Clients can use OCSP to check the revocation status of SSL certificates.
After OCSP stapling is enabled, the query process is performed by CDN edge nodes. Alibaba Cloud CDN sends requests to retrieve OCSP information at a low frequency, and caches the retrieved OCSP information on edge nodes. The default time-to-live (TTL) for cached OCSP information is 60 minutes. When a client sends a TLS handshake request to Alibaba Cloud CDN, Alibaba Cloud CDN returns the certificate and OCSP information to the client. The client can check the revocation status of the certificate without sending queries to the CA. This improves the TLS handshake efficiency and reduces the validation time.
- OCSP stapling is disabled by default.
- The default TTL of cached OCSP information is 1 hour. After the information expires, OCSP stapling does not take effect until the OCSP information is acquired again.
- You can enable or disable OCSP stapling for accelerated domain names that have HTTPS secure acceleration enabled. If you delete the certificate settings, OCSP stapling is disabled.
- In addition, the OCSP stapling process does not raise security risks because the OCSP information of digital certificates cannot be forged.
Make sure that the following prerequisites are met before you configure OCSP stapling:
- An SSL certificate is configured. For more information, see Configure an SSL certificate.
- Clients support OCSP-specific extension fields. Otherwise, OCSP stapling cannot take effect.
- Your workloads maintain a medium or high number of queries per second (QPS). Otherwise, OCSP stapling cannot take effect.
- Log on to the Alibaba Cloud CDN console.
- In the left-side navigation pane, click Domain Names.
- On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.
- In the left-side navigation pane of the domain name, click HTTPS.
- In the OCSP Stapling section, turn on OCSP stapling.