OCSP stapling allows CDN edge nodes to cache Online Certificate Status Protocol (OCSP) responses, which state the revocation status of SSL certificates, and to return that information to clients during the TLS handshake. Clients then do not need to query the revocation status of SSL certificates from certificate authorities (CAs) themselves, which reduces the time it takes to complete the certificate validation process. This topic describes the OCSP stapling feature, the prerequisites for enabling OCSP stapling, and how to enable OCSP stapling.
The OCSP information is provided by CAs. Clients can use OCSP to check the revocation status of SSL certificates.
Usage notes:
- OCSP stapling is disabled by default.
- The default TTL of cached OCSP information is 1 hour. After the cached information expires, OCSP stapling does not take effect until the edge node acquires the OCSP information again.
- You can enable or disable OCSP stapling for accelerated domain names that have HTTPS secure acceleration enabled. If you delete the certificate settings, OCSP stapling is disabled.
- OCSP stapling does not introduce additional security risks: OCSP responses are signed by the CA (or by an OCSP responder that the CA has authorized) and the client verifies that signature, so the OCSP information of a digital certificate cannot be forged by the CDN node or by an intermediary.
Prerequisites:
- An SSL certificate is configured for the accelerated domain name. For more information, see Configure an SSL certificate.
- Clients support the TLS OCSP status request extension (status_request, defined in RFC 6066). Otherwise, OCSP stapling cannot take effect.
- Your workloads maintain a medium or high number of queries per second (QPS). Otherwise, OCSP stapling cannot take effect.
Procedure:
- Log on to the Alibaba Cloud CDN console.
- In the left-side navigation pane, click Domain Names.
- On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.
- In the left-side management pane of the domain name, click HTTPS.
- In the OCSP Stapling section, turn on OCSP stapling.
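Because stapling only takes effect while the edge node holds an unexpired cached response (and the cache may be empty for low-QPS domain names), it is worth verifying after enabling the feature that clients actually receive a stapled response. The following script is an added example, not part of the Alibaba Cloud CDN documentation: it parses the output of `openssl s_client -status` and reports whether a response was stapled and what it says. The two sample outputs inside the script are constructed to follow the openssl text format and are not real captures; `example.com` in the comment is a placeholder for your accelerated domain name.

```shell
#!/bin/sh
# Added example (not from the Alibaba Cloud CDN documentation): decide from the
# output of `openssl s_client -status` whether the server stapled an OCSP
# response, and what that response says. The two sample outputs below are
# constructed to match the openssl text format; they are not real captures.

# Constructed sample: a handshake in which a "good" OCSP response was stapled.
SAMPLE_STAPLED_GOOD=$(cat <<'EOF'
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: CN = Example CA OCSP Responder
    Produced At: Jan 11 00:00:00 2024 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Serial Number: 0123456789ABCDEF
    Cert Status: good
    This Update: Jan 11 00:00:00 2024 GMT
    Next Update: Jan 18 00:00:00 2024 GMT
EOF
)

# Constructed sample: the server sent no stapled response (stapling disabled,
# or the edge node's cached response expired and has not been refreshed yet).
SAMPLE_NOT_STAPLED=$(cat <<'EOF'
OCSP response: no response sent
EOF
)

# check_staple "<s_client output>"
# Prints one of: stapled:good, stapled:revoked, stapled:unknown, not-stapled, error
# Exit status is 0 only for a successful stapled response with Cert Status "good".
check_staple() {
    out=$1
    if printf '%s\n' "$out" | grep -q '^OCSP response: no response sent'; then
        echo "not-stapled"
        return 1
    fi
    if ! printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo "error"
        return 2
    fi
    status=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Cert Status: \([a-z]*\).*/\1/p' | head -n 1)
    case "$status" in
        good)    echo "stapled:good";    return 0 ;;
        revoked) echo "stapled:revoked"; return 3 ;;
        *)       echo "stapled:unknown"; return 4 ;;
    esac
}

# next_update "<s_client output>"
# Prints the "Next Update" time of the stapled response (empty if none).
# The CDN's 1-hour cache TTL must refresh the response before this CA-side
# validity end, otherwise clients see a stale or missing staple.
next_update() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Next Update: //p' | head -n 1
}

# Demo on the constructed samples. For a live check, feed check_staple the
# output of (replace example.com with your accelerated domain name):
#   openssl s_client -connect example.com:443 -servername example.com -status </dev/null 2>/dev/null
check_staple "$SAMPLE_STAPLED_GOOD" || true
next_update "$SAMPLE_STAPLED_GOOD"
check_staple "$SAMPLE_NOT_STAPLED" || true
```

Run the live command a few times in a row: if the first handshake reports `not-stapled` and a later one reports `stapled:good`, the edge node had to fetch the OCSP response first, which is the behaviour described under the TTL note above.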