Online Certificate Status Protocol (OCSP) stapling allows Dynamic Route for CDN (DCDN) nodes to cache the revocation status of SSL certificates and return the information to clients. Clients do not need to query the revocation status of SSL certificates from certificate authorities (CAs). This reduces the time that is required for the certificate validation process. This topic describes the OCSP stapling feature, the prerequisites for enabling OCSP stapling, and how to enable OCSP stapling.


Overview

The OCSP information is provided by CAs. Clients can use OCSP to check the revocation status of SSL certificates.

After OCSP stapling is enabled, DCDN nodes perform the OCSP query instead of the client. DCDN sends requests to the CA to retrieve OCSP information at a low frequency and caches the retrieved OCSP information on DCDN nodes. The default time-to-live (TTL) for cached OCSP information is 60 minutes. When a client sends a Transport Layer Security (TLS) handshake request to DCDN, DCDN returns the certificate together with the cached OCSP information to the client. The client can check the revocation status of the certificate without sending a query to the CA. This improves TLS handshake efficiency and reduces the validation time.
Figure: OCSP stapling
Notice
  • By default, OCSP stapling is disabled.
  • The default TTL of cached OCSP information is one hour. After the information expires, OCSP stapling does not take effect until the OCSP information is acquired again.
  • You can enable or disable OCSP stapling for accelerated domain names that have HTTPS secure acceleration enabled. If you delete the certificate settings, OCSP stapling is disabled.
  • The OCSP stapling process does not introduce security risks, because OCSP responses are digitally signed by the CA and cannot be forged by the DCDN node or by any other party.

Prerequisites

Make sure that the following prerequisites are met before you configure OCSP stapling:
  • An SSL certificate is configured. For more information, see Configure an SSL certificate.
  • Clients support the OCSP status request extension in TLS. Otherwise, OCSP stapling cannot take effect.
  • Your workloads maintain a medium or high number of queries per second (QPS). Otherwise, OCSP stapling cannot take effect.

Procedure

  1. Log on to the DCDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage and click Configure in the Actions column.
  4. In the left-side navigation pane of the domain name, click HTTPS Settings.
  5. In the OCSP Stapling section, turn on OCSP Stapling.
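To confirm that stapling is in effect after you turn it on (or to notice when it stops, for example because the cached OCSP information has expired and has not yet been fetched again), you can inspect the TLS handshake with the OpenSSL command-line tool. The script below is an added example and is not part of the DCDN documentation or console; it assumes `openssl` is installed, and the host name passed to `check_ocsp_staple` is a placeholder for your own accelerated domain name. The two sample outputs are constructed to resemble what `openssl s_client -status` prints and are used only to exercise the parser.

```shell
#!/bin/sh
# Added example (not from the DCDN documentation): check whether a TLS
# endpoint returns a stapled OCSP response, as described in the Overview.
# Assumes the openssl CLI is installed; HOST and PORT are placeholders.

# Parse the output of `openssl s_client -status` and print one of:
#   stapled:<cert status>   a stapled OCSP response was present
#   none                    no stapled response (stapling off, TTL expired,
#                           or the client did not ask for one)
parse_ocsp_staple() {
    output="$1"
    case "$output" in
        *"OCSP Response Status: successful"*)
            # The "Cert Status" line carries good / revoked / unknown.
            status=$(printf '%s\n' "$output" \
                | sed -n 's/^ *Cert Status: *//p' | head -n 1)
            printf 'stapled:%s\n' "${status:-unknown}"
            ;;
        *)
            printf 'none\n'
            ;;
    esac
}

# Live check: open a TLS handshake that includes the status_request
# extension (-status) and hand the server's reply to the parser.
# Usage: check_ocsp_staple example.com [443]
check_ocsp_staple() {
    host="$1"
    port="${2:-443}"
    reply=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
        -servername "$host" -status 2>/dev/null)
    parse_ocsp_staple "$reply"
}

# Constructed sample: what openssl prints when a staple is present.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================
'

# Constructed sample: what openssl prints when no staple is sent.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
'
```

Run `check_ocsp_staple your-domain.example` against the accelerated domain name: `stapled:good` means the DCDN node delivered a cached OCSP response in the handshake, while `none` means the client had to fall back to its own revocation checking, which is what you would see before the feature is enabled or while the 60-minute cache entry has expired and not yet been refreshed.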