Online Certificate Status Protocol (OCSP) stapling allows Dynamic Route for CDN (DCDN) nodes to cache the revocation status of SSL certificates and return the information to clients. Clients do not need to query the revocation status of SSL certificates from certificate authorities (CAs). This reduces the time that is required for the certificate validation process. This topic describes the OCSP stapling feature, the prerequisites for enabling OCSP stapling, and how to enable OCSP stapling.
The OCSP information is provided by CAs. Clients can use OCSP to check the revocation status of SSL certificates.
- By default, OCSP stapling is disabled.
- The default TTL of cached OCSP information is one hour. After the information expires, OCSP stapling does not take effect until the OCSP information is acquired again.
- You can enable or disable OCSP stapling for accelerated domain names that have HTTPS secure acceleration enabled. If you delete the certificate settings, OCSP stapling is disabled.
- OCSP stapling does not introduce security risks: OCSP responses are digitally signed by the CA's OCSP responder, so the OCSP information of digital certificates cannot be forged.
Prerequisites:
- An SSL certificate is configured. For more information, see Configure an SSL certificate.
- Clients support the OCSP-specific extension fields. Otherwise, OCSP stapling cannot take effect.
- Your workloads maintain a medium or high number of queries per second (QPS). Otherwise, OCSP stapling cannot take effect.
To enable OCSP stapling:
- Log on to the DCDN console.
- In the left-side navigation pane, click Domain Names.
- On the Domain Names page, find the domain name that you want to manage and click Configure in the Actions column.
- In the left-side navigation pane of the domain name, click HTTPS Settings.
- In the OCSP Stapling section, turn on OCSP Stapling.
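After the switch is turned on, you can confirm from a client that a node actually staples a response. The script below is an added example, not part of the DCDN documentation: it classifies the OCSP section of `openssl s_client -status` output. The function names and the sample output are constructed for illustration, and the hostname passed to `check_host` is assumed to be your accelerated domain name. Because the cached OCSP information expires after its TTL, an occasional `not-stapled` result is expected until the node acquires the information again.

```shell
#!/bin/sh
# Added example: classify the OCSP section of `openssl s_client -status` output.

# Reads s_client output on stdin and prints one of:
#   stapled:<cert status>      e.g. stapled:good, stapled:revoked
#   stapled:response-<status>  a staple was sent but it is not "successful"
#   not-stapled                the server sent no OCSP response
ocsp_staple_state() {
    awk '
        /OCSP Response Status:/ { resp = $4 }   # e.g. "successful"
        /Cert Status:/          { cert = $3 }   # e.g. "good"
        END {
            if (resp == "successful" && cert != "") print "stapled:" cert
            else if (resp != "")                    print "stapled:response-" resp
            else                                    print "not-stapled"
        }'
}

# Live check. $1 is the accelerated domain name (assumption: HTTPS on port 443).
check_host() {
    openssl s_client -connect "$1:443" -servername "$1" -status \
        </dev/null 2>/dev/null | ocsp_staple_state
}

# Constructed sample: handshake that carries a stapled response.
sample_stapled() {
cat <<'EOF'
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
EOF
}

# Constructed sample: stapling disabled or cached OCSP information expired.
sample_unstapled() {
cat <<'EOF'
CONNECTED(00000003)
OCSP response: no response sent
EOF
}

# Run a live check only when a hostname is given on the command line.
if [ -n "${1:-}" ]; then check_host "$1"; fi
```

Repeat the live check several times before concluding that stapling is not working, since a node only staples while it holds unexpired OCSP information.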