What is OCSP SSL Stapling? How Does it Work? – Explained


Here’s all you need to know about OCSP stapling… in layman’s terms

We know you’re here to learn what OCSP SSL/TLS Stapling is and how it works, but we often like to begin our articles with questions. Don’t worry, we’re going to cover OCSP stapling in the simplest way we can. Now, let’s come back to the question. Have you ever seen or heard about an SSL certificate authority revoking an SSL certificate? Whether the answer to this question is “yes” or “no,” you need to understand the “why” behind the term “certificate revocation.”

SSL Certificate Revocation: The “What” and “Why”

As far as the meaning is concerned, “certificate revocation” is exactly what it sounds like. It’s a process conducted by the certificate authority to invalidate an SSL certificate it issued itself. The certificate is then no longer in use and doesn’t protect the information being transmitted between the web server and web browser. As it’s no longer valid, users are notified about the certificate revocation to make them aware of the lack of security.

So, why would a CA revoke a certificate that it issued in the first place? Well, there could be two primary reasons behind this. Most often it happens when the person/organization the certificate was issued to submits a revocation request to the CA. Another possible, but less probable, reason is that the CA has mis-issued the certificate. In both cases, certificate revocation becomes necessary, because leaving the certificate valid would leave a big security hole that could be exploited very easily.

One thing to note here is that just revoking an SSL certificate isn’t enough. The revocation must be communicated to the end users so that they are aware of the certificate’s status and can make an informed decision. That’s where OCSP stapling comes into play.

OCSP Stapling: The Bridge between the CA and the Browsers

Online Certificate Status Protocol (OCSP) stapling, also known as the TLS Certificate Status Request extension, is an internet standard for checking the validity status of X.509 digital certificates. OCSP stapling allows a web server to obtain a digitally signed and time-stamped OCSP response from the OCSP responder operated by the CA that issued the server certificate. The response carries a ‘valid’ or ‘revoked’ status, which tells the web browser whether the SSL certificate is still valid. If the web browser receives a “revoked” message, it warns users so that they don’t exchange confidential information with that website.

Here’s How OCSP Stapling Works in SSL/TLS Ecosystem

A great thing about OCSP stapling is that rather than being a completely separate process, it is part of the standard SSL/TLS handshake that’s used to authenticate, encrypt and transmit the data between the web browser and web server.

This is how OCSP stapling works:

  1. When both parties (the browser and the server) come in contact, the web server responds by sharing the SSL certificate installed on it.
  2. Upon receiving the SSL certificate details, the browser requests the server to submit the copy of the response given by the OCSP responder.
  3. In response, the web server gives the copy of the OCSP response.
  4. The browser checks this response and displays the website only if the certificate is valid. The browser will give a warning instead if the certificate has been revoked.

Simple, isn’t it?

Advantages of OCSP Stapling

You may or may not be aware that OCSP stapling was introduced as an alternative to a technique called “CRL” (certificate revocation list). In CRL, a certificate authority was supposed to maintain a list of all the certificates it has revoked, and the browsers were supposed to visit these lists to find out whether the certificate of the web server they’re currently communicating with is valid or not. Just by the sound of it, this must be such a boring and dull process, right? Well, it is. That’s because every time the browser has to perform a check, it slows down the performance.

OCSP stapling, on the other hand, doesn’t take a toll on the performance, as the web server (not the web browser) is supposed to download a copy of the OCSP response from the OCSP responder. The web browser simply has to download this copy from the web server. Therefore, there is no direct contact between the web browser and the OCSP responder. This avoids adding latency to the connection and doesn’t slow down the browsing experience on the user’s end. Another advantage when it comes to OCSP stapling is its ubiquity. Almost all modern-day web browsers support OCSP by default and therefore you don’t need to enable it manually.

Potential Downside of OCSP Stapling

Although OCSP stapling scores 10 out of 10 when it comes to serving its purpose, there is a minor concern about it. If the OCSP responder – for whatever reason – goes down, the web servers won’t be able to obtain the latest copy of the OCSP response from the responder. The browsers then won’t be updated about a revocation, which could cause serious security concerns.

How to Verify If Your Server has OCSP Stapling Enabled

OCSP is, without a shadow of a doubt, a great technology that helps users stay away from websites with revoked SSL certificates. And since all modern-day browsers support it by default, you don’t need to enable it yourself. But if, by any chance, you think that you have disabled it, you can perform the following steps to be on the safer side:

  1. First go to DigiCert SSL checker.
  2. Then type in the URL of your website and press the Check button.
  3. After a few seconds, the results will be displayed. Click on the Server Configuration tab.
  4. Click on the Advanced Server Configuration tab.
  5. Check whether OCSP has been enabled or not.
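The same check can be scripted. The following is an added example, not part of the original article: it classifies the text printed by `openssl s_client -connect <host>:443 -status` (a different tool from the checker in the steps above) and also flags a stapled response that is past its Next Update time, which is what a server keeps serving when the responder has been unreachable. The sample output and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample of the OCSP part of `openssl s_client -status` output
# (illustrative values, not captured from a real server).
STAPLED = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Produced At: May  6 10:00:00 2024 GMT
    Cert Status: good
    This Update: May  6 10:00:00 2024 GMT
    Next Update: May 13 09:59:59 2024 GMT
"""
NOT_STAPLED = "OCSP response: no response sent\n"


def _field(text, name):
    """Return the value of a 'Name: value' line, or None if it is absent."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.+?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None


def _when(value):
    """Parse OpenSSL's 'May  6 10:00:00 2024 GMT' (day is space-padded)."""
    text = " ".join(value.split())
    return datetime.strptime(text, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def staple_state(s_client_output, now):
    """Classify a handshake: not-stapled, error, revoked/unknown, stale or good."""
    if "OCSP response: no response sent" in s_client_output:
        return "not-stapled"            # server did not staple anything
    status = _field(s_client_output, "OCSP Response Status")
    if status is None or not status.startswith("successful"):
        return "error"                  # responder error or unparsable output
    cert = _field(s_client_output, "Cert Status")
    if cert != "good":
        return cert or "error"          # "revoked" or "unknown"
    this_update = _field(s_client_output, "This Update")
    if this_update is None or now < _when(this_update):
        return "not-yet-valid"
    next_update = _field(s_client_output, "Next Update")
    if next_update is not None and now > _when(next_update):
        return "stale"                  # server is serving an expired staple
    return "good"


if __name__ == "__main__":
    print(staple_state(STAPLED, datetime.now(timezone.utc)))
```
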

One thing to note here is that OCSP stapling isn’t enabled by default in servers below Windows 2008. Here’s an easy, step-by-step guide to enable OCSP stapling in Windows servers.
