OCSP Stapling
When Online Certificate Status Protocol (OCSP) stapling is enabled, CDN queries and caches the status of online certificates in advance and returns the status to a browser when establishing a TLS connection with the browser. This means that the browser does not need to query the status from certificate authorities (CAs), accelerating the verification.
Working Principles
CAs provide OCSP information for clients to check validity of certificates in real time.
- When OCSP stapling is disabled, each visitor to the website sends a query for OCSP, affecting page loading on browsers. A large number of concurrent requests bring great pressure to CA servers.
- When OCSP stapling is enabled, CDN queries and caches verification results of online certificates in advance. Users do not need to send requests to CAs. They only need to verify the validity of the cached results. This improves the TLS handshake efficiency and reduces the verification time.
Constraints
- An HTTPS certificate has been configured. For details, see Configuring an HTTPS Certificate.
- Disabling the HTTPS certificate will disable OCSP stapling.
- After configuring the HTTPS certificate, wait about 5 minutes for the configuration to complete and then enable OCSP stapling.
Procedure
- Log in to Huawei Cloud console. Choose .
The CDN console is displayed.
- In the navigation pane, choose .
- In the domain list, click the target domain name or click Configure in the Operation column.
- Click the HTTPS Settings tab.
Figure 1 OCSP stapling
By default, OCSP stapling is disabled.
- Switch on OCSP Stapling.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.