Updated on 2024-04-25 GMT+08:00

OCSP Stapling

When Online Certificate Status Protocol (OCSP) stapling is enabled, CDN queries and caches the status of the online certificate in advance and returns the cached status to the browser while establishing the TLS connection. The browser therefore does not need to query the certificate authority (CA) itself, which shortens certificate verification.

Working Principles

CAs provide OCSP information so that clients can check the validity of certificates in real time.

  • When OCSP stapling is disabled, each visitor's browser sends its own OCSP query, which slows page loading. A large number of concurrent queries also puts heavy load on CA servers.
  • When OCSP stapling is enabled, CDN queries and caches the verification results of online certificates in advance. Browsers do not need to send requests to CAs; they only need to verify the validity of the cached, CA-signed result. This improves TLS handshake efficiency and reduces verification time.
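A practical way to confirm that a domain is really serving a stapled response after enabling the feature, as an added example that is not part of this page or of Huawei Cloud's own tooling: a POSIX shell check that parses the output of `openssl s_client -status`. The `classify_staple` and `check_host` helpers and the sample outputs are constructed here for illustration.

```shell
#!/bin/sh
# Added example: classify the OCSP stapling state of a TLS endpoint from
# `openssl s_client -status` output. Not Huawei Cloud code.

# Read s_client output on stdin, print a one-word verdict, and return 0 only
# when a stapled response is present, its status is "successful", and the
# certificate status inside it is "good". Anything else is a failed check.
classify_staple() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q '^OCSP response: no response sent'; then
    echo "not-stapled"; return 1          # server did not staple anything
  fi
  if ! printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
    echo "staple-error"; return 1         # stapled, but responder reported an error
  fi
  if printf '%s\n' "$out" | grep -q 'Cert Status: good'; then
    echo "stapled-good"; return 0
  fi
  echo "stapled-not-good"; return 1       # e.g. revoked or unknown
}

# Live check (needs network). SNI is set so the edge node selects the
# certificate for this domain rather than a default one.
check_host() {
  host=$1; port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" -status \
    </dev/null 2>/dev/null | classify_staple
}

# Constructed sample outputs, abridged from the format openssl prints.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Apr 25 00:00:00 2024 GMT
    Next Update: May  2 00:00:00 2024 GMT
======================================'
SAMPLE_NONE='OCSP response: no response sent'

# Usage: sh ocsp_check.sh <domain> [port]
if [ "$#" -gt 0 ]; then
  check_host "$1" "${2:-443}"
fi
```

Run the script immediately after enabling the switch and again a few minutes later; a "not-stapled" verdict right after enabling is expected until the edge nodes have fetched and cached the response.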

Constraints

  • An international HTTPS certificate has been configured. For details, see HTTPS Certificates.
    • Disabling the HTTPS certificate will disable OCSP stapling.
    • After configuring the HTTPS certificate, wait about 5 minutes for the configuration to complete and then enable OCSP stapling.
  • OCSP stapling cannot be applied to whole site acceleration or domain names that also require acceleration services outside the Chinese mainland.
  • If you change the certificate type from International to Chinese (SM2), OCSP stapling will become invalid.
  • If you configure two certificates for a domain name, OCSP stapling takes effect only for the international certificate.

Procedure

  1. Log in to the Huawei Cloud console. Choose Service List > Content Delivery & Edge Computing > Content Delivery Network.

    The CDN console is displayed.

  2. In the navigation pane, choose Domains.
  3. In the domain list, click the target domain name or click Configure in the Operation column.
  4. Click the HTTPS Settings tab.
    Figure 1 OCSP stapling

    By default, OCSP stapling is disabled.

  5. Switch on OCSP Stapling.