Online Certificate Status Protocol Stapling (OCSP Stapling)
Definition - What does Online Certificate Status Protocol Stapling (OCSP Stapling) mean?
Online certificate status protocol stapling (OCSP stapling; formally TLS Certificate Status Request extension) is an enhancement to the standard OCSP protocol, which benefits end-users such as Web server administrators, application developers and browser developers for checking digital certificates, or public key certificates, statuses as alternative to OCSP.
Stapling delivers OCSP responses from the server giving the certificate and removes the need of end parties or users to check the responses with the issuing Certificate Authority (CA). Using OCSP stapling allows the holder of a digital certificate to take the responsibility in regards to resource costs in providing OCSP responses, as a replacement for the issuance of the CA.
Techopedia explains Online Certificate Status Protocol Stapling (OCSP Stapling)
When a TLS client (browser) creates an SSL connection, it first checks the legitimacy of the digital certificate that the server has. This checking process is managed by the CA through the use of an OCSP server which the browser queries. The process only provides an acceptable level of security; however, there are still certain issues, such as having to enable a form of communication with the CA, which is not always a possibility depending on the organizational structure. So, in order to prevent it, OCSP stapling enables the TLS server to act like an intermediary and provide an OCSP confirmation of its validity during the connection.
In OCSP stapling, the holder of the certificate verifies with the OCSP server regularly and gets a signed time-stamped OCSP response with every query. So, when a browser connects to a site it includes a Certificate Status Request extension with its handshake message, then the OCSP response is stapled or included with the TLS/SSL response from the server. Stapling the OCSP response adjusts the resource cost in giving an OCSP response from the CA, rather than connecting every client to the OCSP responder every time they want to determine their revocation status of their certificate in predefined intervals.