
Online Certificate Status Protocol Stapling (OCSP Stapling)

Definition - What does Online Certificate Status Protocol Stapling (OCSP Stapling) mean?

Online Certificate Status Protocol stapling (OCSP stapling; formally the TLS Certificate Status Request extension) is an enhancement to the standard OCSP protocol. It benefits end users such as Web server administrators, application developers and browser developers by offering an alternative to plain OCSP for checking the status of digital certificates (public key certificates).

Stapling delivers the OCSP response from the server presenting the certificate, which removes the need for the end party (the user) to check the response with the issuing Certificate Authority (CA). With OCSP stapling, the holder of a digital certificate takes on the resource cost of providing OCSP responses, rather than leaving it to the issuing CA.

Techopedia explains Online Certificate Status Protocol Stapling (OCSP Stapling)

When a TLS client (browser) creates an SSL connection, it first checks the legitimacy of the server's digital certificate. This checking process is managed by the CA through an OCSP server that the browser queries. The process provides an acceptable level of security; however, there are still certain issues, such as the requirement that the client be able to communicate with the CA, which is not always possible depending on the organizational structure. To avoid this, OCSP stapling lets the TLS server act as an intermediary and supply OCSP confirmation of its certificate's validity during the connection.

In OCSP stapling, the holder of the certificate queries the OCSP server regularly and gets a signed, time-stamped OCSP response with every query. When a browser connects to the site, it includes a Certificate Status Request extension in its handshake message, and the OCSP response is then stapled (included) with the TLS/SSL response from the server. Stapling the OCSP response shifts the resource cost of providing an OCSP response from the CA to the server, instead of every client connecting to the OCSP responder at predefined intervals whenever it wants to determine the revocation status of the server's certificate.
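The handshake described above can be exercised from the command line: `openssl s_client -status` sends the Certificate Status Request extension and prints whatever the server staples. The script below is an added example, not part of the original article; it assumes the `openssl` binary is installed, and the `staple_status` parser and the sample output it is fed are constructed for illustration.

```shell
#!/bin/sh
# Classify the stapling result from `openssl s_client -status` output read on stdin.
# Prints one of:  no-staple | staple:error | staple:<good|revoked|unknown> [(next update ...)]
staple_status() {
  awk '
    /^OCSP response: no response sent/ { print "no-staple"; found = 1; exit }
    # The server stapled something, but the responder did not answer "successful".
    /OCSP Response Status:/ && !/successful/ { print "staple:error"; found = 1; exit }
    /Cert Status:/ { status = $3 }                      # good | revoked | unknown
    /Next Update:/ { sub(/^[ \t]*Next Update: */, ""); nextup = $0 }
    END {
      if (found) exit
      if (status == "") { print "no-staple"; exit }   # no stapled status at all
      printf "staple:%s", status
      # A stapled response is only useful until Next Update; surface it so the
      # operator can see whether the server is refreshing its staple on time.
      if (nextup != "") printf " (next update %s)", nextup
      print ""
    }'
}

# Ask a live server for a staple: -status adds the Certificate Status Request
# extension to the ClientHello; -servername sets SNI so the right cert is returned.
check_stapling() {
  host=$1
  port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" -status </dev/null 2>/dev/null \
    | staple_status
}

# Constructed sample of the relevant lines from `openssl s_client -status` output,
# used here only to demonstrate the parser offline.
SAMPLE_GOOD='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT'

# Usage against a real host:  check_stapling example.com
```

Run `printf '%s\n' "$SAMPLE_GOOD" | staple_status` to see the parser's output for the constructed sample; `no-staple` against a real host means the server is not configured to staple and every client must contact the CA's responder itself.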
