
Online Certificate Status Protocol Stapling (OCSP Stapling)

Definition - What does Online Certificate Status Protocol Stapling (OCSP Stapling) mean?

Online Certificate Status Protocol stapling (OCSP stapling; formally the TLS Certificate Status Request extension) is an enhancement to the standard OCSP protocol. It gives Web server administrators, application developers and browser developers an alternative to plain OCSP for checking the revocation status of digital (public key) certificates.

With stapling, the OCSP response is delivered by the same server that presents the certificate, so the client no longer has to query the issuing Certificate Authority (CA) itself. The certificate holder thereby takes on the resource cost of providing OCSP responses, instead of the CA's responder bearing it for every client.

Techopedia explains Online Certificate Status Protocol Stapling (OCSP Stapling)

When a TLS client (for example a browser) opens an SSL/TLS connection, it first checks that the server's digital certificate is valid and has not been revoked. In plain OCSP this check is handled by the CA, which runs an OCSP responder that the browser queries directly. That provides an acceptable level of security, but it has drawbacks: the client must be able to reach the CA's responder, which is not always possible depending on the network or organizational structure. OCSP stapling addresses this by letting the TLS server act as an intermediary and present the OCSP confirmation of its own certificate's validity during the handshake.

In OCSP stapling, the certificate holder queries the CA's OCSP responder at regular intervals and receives a signed, time-stamped OCSP response with each query. When a browser connects to the site, it includes a Certificate Status Request extension in its handshake message, and the server staples (includes) the cached OCSP response in its TLS/SSL handshake reply. This shifts the resource cost of serving OCSP responses from the CA to the server, which refreshes the response at predefined intervals, rather than having every client contact the OCSP responder each time it needs to determine the certificate's revocation status.
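A practical way to verify that a server really staples, as an added example that is not part of this page: `openssl s_client -status` sends the Certificate Status Request extension described above, and the small parser below classifies the captured output. The `check_stapling` wrapper and the sample output strings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Techopedia page. `openssl s_client -status` sends the
# TLS Certificate Status Request extension; if the server staples, the stapled OCSP
# response is printed in the handshake output. parse_stapling() classifies that output.

# Classify captured `openssl s_client -status` output read from stdin.
# Prints "stapled:<cert status>" and returns 0 when a successful stapled response
# is present, prints "not-stapled" and returns 1 when the server sent none,
# prints "unknown" and returns 2 for anything else (e.g. a failed handshake).
parse_stapling() {
  out=$(cat)
  case "$out" in
    *"OCSP Response Status: successful"*)
      # "Cert Status:" in the printed response is good, revoked or unknown
      status=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: *//p' | head -n 1)
      echo "stapled:${status:-unknown}"; return 0 ;;
    *"OCSP response: no response sent"*)
      echo "not-stapled"; return 1 ;;
    *)
      echo "unknown"; return 2 ;;
  esac
}

# Query a live host (hypothetical helper; needs network access). stdin from
# /dev/null closes the connection right after the handshake completes.
check_stapling() {
  openssl s_client -connect "$1:443" -servername "$1" -status </dev/null 2>/dev/null \
    | parse_stapling
}

# Constructed samples of the relevant lines s_client prints in each case.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT'
SAMPLE_NONE='OCSP response: no response sent'

# Usage: printf '%s\n' "$SAMPLE_STAPLED" | parse_stapling   # prints stapled:good
```

A "not-stapled" result means clients will fall back to contacting the CA's responder themselves, which is exactly the dependency stapling is meant to remove.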
