OCSP Stapling – Check Your Certificate Revocation

OCSP Stapling is known as TLS certificate status Request extension used to check the status of certificate revocation of x.509 digital certificate. OCSP is useful for clients who possess limited processing power and memory and even for CAs who have large CRLs (Certificate Revocation Lists). OCSP can provide more appropriate information about the revocation of a certificate than CRL. OCSP can check the certificate issued by CA while CRL only provides the revocation list of serial numbers and therefore, it is possible to detect the usage of fraudulent certificate.

OCSP request made by browser itself takes much time in SSL handshake and creates traffic burden on the CA. To handle large sites that serving multiple users, the CA must build a significant infrastructure to handle all those requests. To overcome this issue, Internet Engineering Task Force’s TLS Working Group defined an extension to the TLS protocol referred to as OCSP stapling. It uses TLS server as a proxy and provides OCSP response for site’s certificate and passes on to clients that asking for the response for TLS handshake. As the response comes directly from the server, there is no need to obtain request information from issuer that can augment site performance.

Cheap SSL

By mitigating privacy concern and burden of the infrastructure demands, it makes faster web page loading. OCSP stapling is at present backed by IIS 7+, Apache 2.4+ (must be manually enabled) and Nginx 1.7.3+. Some facts about OCSP stapling are defined as under.

  • In the latest Netcraft survey, 22% of certificates were processed with OCSP stapling.
  • All these 22% of certificates were using Microsoft window.
  • 94.54% Window server 2008 use OCSP stapling.
  • 1.76% Window server 2012 uses OCSP stapling.
  • Linux and other unknown operating system contribute 1.39 & 1.25% respectively in OCSP stapling usage.

Below table shows browser wise support of OCSP stapling.

Browser/OS Windows Linux Mac OS X IOS Android
Chrome 28

Yes

Yes

No

No

No

Firefox 22

No

No

No

N/A

No

IE 10

Yes

N/A

N/A

N/A

N/A

Safari 6

No

N/A

No

No

N/A

Opera 12

Yes

Yes

Yes

N/A

N/A

Opera 15

Yes

N/A

No

N/A

N/A

Opera Mini

N/A

N/A

N/A

Yes

Yes

Opera Mobile

N/A

N/A

N/A

N/A

No

The main drawback of OCSP stapling is it increases the traffic size per full handshake; however, such size is negligible compare to encrypted data sent over the connection. OCSP stapling only runs for site certificates and never checks the validity of intermediate CA certificates in the certificate chain and clients have to check individually certificate’s validity with CRLs or OCSP responses.

To avoid this limitation, OCSP multiple stapling has come into force that carries OCSP requirement in intermediate CA certificate. Now it is possible to use OCSP stapling for intermediate certificate. Checking intermediate certificate information with OCSP stapling is referred to multi stapling. Some reviewers also raised a question that size of multiple stapling will increase the handshake delay. To mitigate this hurdle, Certificate Authority has to keep their OCSP response small (512 bytes) and try to avoid assigned OCSP signing certificate.

It is necessary to check cancelled certificate as it will be unsafe for website users and organization and hackers can compromise the revoked certificate and may steal user’s data. OCSP stapling is one-step ahead than CRL, as it understands better the situation of revocation certificate.

 

We Assure to Serve

Leading Brands

Leading Brands

ClickSSL is platinum partner of leading CAs & offering broad range of SSL certificate products.

Valued Price

Valued Price

You are at right place to get cheapest SSLs; our prices are up to 79% low as compared to CAs.

100% Refund Policy

100% Refund Policy

If you are not satisfied, our all SSL certificates are backed by 30-day 100% money back guarantee.

24×7 Support

24×7 Support

Our experts are always active to help you, so you will get instant solutions for your queries.