TLS | Low Priority | Pro

OCSP Stapling

OCSP (Online Certificate Status Protocol) stapling is a TLS extension that allows your web server to proactively provide certificate revocation status to browsers during the TLS handshake. Instead of requiring clients to contact the Certificate Authority (CA) directly, your server attaches ('staples') a cached, CA-signed OCSP response to the handshake, confirming the certificate has not been revoked.

Why It Matters

Without OCSP stapling, every browser must contact the CA's OCSP responder to verify your certificate hasn't been revoked before completing a secure connection. This creates three problems: latency (an extra network round-trip to the CA's servers adds 50–200ms per connection), privacy (CAs can log which users visit which sites), and reliability (if the CA's OCSP server is slow or unavailable, browsers may delay or skip the check). OCSP stapling solves all three: your server fetches and caches the OCSP response (typically valid for 24–48 hours), then includes it directly in the TLS handshake. Browsers get instant revocation status with no privacy leakage and no dependency on CA server uptime.

How We Check

We verify OCSP stapling by analyzing the TLS handshake your server returns. We check that a valid, non-expired OCSP response is attached to the certificate chain, that the status_request TLS extension is present in the ServerHello message, and that the stapled response is signed by the issuing CA. We also check that the OCSP response is within its validity window (between its This Update and Next Update times) and that your server is refreshing it before it expires rather than serving a stale copy.
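As an added illustration of the checks above (this is not the scanner's own code), the Python below grades the output of the `openssl s_client -status` command given under How to Fix against the same criteria: stapled at all, responder status successful, certificate status good, and still inside its validity window. The sample output is constructed, and the 12-hour "refresh is lagging" threshold is an assumed value.

```python
import re
from datetime import datetime, timezone

OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"

# Constructed sample of `openssl s_client -status` output (not a real capture).
SAMPLE_STAPLED = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Jan  1 12:00:00 2025 GMT
    Next Update: Jan  8 12:00:00 2025 GMT
"""
SAMPLE_NOT_STAPLED = "OCSP response: no response sent\n"


def parse_time(text):
    """Parse an openssl-printed GMT timestamp into an aware UTC datetime."""
    return datetime.strptime(text, OPENSSL_TIME).replace(tzinfo=timezone.utc)

def check_stapled_response(output, now=None, min_hours_left=12):
    """Grade the stapled OCSP response in s_client output; returns (passed, reason).
    Fails if nothing is stapled, the responder status is not 'successful', the cert
    is not 'good', or the response is outside / about to leave its validity window."""
    now = now or datetime.now(timezone.utc)

    def field(name):  # value of a "Name: value" line, or None if absent
        m = re.search(rf"^\s*{name}:\s*(.+?)\s*$", output, re.M)
        return m.group(1) if m else None

    if "OCSP Response Data" not in output:
        return False, "server did not staple an OCSP response"
    if not (field("OCSP Response Status") or "").startswith("successful"):
        return False, f"responder status: {field('OCSP Response Status')}"
    cert_status = (field("Cert Status") or "").lower()
    if cert_status != "good":
        return False, f"certificate status: {cert_status or 'missing'}"
    try:
        this_update, next_update = parse_time(field("This Update")), parse_time(field("Next Update"))
    except (TypeError, ValueError):
        return False, "missing or unparseable validity window"
    if now < this_update:
        return False, "response not yet valid (check server clock)"
    hours_left = (next_update - now).total_seconds() / 3600
    if hours_left <= 0:
        return False, "stapled response has expired; server is not refreshing it"
    if hours_left < min_hours_left:
        return False, f"stapled response expires in {hours_left:.1f}h; refresh is lagging"
    return True, f"good, {hours_left:.1f}h of validity left"
```

Feed it the captured stdout of the openssl command from How to Fix to grade a live server; the assumed 12-hour margin should be lowered for responders that issue short-lived responses.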

How to Fix

Enable OCSP stapling in your web server configuration:

Nginx — add to your ssl server block:

    ssl_stapling on;
    ssl_stapling_verify on;
    # ssl_stapling_verify needs the issuer and root certificates trusted via
    # ssl_trusted_certificate if they are not already in your ssl_certificate chain file
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

Apache — add SSLUseStapling to your VirtualHost, and SSLStaplingCache at global server scope (the cache directive is only valid in the main server config, not inside a VirtualHost):

    SSLStaplingCache shmcb:/var/run/ocsp(128000)

    <VirtualHost *:443>
        SSLUseStapling On
    </VirtualHost>

After enabling, restart your server and test with:

    openssl s_client -connect yourdomain.com:443 -status 2>/dev/null | grep -A 10 'OCSP Response'

The output should show 'OCSP Response Status: successful' and 'Cert Status: Good'. Make sure your server has outbound access to the CA's OCSP responder URL (listed in your certificate's AIA extension).

© 2025-2026 SecScanner. All rights reserved.