Skip to main content
SecScannerSecScanner
Security ChecksFree ToolsPricingBlog
Get Started
Sign InGet Started
Security ChecksOCSP Stapling
TLSLow PriorityPro

Free OCSP Checker — Test OCSP Stapling Online

Updated June 2026·SecScanner Team

OCSP (Online Certificate Status Protocol) stapling is a TLS extension that allows your web server to proactively provide certificate revocation status to browsers during the TLS handshake. Instead of requiring clients to contact the Certificate Authority (CA) directly, your server attaches ('staples') a cached, CA-signed OCSP response to the handshake, confirming the certificate has not been revoked.

Why It Matters

Without OCSP stapling, every browser must contact the CA's OCSP responder to verify your certificate hasn't been revoked before completing a secure connection. This creates three problems: latency (an extra network round-trip to the CA's servers adds 50–200ms per connection), privacy (CAs can log which users visit which sites), and reliability (if the CA's OCSP server is slow or unavailable, browsers may delay or skip the check). OCSP stapling solves all three: your server fetches and caches the OCSP response (typically valid for 24–48 hours), then includes it directly in the TLS handshake. Browsers get instant revocation status with no privacy leakage and no dependency on CA server uptime.

How We Check

We verify OCSP stapling by analyzing the TLS handshake response from your server. We check for a valid, non-expired OCSP response attached to the certificate chain, the status_request TLS extension in the ServerHello message, and confirm the stapled response is signed by the issuing CA. We also check that the OCSP response is within its validity window and that your server is configured to automatically refresh it before expiry.

How to Fix

Enable OCSP stapling in your web server configuration:

Nginx — add to your ssl server block: ssl_stapling on; ssl_stapling_verify on; resolver 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 5s;

Apache — add to your VirtualHost: SSLUseStapling On SSLStaplingCache shmcb:/var/run/ocsp(128000)

After enabling, restart your server and test with: openssl s_client -connect yourdomain.com:443 -status 2>/dev/null | grep -A 10 'OCSP Response'

The output should show 'OCSP Response Status: successful' and 'Cert Status: Good'. Make sure your server has outbound access to the CA's OCSP responder URL (listed in your certificate's AIA extension).

Frequently Asked Questions

What is OCSP stapling?

OCSP stapling is a TLS extension where your web server proactively fetches and 'staples' a Certificate Authority-signed certificate status response to the TLS handshake. Instead of browsers contacting the CA's OCSP server directly, they receive the revocation status immediately from your server — reducing latency by 50–200ms per connection.

How do I test OCSP stapling online?

Use SecScanner's free OCSP checker above to instantly check OCSP status online for any domain. Alternatively, run: `openssl s_client -connect yourdomain.com:443 -status 2>/dev/null | grep 'OCSP Response Status'`. If stapling is enabled, you'll see 'OCSP Response Status: successful'.

How do I enable OCSP stapling in Nginx?

Add these lines to your Nginx ssl server block: `ssl_stapling on; ssl_stapling_verify on; resolver 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 5s;` — then reload Nginx. Your server needs outbound access to the CA's OCSP responder URL listed in the certificate's AIA extension.

How do I enable OCSP stapling in Apache?

Add to your VirtualHost: `SSLUseStapling On` and `SSLStaplingCache shmcb:/var/run/ocsp(128000)` — then restart Apache. The SSLStaplingCache directive must be in the global config, not inside a VirtualHost block.

Why does OCSP checking matter for SSL security?

OCSP checking lets browsers verify a certificate hasn't been revoked before trusting it — essential for SSL security. Without it, a compromised or mis-issued certificate could remain trusted indefinitely. OCSP stapling delivers this check with zero latency overhead: instead of browsers contacting the CA (adding 50–200ms), your server pre-fetches the signed response and includes it directly in the TLS handshake.

Does OCSP stapling affect privacy?

Yes — it improves it. Without stapling, CAs can log which IP addresses request OCSP status for which certificates, effectively tracking which users visit your site. With OCSP stapling, the OCSP request comes from your server (not your visitors), preserving user privacy.

Related Security Checks

TLS

Certificate Expiry

TLS

Certificate Hostname & Chain

Related Tool

SSL Checker

Run all 10 related checks with our free ssl checker

Check Your Website Now

Run a free security scan to check for OCSP Stapling issues and 62+ other security vulnerabilities.

Scan Your Website Free

Product

  • Security Checks
  • Free Tools
  • SSL Checker
  • Vulnerability Scanner
  • Email Security
  • Pricing
  • Compliance
  • Security Reports

Popular Checks

  • CSP Check
  • HSTS Check
  • TLS Version Check
  • SSL Expiry Check
  • SPF/DKIM/DMARC Check
  • Cookie Security Check
  • JS Vulnerability Scan
  • OCSP Stapling Check

Resources

  • Blog
  • Glossary
  • Contact

Legal

  • Terms of Use
  • Privacy Policy
  • Refund Policy
  • Cookie Policy

© 2025-2026 SecScanner. All rights reserved.