OCSP Stapling: Why should I enable it for my site?

Since Google first announced that securing a website with an SSL certificate would be considered a ranking signal for SEO, many web hosting providers, including us here at Conetix, have started providing free SSL certificates through certificate providers like Let’s Encrypt.

By providing an SSL certificate for your website, you can force all traffic for your website to use https:// (Hypertext Transfer Protocol Secure) rather than standard http://.

With this change and focus on securing websites, browser developers like Google (Chrome) and Firefox started displaying a secure or insecure site lock natively in their browsers. Their goal is to provide a more secure Internet and to build trust between your website and the end user.

So what is OCSP Stapling?

Online Certificate Status Protocol (OCSP) stapling is the standard for checking the revocation status of a digital certificate that is assigned to a website or web service. In simple terms: is your website’s SSL certificate valid?

To understand a little more about OCSP stapling we need to cover two parts: OCSP itself and the stapling extension.

OCSP itself is an independent protocol that allows the web browser to verify the SSL certificate's validity. The browser checks the website’s certificate in real time against the Certificate Authority (CA), which responds with good, revoked or unknown. With this verification process, each request or query has to be processed in real time and incurs a resource cost.

This cost is not only a bandwidth cost and a backend server resource cost, but also an end user browser cost in terms of slower performance. The busier the website is, the greater the resource cost and, in turn, the slower the website becomes.

Image showing OCSP prior to adding stapling.

To overcome this resource cost, stapling was introduced. As the term suggests, the OCSP response is stapled, or attached, to the connection between the website and the end user's browser to reduce this cost and speed up the process. The web server sends a time-stamped OCSP response along with its certificate during the TLS handshake, which eliminates the need for the end user's browser to contact the CA directly.

Image showing how OCSP speed is increased by adding stapling

Why would you use OCSP stapling?

This simple addition to your website’s SSL configuration improves both security and performance. This in turn builds trust in your website and gives end users confidence in using your site. It also provides a ranking signal for Google, which slightly improves the overall ranking of your domain and website.

  • Increases trust
  • Speeds up your website
  • Improves Google SEO ranking

How can you take advantage of OCSP Stapling?

The good news is that OCSP stapling has been implemented by all the major web servers, such as NGINX, Apache, LiteSpeed and Microsoft Windows Server.

With the major web servers implementing this protocol, many server management panel providers, such as Plesk, have taken advantage of this and created a simple way to implement and manage it quickly without any technical expertise.

Image of Plesk Obsidian - SSLIt showing how to add OCSP Stapling

How can I check if my website is using OCSP stapling?

The simplest way to check is to use online tools like SSL Labs SSL test. 
Simply go to https://ssllabs.com/ssltest and type in your domain name. 

It should show the following on the first page of your report if you are using OCSP Stapling.

SSL Labs SSL test result A+
SSL Labs SSL test showing OCSP result
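
The same check can be made from a command line with OpenSSL. This is an added example, not part of the original article: it assumes the openssl command-line tool is installed, the function names are hypothetical, and the sample output is constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the OCSP part of `openssl s_client -status` output.

# Reads s_client output on stdin and prints one of:
#   not-stapled | stapled-good | stapled-revoked | stapled-unknown | stapled-error
classify_ocsp() {
    awk '
        /OCSP response: no response sent/ { none = 1 }
        /OCSP Response Status:/ { st = $0; sub(/.*OCSP Response Status: */, "", st) }
        /Cert Status:/ && cert == "" { cert = $NF }
        END {
            if (none || st == "")          print "not-stapled"
            else if (st !~ /^successful/)  print "stapled-error"
            else if (cert == "good" || cert == "revoked") print "stapled-" cert
            else                           print "stapled-unknown"
        }'
}

# Live check: -status sends the TLS status_request extension, asking for a staple.
check_host() {
    openssl s_client -connect "$1:443" -servername "$1" -status </dev/null 2>/dev/null |
        classify_ocsp
}

# Constructed samples shaped like s_client output (not captured from a real site).
sample_stapled() {
    cat <<'EOF'
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2030 GMT
    Next Update: Jan  8 00:00:00 2030 GMT
EOF
}

sample_unstapled() {
    cat <<'EOF'
CONNECTED(00000003)
OCSP response: no response sent
EOF
}

sample_stapled | classify_ocsp      # offline demo on the constructed samples
sample_unstapled | classify_ocsp
```

To test a live site, call check_host with your own domain name. A server that has only just been reloaded may report not-stapled on the first connection until it has fetched a response from the CA, so repeat the check before concluding stapling is off.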

If you are hosting your website with Conetix or have your own Plesk Virtual Private Server with Conetix, you can add OCSP stapling to your website or sites now. 

If you don’t have this option with your current provider we would love to talk to you and see where we can assist.

More Technical Resources

If you want to know more about OCSP stapling and how it all works, the following are some great articles that you may find useful.

Cloudflare – High-reliability OCSP stapling and why it matters

CA Security Council – The Importance of checking for Certificate Revocation

Jamin Andrews
