What is Online Certificate Status Protocol Stapling (OCSP Stapling)?
OCSP stapling (formally the TLS Certificate Status Request extension, defined in RFC 6066) is an extension of the standard Online Certificate Status Protocol (OCSP). It is used by web server administrators, application developers and browser developers to check the revocation status of digital certificates (public key certificates) as an alternative to having every client query OCSP itself.
With stapling, the OCSP response is delivered by the TLS server that presents the certificate rather than fetched by the client from the issuing Certification Authority (CA), so the connecting party no longer has to contact the CA's OCSP responder at all. The certificate holder thereby takes on the resource cost of serving OCSP responses in place of the issuing CA.
When a TLS client (for example a browser) sets up a TLS connection, it first checks the validity of the certificate the server presents, including whether the certificate has been revoked. Without stapling, this revocation check goes to an OCSP responder operated by the CA, which the browser queries directly.
That process offers an acceptable level of security, but it has drawbacks: every client must be able to reach the CA's responder, which is not always possible depending on the network or organizational structure; each query adds a round trip to the handshake; and the responder learns which sites each client visits. Because of the reachability problem, most browsers soft-fail, treating an unreachable responder as if the certificate were valid, which makes the check easy for an on-path attacker to bypass. OCSP stapling addresses this by letting the TLS server act as an intermediary and present the CA's signed confirmation of its certificate's status during the handshake.
With OCSP stapling, the server that holds the certificate periodically queries the CA's OCSP responder for the status of its own certificate and receives a signed, time-stamped OCSP response with each query. When a browser connects to the site, it includes the Certificate Status Request (status_request) extension in its ClientHello to indicate that it wants a stapled response.
The server then staples, that is includes, its most recent cached OCSP response in the TLS handshake: in TLS 1.2 as a CertificateStatus message following the server's Certificate message, in TLS 1.3 as an extension carried inside the Certificate message. The client verifies the responder's signature and the response's validity window (thisUpdate and nextUpdate) and accepts it in place of its own query. Stapling thus shifts the cost of serving OCSP responses from the CA to the certificate holder, who refreshes the response at predefined intervals instead of every client contacting the OCSP responder each time it needs to determine the revocation status. Two practical points follow from this: the cached response must be refreshed well before its nextUpdate time, because clients reject an expired staple, and whether a server actually staples can be checked with openssl s_client -connect host:443 -status, which prints "OCSP Response Status: successful" when a response was stapled. Certificates that carry the TLS Feature extension (OCSP Must-Staple, RFC 7633) tell clients to hard-fail when no staple is presented instead of falling back to a direct OCSP query.
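The exchange described above, modelled end to end as an added example (not code from the original page or from any OCSP implementation): a CA responder that signs time-stamped status responses, a TLS server that fetches and caches the response for its own certificate and refreshes it at half its validity window, and a client that checks the staple it receives. The example is a model, not a real OCSP implementation: the response fields mirror the ones a client actually checks in RFC 6960, but the encoding is JSON rather than DER, and an HMAC over the fields stands in for the responder's signature (so both sides share a key, where real OCSP uses the responder's public key). Serial number, issuer key hash, key and timestamps are all constructed values.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from typing import Optional

SKEW = 300        # seconds of clock skew a client tolerates on thisUpdate/nextUpdate
DAY = 24 * 3600


@dataclass(frozen=True)
class OcspResponse:
    """The fields a client checks in a stapled response (a real one is DER, RFC 6960)."""
    issuer_key_hash: str
    serial: int
    status: str        # "good" or "revoked"
    this_update: int   # unix seconds: time at which the status is known to be correct
    next_update: int   # unix seconds: time by which newer status information is available
    sig: str           # stand-in for the responder's signature over the fields above


def _tbs(r: OcspResponse) -> bytes:
    """Bytes the signature covers: everything except the signature itself."""
    return json.dumps([r.issuer_key_hash, r.serial, r.status, r.this_update, r.next_update]).encode()


class Responder:
    """The CA's OCSP responder. HMAC is a stand-in for signing with the responder key."""
    def __init__(self, issuer_key_hash: str, key: bytes, validity: int = 7 * DAY):
        self.issuer_key_hash = issuer_key_hash
        self.key = key
        self.validity = validity
        self.revoked = set()   # serial numbers the CA has revoked

    def respond(self, serial: int, now: int) -> OcspResponse:
        status = "revoked" if serial in self.revoked else "good"
        unsigned = OcspResponse(self.issuer_key_hash, serial, status, now, now + self.validity, "")
        sig = hmac.new(self.key, _tbs(unsigned), hashlib.sha256).hexdigest()
        return replace(unsigned, sig=sig)


class StaplingServer:
    """TLS server side: fetches the response for its own certificate, caches it, refreshes early."""
    def __init__(self, serial: int, responder: Responder):
        self.serial = serial
        self.responder = responder
        self.cached: Optional[OcspResponse] = None

    def refresh(self, now: int, responder_up: bool = True) -> None:
        """Re-query once half the validity window has passed, so that a responder outage
        leaves the server with something valid to staple for the rest of the window."""
        c = self.cached
        due = c is None or now >= (c.this_update + c.next_update) // 2
        if due and responder_up:
            self.cached = self.responder.respond(self.serial, now)

    def staple(self, now: int) -> Optional[OcspResponse]:
        """What goes into the handshake: the cached response, or nothing once it has expired.
        Stapling an expired response is worse than stapling none, because clients reject it."""
        c = self.cached
        return c if c is not None and now < c.next_update else None


def client_check(stapled: Optional[OcspResponse], serial: int, issuer_key_hash: str,
                 responder_key: bytes, now: int, must_staple: bool = False) -> str:
    """Client side. Returns "good", "revoked", or the reason the handshake should fail.
    Without a staple, browsers soft-fail (continue); with Must-Staple they hard-fail."""
    if stapled is None:
        return "hard-fail: must-staple cert without staple" if must_staple else "soft-fail: no staple"
    expected = hmac.new(responder_key, _tbs(stapled), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, stapled.sig):
        return "hard-fail: bad signature"
    if stapled.serial != serial or stapled.issuer_key_hash != issuer_key_hash:
        return "hard-fail: response is for a different certificate"
    if stapled.this_update > now + SKEW:
        return "hard-fail: response from the future"
    if stapled.next_update <= now - SKEW:
        return "hard-fail: stale response"
    return stapled.status


def run_scenario() -> dict:
    """Walk the exchange through a responder outage and a revocation (constructed values)."""
    t0 = 1_700_000_000
    key = b"responder-key"          # constructed stand-in for the responder's key pair
    ikh = "sha1:ISSUER-KEY-HASH"    # constructed
    serial = 0x1234                 # constructed
    ca = Responder(ikh, key)
    srv = StaplingServer(serial, ca)
    out = {}
    srv.refresh(t0)
    out["fresh"] = client_check(srv.staple(t0), serial, ikh, key, t0)
    # Day 4: responder unreachable, but the cached response is still inside its window.
    t4 = t0 + 4 * DAY
    srv.refresh(t4, responder_up=False)
    out["outage_day4"] = client_check(srv.staple(t4), serial, ikh, key, t4)
    # Day 8: still unreachable; the cached response has expired, so nothing is stapled.
    t8 = t0 + 8 * DAY
    srv.refresh(t8, responder_up=False)
    out["outage_day8"] = client_check(srv.staple(t8), serial, ikh, key, t8)
    out["outage_day8_must_staple"] = client_check(srv.staple(t8), serial, ikh, key, t8, True)
    # Responder back and the certificate revoked meanwhile: the next refresh picks it up.
    ca.revoked.add(serial)
    srv.refresh(t8)
    out["revoked"] = client_check(srv.staple(t8), serial, ikh, key, t8)
    # A server that edits the status back to "good" breaks the responder's signature.
    out["forged"] = client_check(replace(srv.staple(t8), status="good"), serial, ikh, key, t8)
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step:26s} {result}")
```

The refresh-at-half-life policy in StaplingServer.refresh is the part worth copying: a server that only refreshes when the cached response has already expired will, during a responder outage, either staple nothing (and lose the benefit, or break Must-Staple clients) or staple a stale response that every client rejects.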