← Back to Blog
explainer

OCSP Stapling Explained: What It Is and How to Enable It (2026)

Every SSL certificate can be revoked — if a private key is compromised, or a certificate was issued by mistake, the CA can add it to a revocation list. But how does a browser know if a certificate has been revoked before trusting it? That's where OCSP and OCSP Stapling come in.

🔒

Free SSL Checker

Check whether OCSP stapling is enabled — shown in our detailed SSL report.

Try It Free →
Browser
CA OCSP Server
Separate revocation check (adds latency + privacy risk)

With OCSP Stapling (2 parties per visitor)

Your Server
CA OCSP Server
Server fetches and caches OCSP response periodically
Browser
Your Server
Receives cert + stapled OCSP response in one handshake

The OCSP response is signed by the CA, so the browser can verify it's legitimate even though your server delivered it. The CA never learns which visitor accessed your site.

How to Enable OCSP Stapling on Apache

Apache 2.3.3+ supports OCSP Stapling. Add these directives to your HTTPS VirtualHost block:

<VirtualHost *:443> ServerName yourdomain.com # ... existing SSL config ... # OCSP Stapling SSLUseStapling On SSLStaplingCache shmcb:/tmp/ocsp-stapling-cache(128000) </VirtualHost> # This directive must be outside the VirtualHost block (server-wide) SSLStaplingCache shmcb:/tmp/ocsp-stapling-cache(128000)

Reload Apache: sudo systemctl reload apache2

The SSLStaplingCache directive must be at the server level, not inside a VirtualHost block. Put it in your main Apache config (e.g., /etc/apache2/apache2.conf or a dedicated ssl.conf file), not in your site's VirtualHost file.

How to Enable OCSP Stapling on Nginx

Nginx has had OCSP Stapling support since version 1.3.7. Add these lines inside your server block:

server { listen 443 ssl; server_name yourdomain.com; ssl_certificate /etc/ssl/yourdomain.crt; ssl_certificate_key /etc/ssl/yourdomain.key; # Include the full chain (required for OCSP Stapling) ssl_trusted_certificate /etc/ssl/ca-chain.crt; # Enable OCSP Stapling ssl_stapling on; ssl_stapling_verify on; # DNS resolver for OCSP server lookup (use your preferred DNS) resolver 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 5s; }

Reload Nginx: sudo systemctl reload nginx

The ssl_trusted_certificate must point to the CA chain (the intermediate + root), not your server certificate itself. Nginx uses it to verify the OCSP server's response.

Verify OCSP Stapling Is Working

Test from the command line with OpenSSL:

openssl s_client -connect yourdomain.com:443 \ -servername yourdomain.com \ -status 2>&1 | grep -A 10 "OCSP response"

If OCSP Stapling is working, you'll see output like:

OCSP response: ====================================== OCSP Response Data: OCSP Response Status: successful (0x0) Response Type: Basic OCSP Response ... Cert Status: Good

If you see OCSP response: no response sent, OCSP Stapling is not active yet — it may take a few minutes after a reload for the server to fetch and cache its first OCSP response.

OCSP Must-Staple: Extra Protection

There's a certificate extension called OCSP Must-Staple that tells the browser to require a stapled OCSP response. If the browser connects and doesn't receive one, it refuses the connection. This is the most security-conscious option but also the most demanding — if your server fails to refresh its OCSP staple (e.g., the CA's OCSP server is temporarily unreachable), your site goes down for affected browsers. Most production sites skip Must-Staple and rely on standard stapling.

FAQs

OCSP Stapling on Windows Server (IIS)

Windows Server 2008 R2+ IIS 7.5+

Unlike Apache and Nginx, Windows Server enables OCSP stapling automatically — no configuration required. Any certificate with an OCSP URL in its Authority Information Access (AIA) extension (which all publicly trusted certificates include) will be stapled automatically by Schannel, the Windows TLS stack.

Verify it is working with OpenSSL (install via winget install ShiningLight.OpenSSL):

# Check OCSP stapling is active on your IIS site openssl s_client -connect yourdomain.com:443 -status 2>&1 | Select-String "OCSP" # Expected output when stapling is working: # OCSP response: # OCSP Response Status: successful (0x0) # This Update: Jul 15 00:00:00 2026 GMT # Next Update: Jul 22 00:00:00 2026 GMT

If OCSP stapling is not appearing, you can force-enable it via the registry (usually not necessary):

# Run in elevated PowerShell # Enable OCSP stapling for SNI-based certificates $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" New-ItemProperty -Path $path -Name "EnableOcspStaplingForSni" -Value 1 -PropertyType DWORD -Force # Restart the HTTP service to apply Restart-Service -Name "W3SVC"
IIS advantage: OCSP stapling on IIS is enabled by default with no config changes. Your main job is to verify it is active using the OpenSSL command above.

macOS (Homebrew Apache / Nginx)

On macOS with Homebrew Apache, OCSP stapling uses the same directives as the Linux Apache section above. Add them to /opt/homebrew/etc/httpd/extra/httpd-ssl.conf. For Homebrew Nginx, add the directives to /opt/homebrew/etc/nginx/nginx.conf. The only difference from Linux is the cache file path:

# Homebrew Apache — in /opt/homebrew/etc/httpd/extra/httpd-ssl.conf SSLUseStapling On SSLStaplingCache "shmcb:/opt/homebrew/var/run/httpd/ssl_stapling(32768)" # Homebrew Nginx — in server { listen 443 ssl; } block ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /opt/homebrew/etc/httpd/ssl/yourdomain.ca-bundle; # Reload brew services restart httpd # Apache brew services restart nginx # Nginx

Check your SSL configuration and OCSP status

Our SSL Checker shows whether OCSP Stapling is active and your certificate chain is complete.