OCSP Stapling Explained: What It Is and How to Enable It (2026)
Every SSL certificate can be revoked — if a private key is compromised, or a certificate was issued by mistake, the CA can add it to a revocation list. But how does a browser know if a certificate has been revoked before trusting it? That's where OCSP and OCSP Stapling come in.
Free SSL Checker
Check whether OCSP stapling is enabled — shown in our detailed SSL report.
Try It Free →With OCSP Stapling (2 parties per visitor)
The OCSP response is signed by the CA, so the browser can verify it's legitimate even though your server delivered it. The CA never learns which visitor accessed your site.
How to Enable OCSP Stapling on Apache
Apache 2.3.3+ supports OCSP Stapling. Add these directives to your HTTPS VirtualHost block:
Reload Apache: sudo systemctl reload apache2
SSLStaplingCache directive must be at the server level, not inside a VirtualHost block. Put it in your main Apache config (e.g., /etc/apache2/apache2.conf or a dedicated ssl.conf file), not in your site's VirtualHost file.
How to Enable OCSP Stapling on Nginx
Nginx has had OCSP Stapling support since version 1.3.7. Add these lines inside your server block:
Reload Nginx: sudo systemctl reload nginx
The ssl_trusted_certificate must point to the CA chain (the intermediate + root), not your server certificate itself. Nginx uses it to verify the OCSP server's response.
Verify OCSP Stapling Is Working
Test from the command line with OpenSSL:
If OCSP Stapling is working, you'll see output like:
If you see OCSP response: no response sent, OCSP Stapling is not active yet — it may take a few minutes after a reload for the server to fetch and cache its first OCSP response.
OCSP Must-Staple: Extra Protection
There's a certificate extension called OCSP Must-Staple that tells the browser to require a stapled OCSP response. If the browser connects and doesn't receive one, it refuses the connection. This is the most security-conscious option but also the most demanding — if your server fails to refresh its OCSP staple (e.g., the CA's OCSP server is temporarily unreachable), your site goes down for affected browsers. Most production sites skip Must-Staple and rely on standard stapling.
FAQs
- Do I need to do anything special with Let's Encrypt for OCSP Stapling?
No special configuration needed at the CA level. Let's Encrypt certificates include the OCSP URL in the certificate itself. Your server just needs to have OCSP Stapling enabled and be able to reach Let's Encrypt's OCSP server over the internet. - Does Cloudflare handle OCSP Stapling for me?
Yes. If your site sits behind Cloudflare, Cloudflare handles OCSP Stapling automatically for the certificate it presents to visitors at the edge. You should still enable it on your origin for any direct connections, but most users will benefit from Cloudflare's handling automatically. - How long is the OCSP response cached?
The OCSP response includes a "Next Update" timestamp from the CA — typically 24–96 hours. Your server will automatically fetch a fresh response before the cached one expires. Nginx and Apache both handle this renewal automatically.
OCSP Stapling on Windows Server (IIS)
Unlike Apache and Nginx, Windows Server enables OCSP stapling automatically — no configuration required. Any certificate with an OCSP URL in its Authority Information Access (AIA) extension (which all publicly trusted certificates include) will be stapled automatically by Schannel, the Windows TLS stack.
Verify it is working with OpenSSL (install via winget install ShiningLight.OpenSSL):
If OCSP stapling is not appearing, you can force-enable it via the registry (usually not necessary):
macOS (Homebrew Apache / Nginx)
On macOS with Homebrew Apache, OCSP stapling uses the same directives as the Linux Apache section above. Add them to /opt/homebrew/etc/httpd/extra/httpd-ssl.conf. For Homebrew Nginx, add the directives to /opt/homebrew/etc/nginx/nginx.conf. The only difference from Linux is the cache file path:
Check your SSL configuration and OCSP status
Our SSL Checker shows whether OCSP Stapling is active and your certificate chain is complete.