DNS Checker(beta)

OCSP Stapling

A TLS extension through which the server attaches a fresh, CA-signed OCSP response to the handshake, so clients do not have to query the CA's OCSP responder directly.

OCSP stapling (the TLS `status_request` extension, RFC 6066) lets a server periodically fetch a signed OCSP response for its own certificate from the CA's responder and attach ("staple") it to the handshake: in TLS 1.2 in a CertificateStatus message, in TLS 1.3 as an extension on the Certificate message. The client validates the stapled response (CA signature, matching certificate, and a thisUpdate/nextUpdate window that covers the present) instead of contacting the responder itself. That closes a privacy leak (the CA no longer learns which clients visit which sites), removes a blocking round trip to the responder on connections where the client has no cached response, and takes the responder's availability out of the client's path, so a responder outage no longer forces the client to choose between failing the connection and skipping the check (most browsers soft-fail and skip it). Stapling on its own is optional from the client's point of view: a server that simply omits the staple gets the same soft-fail treatment. Must-Staple (the TLS Feature extension, RFC 7633) fixes that by putting a flag in the certificate that tells clients to refuse any handshake without a valid stapled response. The cost lands on the server operator: the staple must be refreshed before its nextUpdate, and a server that presents a stale or missing staple for a Must-Staple certificate is hard-failed by compliant clients.
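The whole cycle described above, as an added example that is not part of the original page: a throwaway CA issues a Must-Staple leaf, an OCSP response is minted for it offline, the response is checked the way a client would check a staple, and finally a loopback `openssl s_server` staples it so `openssl s_client -status` can show it arriving in the handshake. It assumes `openssl` (1.1.1 or 3.x) on PATH; the CA name, the `example.test` hostname, serial 0x1000 and port 48443 are all made up for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Requires `openssl` on PATH.
# Everything is built in a temp dir and removed on exit.
WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

# 1. Throwaway PKI: a self-signed CA and a leaf carrying the RFC 7633 TLS Feature
#    extension that lists status_request (feature 5), i.e. Must-Staple.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
    -keyout ca.key -out ca.crt >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -keyout leaf.key -out leaf.csr >/dev/null 2>&1
printf 'subjectAltName = DNS:example.test\ntlsfeature = status_request\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -set_serial 4096 \
    -days 30 -extfile leaf.ext -out leaf.crt >/dev/null 2>&1

# Does a certificate demand a stapled response? Prints yes or no.
must_staple_flag() {
    if openssl x509 -in "$1" -noout -text | grep -A1 'TLS Feature' | grep -q status_request
    then echo yes; else echo no; fi
}

# 2. Mint an OCSP response offline. The request carries no nonce: a stapled
#    response is shared by every client, so it cannot be tied to one request.
#    The responder needs a CA-style index that lists serial 0x1000 as V(alid).
openssl ocsp -issuer ca.crt -cert leaf.crt -no_nonce -reqout req.der >/dev/null 2>&1
printf 'V\t301231235959Z\t\t1000\tunknown\t/CN=example.test\n' > index.txt
openssl ocsp -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key -ndays 7 \
    -no_nonce -noverify -reqin req.der -respout resp.der >/dev/null 2>&1

# 3. Check a response as a client would: the signature must chain to the CA,
#    the CertID must match this leaf, and thisUpdate/nextUpdate must cover now.
#    Prints good/revoked/unknown, "stale" if the window has lapsed, or "invalid".
staple_status() {
    local out
    out=$(openssl ocsp -respin "$1" -issuer ca.crt -cert leaf.crt \
          -CAfile ca.crt -no_nonce 2>&1) || { echo invalid; return; }
    case $out in
        *"Status times invalid"*) echo stale; return ;;   # openssl only warns here
        *"Response verify OK"*) ;;
        *) echo invalid; return ;;
    esac
    printf '%s\n' "$out" | sed -n 's/^leaf.crt: //p'
}

# 4. Staple it: s_server sends resp.der in the handshake (status_request), and
#    s_client -status prints whatever status it received. Prints stapled or not.
loopback_staple_check() {
    local port=48443 srv out
    openssl s_server -accept "$port" -cert leaf.crt -key leaf.key \
        -status -status_file "$1" >/dev/null 2>&1 &
    srv=$!
    sleep 1
    out=$(openssl s_client -connect "127.0.0.1:$port" -CAfile ca.crt -status \
          </dev/null 2>/dev/null)
    kill "$srv" 2>/dev/null
    if printf '%s\n' "$out" | grep -q 'Cert Status: good'
    then echo stapled; else echo "not stapled"; fi
}

MUST_STAPLE=$(must_staple_flag leaf.crt)    # yes: the leaf is Must-Staple
CA_FLAG=$(must_staple_flag ca.crt)          # no: the CA cert has no TLS Feature
STATUS=$(staple_status resp.der)            # good
STAPLED=$(loopback_staple_check resp.der)   # stapled (needs a free loopback port)
echo "must-staple(leaf)=$MUST_STAPLE must-staple(ca)=$CA_FLAG ocsp=$STATUS loopback=$STAPLED"
# The validity window a stapling server must refresh within:
openssl ocsp -respin resp.der -issuer ca.crt -cert leaf.crt -CAfile ca.crt \
    -no_nonce 2>/dev/null | grep -E 'This Update|Next Update'
```

Against a real host the client-side half is just `openssl s_client -connect host:443 -status </dev/null | grep -A2 'OCSP Response Status'`; "no response sent" means the server is not stapling. Note that `openssl ocsp` only prints a warning when a response is outside its thisUpdate/nextUpdate window and still reports the status it carries, which is why the example inspects stderr for that warning rather than trusting the status line alone.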
