
Enabling OCSP Stapling

Last updated: 2023-09-07 15:38:31

Note

The Online Certificate Status Protocol (OCSP) is an online query protocol, provided by the Certificate Authority (CA), used to check whether a certificate is valid and has not been revoked. Each time a user accesses a website via HTTPS, the browser uses OCSP to verify whether the website's certificate is valid.

Upon enabling OCSP stapling, the task of OCSP querying is undertaken by the EdgeOne server, which can also cache the query results. During a TLS handshake with the client, EdgeOne directly responds with the OCSP information and certificate for client verification, eliminating the need for the client to send a query request to the CA. This significantly enhances the efficiency of the TLS handshake, saves user verification time, and optimizes HTTPS speed.

To enhance website performance and improve the efficiency of certificate status validation during HTTPS handshakes, you can enable OCSP stapling. The two handshake flows compare as follows.

OCSP Stapling Disabled
1. The client initiates a TLS handshake.
2. EdgeOne responds to the TLS handshake (by returning the certificate).
3. The client initiates an OCSP query.
4. The CA returns the result.

OCSP Stapling Enabled
1. The client initiates a TLS handshake.
2. EdgeOne initiates an OCSP query.
3. The CA returns the result, and EdgeOne caches the result.
4. EdgeOne responds to the TLS handshake (by returning the certificate and OCSP information).

Because the OCSP information is cached on EdgeOne servers, EdgeOne answers subsequent TLS handshakes with the cached result without initiating a new OCSP query.

Scenario 1: Enabling OCSP Stapling for All Domain Names

To enable OCSP stapling for all domain names used to access a site, refer to the following information.

Preparations

You have configured SSL certificates for all domain names used to access the current site as instructed in Certificate Configuration.

Instructions

1. Log in to the EdgeOne console. In the left-hand menu, click on Site List. Within the site list, click on the site you wish to configure to access the site details page.
2. On the site details page, choose Site Acceleration > HTTPS to go to the HTTPS page.
3. On the OCSP stapling configuration card, toggle on the Site-wide setting switch.

Off (default): When a client initiates a TLS handshake, the client must send a certificate verification request to the CA to check the certificate status in real time.
Enabled: EdgeOne sends a certificate verification request to the CA and caches the query result. When the client initiates an HTTPS request to the EdgeOne node, EdgeOne directly responds with the cached certificate status for client verification.

Scenario 2: Enabling OCSP Stapling for Specified Domain Names

To enable OCSP stapling for specified domain names, refer to the following information.

Preparations

You have configured SSL certificates for the specified domain names for which you want to enable OCSP stapling, as instructed in Certificate Configuration.

Instructions

1. Log in to the EdgeOne console. In the left-hand menu, click on Site List. Within the site list, click on the site you wish to configure.
2. On the site details page, click Rule Engine.
3. On the rule engine management page, click Create rule to enter the new rule editing page.
4. On the page that appears, select HOST from Matching type and specify an operator and a value to match the requests of specified domain names.
5. Click on Operation > Selection Box, and from the pop-up operation list, select OCSP Stapling.
6. Click Save and publish to complete the rule configuration.
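After enabling the switch in either scenario, you can confirm from a client that the edge node actually includes a stapled OCSP response in the TLS handshake. The script below is an added example, not part of the EdgeOne documentation; it assumes the openssl command-line tool is installed, and the host name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the EdgeOne documentation.
# Assumes the openssl command-line tool is installed.

# Classify the output of `openssl s_client -status` read from stdin.
# Prints: stapled-good, stapled-revoked, stapled-other, or not-stapled.
classify_ocsp_output() {
    out=$(cat)
    case "$out" in
        *"OCSP Response Status: successful"*)
            case "$out" in
                *"Cert Status: good"*)    echo stapled-good ;;
                *"Cert Status: revoked"*) echo stapled-revoked ;;
                *)                        echo stapled-other ;;
            esac ;;
        *) echo not-stapled ;;
    esac
}

# Connect to a live edge node, asking for a stapled response (-status)
# and sending SNI (-servername) so the domain's own certificate is served.
# Usage: check_stapling www.example.com [443]   (placeholder host name)
check_stapling() {
    host="$1"
    port="${2:-443}"
    printf 'Q\n' | openssl s_client -connect "$host:$port" \
        -servername "$host" -status 2>/dev/null | classify_ocsp_output
}

# Constructed samples of the two outcomes, so the parser can be
# exercised offline without contacting any server.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================'
SAMPLE_NOT_STAPLED='OCSP response: no response sent'
```

A result of not-stapled on a domain you just configured usually means the rule has not been published yet or the request matched a different HOST rule; stapled-revoked means the CA reports the certificate as revoked and it should be replaced.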