picture of tbs certificates
picture of tbs certificates
Our products range

OCSP stapling: How to provide a certificate's validity attestation during the connection?

When a browser (a TLS client) enables a SSL connection, it checks the validity of the server certificate. This validation is ran by the browser that questions an OCSP (Online Certificate Status Protocol) server managed by the certification authority.

This mechanism provides an acceptable security level (even if there are issues linked to the protocol implementation) but has several flaws such as having to enable a communication with the certification authority (not always a possibility in some organization infrastructure).

To prevent it, OCSP stapling mechanism (described in RFC 4366) allows the TLS server to act like a proxy (intermediary) and to supply an OCSP confirmation during the TLS connection.

Deployment on servers and browsers is uneven, but if you do have a compatible server it can improve your users experience.

Servers compatible with OCSP-stapling

Browsers compatible with OCSP-stapling

  • Chrome 12+ under Windows
  • Internet Explorer 9+ under Vista and higher
  • Opera v11+

Test your certificate

On your certificate status page you can consult your certificate status: if it has been revoked for example (by whom and on which date). You'll also see a 'check your certificate' button to know if your certificate has correctly been installed.

CO-piBOT, our testing tool, connects to your HTTPS website, enables a SSL session and analyzes the results.
You can use this tool on other protocols as well (SMTPs, HTTPs, IMAPs, POPs, ...).

 COpiBOT is also freely available on this page.