OCSP Stapling

OCSP stapling is a performance-improving technique in which the server itself obtains a digitally signed and timestamped OCSP response from the OCSP responder of the CA that issued the server certificate.

During the TLS handshake the server can supply this stapled response to the client, so a client that receives it no longer needs to query the CA's OCSP responder on its own.

OCSP stapling is supported by default since Windows Server 2008; there is no need to enable it manually. The thing you should know is that OCSP stapling works ONLY for the primary certificate for the IP address and domain name the certificate is issued for/pointed to.

After the certificate is installed, you need to explicitly tell the server that the certificate you want OCSP stapling configured for does not require Server Name Indication (SNI):

  1. Open "IIS Manager" and select the website you would like to configure OCSP stapling for
  2. Click on "Bindings" in the right-hand "Actions" pane

  3. Double-click on the entry that is bound with a certificate

  4. Uncheck the option "Require Server Name Indication"

  5. Click "OK" and restart IIS
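The same check and change from the command line, as an added example that is not part of the original article: the script audits the HTTPS bindings of an IIS site for the "Require Server Name Indication" flag (the option unchecked in step 4) and clears only that bit, leaving other binding flags intact. It assumes an elevated PowerShell session on the IIS host with the WebAdministration module that ships with IIS; the site name and host header in the usage lines are placeholders.

```powershell
# Added example (not from the original article): audit IIS HTTPS bindings for the
# "Require Server Name Indication" flag and clear it on a chosen binding.
# Assumes an elevated session on the IIS host with the WebAdministration module.
Import-Module WebAdministration

# sslFlags is a bit field on each binding:
#   1 = Require Server Name Indication
#   2 = use the Centralized Certificate Store
$SniFlag = 1

function Get-SniRequirement {
    # Lists every HTTPS binding of the site with its SNI requirement.
    param([Parameter(Mandatory)][string]$SiteName)
    Get-WebBinding -Name $SiteName -Protocol 'https' | ForEach-Object {
        [pscustomobject]@{
            Site        = $SiteName
            Binding     = $_.bindingInformation      # "IP:port:hostheader"
            Thumbprint  = $_.certificateHash
            RequiresSni = ([int]$_.sslFlags -band $SniFlag) -ne 0
        }
    }
}

function Clear-SniRequirement {
    # Clears the SNI bit on one binding; other flag bits are preserved.
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][string]$BindingInformation   # e.g. '*:443:www.example.com'
    )
    $binding = Get-WebBinding -Name $SiteName -Protocol 'https' |
        Where-Object { $_.bindingInformation -eq $BindingInformation }
    if (-not $binding) {
        throw "No HTTPS binding '$BindingInformation' on site '$SiteName'"
    }
    $newFlags = [int]$binding.sslFlags -band (-bnot $SniFlag)
    Set-WebBinding -Name $SiteName -BindingInformation $BindingInformation `
        -PropertyName 'sslFlags' -Value $newFlags
}

# Usage. 'Default Web Site' and 'www.example.com' are placeholders.
Get-SniRequirement -SiteName 'Default Web Site' | Format-Table -AutoSize

# Uncomment to clear the flag and then restart IIS (step 5) so the change takes effect:
# Clear-SniRequirement -SiteName 'Default Web Site' -BindingInformation '*:443:www.example.com'
# iisreset /restart
```

After the restart, a stapled response can be confirmed from any machine with OpenSSL: `openssl s_client -connect www.example.com:443 -servername www.example.com -status` prints `OCSP Response Status: successful (0x0)` when the server staples, and `OCSP response: no response sent` when it does not. The first successful staple can lag by a few minutes, since Windows fetches the OCSP response from the CA asynchronously after the first client connection.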
