OCSP Stapling

OCSP stapling is a performance-improving technology that allows a server to obtain a digitally signed and timestamped OCSP response from the OCSP responder provided by the CA that issued the server certificate.

During the TLS handshake the server may supply this stapled response to the client, so a client that receives the stapled response no longer needs to query the CA's OCSP responder on its own.

OCSP stapling is supported by default since Windows Server 2008; there is no need to enable it manually anywhere. The thing you should know is that OCSP stapling works ONLY for the primary certificate, that is, the certificate bound to the IP address and domain name the certificate is issued for and points to.

After the certificate is installed, you need to explicitly tell the server that the binding using the certificate you want OCSP stapling for does not require Server Name Indication (SNI):

  1. Open IIS Manager and select the website you would like to configure OCSP Stapling for.
  2. Click on Bindings in the left-side menu.

  3. Double-click the entry that has a certificate bound to it.

  4. Uncheck the option Require Server Name Indication.

  5. Click OK and restart IIS.
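The same procedure from PowerShell, as an added example that is not part of the original article: it lists the HTTPS bindings of a site with their SNI flag, recreates the primary binding without the "Require Server Name Indication" flag, restarts IIS, and then checks from the client side whether a stapled OCSP response is actually sent. The site name, host name and port are placeholders; it assumes the WebAdministration module (IIS 8 / Windows Server 2012 or later, where the SslFlags setting exists) and, for the final check, an openssl binary on the PATH.

```powershell
# Added example (not from the original article). Placeholders: $SiteName,
# $HostName, $Port. Assumes the WebAdministration module and, for the
# verification step, openssl on the PATH.
Import-Module WebAdministration

$SiteName = 'Default Web Site'   # placeholder: IIS site to configure
$HostName = 'www.example.com'    # placeholder: host header of the HTTPS binding
$Port     = 443

# 1. Report every HTTPS binding of the site and whether it requires SNI.
#    sslFlags bit 1 = SNI required, bit 2 = central certificate store.
function Get-SniStatus {
    param([string]$Site)
    Get-WebBinding -Name $Site -Protocol https | ForEach-Object {
        [pscustomobject]@{
            Binding    = $_.bindingInformation
            RequireSni = (($_.sslFlags -band 1) -ne 0)
            Thumbprint = $_.certificateHash
        }
    }
}
Get-SniStatus -Site $SiteName | Format-Table -AutoSize

# 2. If the primary binding requires SNI, recreate it with sslFlags 0.
#    This is the scripted equivalent of unchecking "Require Server Name
#    Indication" in the Bindings dialog. The certificate must then be
#    attached to the non-SNI (IP:port) SSL binding again.
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostName
if ($binding -and (($binding.sslFlags -band 1) -ne 0)) {
    $thumbprint = $binding.certificateHash
    Remove-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostName
    New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress '*' `
                   -HostHeader $HostName -SslFlags 0
    Get-Item "Cert:\LocalMachine\My\$thumbprint" |
        New-Item "IIS:\SslBindings\0.0.0.0!$Port" -Force
    Write-Host "Binding for $HostName recreated without the SNI flag."
}

# 3. Restart IIS so the changed binding takes effect.
iisreset

# 4. Verify from the client side (assumes openssl is installed). With the
#    -status option the client asks for a stapled response; the output
#    contains "OCSP Response Status: successful" when the server staples one.
$status = '' | & openssl s_client -connect "${HostName}:${Port}" `
                 -servername $HostName -status 2>&1 | Out-String
if ($status -match 'OCSP Response Status: successful') {
    Write-Host 'Stapled OCSP response received.'
} elseif ($status -match 'OCSP response: no response sent') {
    Write-Host 'No stapled response yet: check the binding, then retry after a moment.'
} else {
    Write-Host 'Could not determine stapling status; inspect the openssl output.'
}
```

Run the check a second time if the first connection after the restart shows no stapled response: IIS fetches the OCSP response from the CA's responder after serving the first handshakes, so an immediate check can report "no response sent" even when the binding is correct.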

Updated 9/23/2019
