OCSP Stapling

Enabling OCSP Stapling on IIS

OCSP stapling is a performance-improving technology that allows a server to obtain a digitally signed and timestamped OCSP response from the OCSP responder operated by the CA that issued the server certificate.

During the TLS handshake the server may supply this stapled response to the client, so a client that receives the stapled response no longer needs to query the CA’s OCSP responder on its own.

OCSP stapling is supported by default since Windows Server 2008; there is no need to enable it manually anywhere. The one thing you should know is that OCSP stapling works ONLY for the primary certificate of the IP address and domain name the certificate is issued for.

After the certificate is installed, you need to explicitly tell the server that the binding holding the certificate you would like OCSP stapling configured for does not require Server Name Indication (SNI):

  1. Open IIS Manager and select the website you would like to configure OCSP Stapling for.
  2. Click on Bindings in the left-side menu.
  3. Double-click on the entry that is bound with a certificate.
  4. Uncheck the option Require Server Name Indication.
  5. Click OK and restart IIS.
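
The scripted equivalent of steps 1 to 5, plus a client-side check that the server really staples, as an added example that is not part of the original article. It assumes the IIS WebAdministration PowerShell module on the server and openssl on the PATH of the machine running the check; the site name, binding string and host name are placeholders.

```powershell
# Added example, not from the original article. Assumes the IIS WebAdministration
# module (Windows Server with IIS) and, for the client check, openssl on PATH.
Import-Module WebAdministration

# Report each HTTPS binding of a site and whether "Require Server Name Indication"
# is set. sslFlags value 1 = Require SNI, value 2 = Centralized Certificate Store.
function Get-SniStatus {
    param([Parameter(Mandatory)][string]$SiteName)
    Get-WebBinding -Name $SiteName -Protocol https | ForEach-Object {
        $flags = [int]$_.sslFlags
        [pscustomobject]@{
            Binding    = $_.bindingInformation   # e.g. "*:443:www.example.com"
            SslFlags   = $flags
            RequireSni = (($flags -band 1) -ne 0)
        }
    }
}

# Scripted equivalent of unchecking "Require Server Name Indication" in step 4:
# clear the SNI flag (value 1) and leave any other flag untouched.
function Disable-SniRequirement {
    param([Parameter(Mandatory)][string]$SiteName,
          [Parameter(Mandatory)][string]$BindingInformation)   # e.g. "*:443:www.example.com"
    $binding = Get-WebBinding -Name $SiteName -Protocol https |
        Where-Object { $_.bindingInformation -eq $BindingInformation }
    if (-not $binding) { throw "No HTTPS binding '$BindingInformation' on site '$SiteName'" }
    $newFlags = ([int]$binding.sslFlags) -band (-bnot 1)
    Set-WebBinding -Name $SiteName -BindingInformation $BindingInformation `
        -PropertyName sslFlags -Value $newFlags
    iisreset | Out-Null   # step 5: restart IIS so the changed binding takes effect
}

# Client-side check: ask for a stapled response during the handshake (-status).
# A stapling server prints "OCSP Response Status: successful (0x0)"; a server
# that does not staple prints "OCSP response: no response sent".
function Test-OcspStapling {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    # 'Q' on stdin makes s_client quit right after the handshake
    $out = 'Q' | & openssl s_client -connect "${HostName}:${Port}" `
        -servername $HostName -status 2>&1
    return [bool]($out | Select-String -Pattern 'OCSP Response Status: successful' -Quiet)
}

# Usage (placeholder names):
# Get-SniStatus -SiteName 'Default Web Site'
# Disable-SniRequirement -SiteName 'Default Web Site' -BindingInformation '*:443:www.example.com'
# Test-OcspStapling -HostName 'www.example.com'
```

Run Get-SniStatus before and after the change to confirm RequireSni has flipped to False on the binding, then Test-OcspStapling from a client to confirm the stapled response is actually sent.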