Checking that an SSL/TLS certificate has not been revoked adds noticeable time to the first seconds of opening a site. A browser that performs this check live asks the issuing certificate authority (CA) whether the certificate is still valid. The query uses OCSP (Online Certificate Status Protocol) and typically costs 100-300 milliseconds, an extra round trip to a third party before the page can load. OCSP stapling is an excellent technique that reduces this delay almost to zero. Let us examine it in detail.
What is OCSP and how it works
After receiving the certificate, the browser reads the OCSP responder URL from the certificate's Authority Information Access extension and asks that responder, operated by the CA: is this certificate still valid, or has it been revoked? The responder returns a signed response, and if the status is good the browser continues the connection. Browsers cache the answer for its validity period, but the check still repeats for every browser and every site, so popular CAs' responders carry a heavy load and users wait on a round trip before the page loads. The design has two further drawbacks: the CA's responder learns which sites each user visits, and because responders are sometimes slow or unreachable, browsers treat a missing answer as "probably fine" (soft-fail), so an attacker who can block the OCSP query can also hide a revocation.
OCSP stapling principle
With OCSP stapling it is the server, not the browser, that fetches the OCSP response from the CA ahead of time; it then sends the response to the browser "stapled" to the certificate inside the TLS handshake (the status_request extension). The response is signed by the CA and carries a validity window (thisUpdate and nextUpdate), so the server cannot forge or alter it; all it can do is present a fresh one, which it caches and refreshes periodically, commonly every hour or two and in any case before the window expires. The browser verifies the CA's signature locally instead of contacting the CA, which saves the 100-300 ms round trip and also keeps the user's browsing history away from the CA's responder. One caveat: a server that stops refreshing the response simply stops stapling, and browsers then fall back to their own behaviour; only a certificate issued with the OCSP Must-Staple extension (RFC 7633) makes a missing staple a hard failure in browsers that honour it.
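The exchange described in the two sections above, run end to end with a throwaway CA so that it works offline, as an added example that is not part of the original article or of Sayt.uz's tooling. It uses only the openssl command line: the CA issues a leaf certificate, the client builds the OCSP request a browser (or a stapling server) would send, the CA answers from its revocation index with a signed, time-limited response, and the client verifies that signature. The CA name, host name, serial number and dates are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the article or Sayt.uz): a complete OCSP
# request/response exchange run offline with the openssl CLI. All names,
# serials and dates below are made up for the demo.

# ocsp_status STATUS  ->  prints the status a verifying client sees.
# STATUS is V (valid) or R (revoked), the codes used in the index.txt
# format that `openssl ocsp -index` reads.
ocsp_status() {
    st="$1"
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1

        # 1. Throwaway CA and a leaf certificate with serial number 0x1000.
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
            -subj "/CN=Example Test CA" -days 30 >/dev/null 2>&1 || exit 1
        openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
            -subj "/CN=www.example.test" >/dev/null 2>&1 || exit 1
        openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key \
            -set_serial 0x1000 -days 30 -out leaf.pem >/dev/null 2>&1 || exit 1

        # 2. Client side: the OCSP request identifies the certificate by
        #    issuer name hash, issuer key hash and serial; no nonce, exactly
        #    like the requests a stapling server makes.
        openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce \
            -reqout req.der >/dev/null 2>&1 || exit 1

        # 3. CA side: the revocation database (status, expiry, revocation
        #    date, serial, file name, subject) and a response signed with
        #    the CA key, valid for 60 minutes (nextUpdate).
        if [ "$st" = R ]; then
            printf 'R\t350101000000Z\t250101000000Z\t1000\tunknown\t/CN=www.example.test\n' > index.txt
        else
            printf 'V\t350101000000Z\t\t1000\tunknown\t/CN=www.example.test\n' > index.txt
        fi
        openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
            -nmin 60 -reqin req.der -respout resp.der >/dev/null 2>&1 || exit 1

        # 4. Client side again: check the CA signature on the response
        #    (openssl exits 1 if it does not verify) and print the status;
        #    the first stdout line reads "leaf.pem: good" or "leaf.pem: revoked".
        openssl ocsp -respin resp.der -issuer ca.pem -cert leaf.pem -no_nonce \
            -CAfile ca.pem >summary.txt 2>/dev/null || exit 1
        awk 'NR == 1 { print $2 }' summary.txt
    )
    rc=$?
    rm -rf "$d"
    return $rc
}

echo "valid certificate   -> $(ocsp_status V)"
echo "revoked certificate -> $(ocsp_status R)"
```

Running it prints good for the valid entry and revoked for the revoked one. Add -text to the last openssl ocsp call to see the thisUpdate and nextUpdate fields and the CA's signature: those are what bind the status to the CA, and why a server can hand the response on to browsers without being able to lie about it.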
Configuring OCSP stapling in Nginx
To enable it in Nginx, add the following directives to the server block (the paths are placeholders):

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /path/to/fullchain.pem;
    resolver 8.8.8.8 8.8.4.4 valid=300s;

ssl_stapling_verify makes Nginx check the CA's signature on the OCSP response before stapling it, and for that check ssl_trusted_certificate must contain the issuer's intermediate certificate(s) and the root certificate; a Certbot fullchain.pem holds the leaf and the intermediate but not the root, so append the root to the file this directive points at. The file given to ssl_certificate must also include the intermediate, because Nginx reads the issuer from it to build the OCSP request. The resolver is needed because Nginx looks up the responder's hostname from the certificate's AIA URL at run time (valid=300s caps how long that lookup is cached); choose a resolver you trust, since those lookups leave your network. After editing, validate with nginx -t and reload. Note that Nginx fetches the OCSP response lazily, after the first handshake that follows a reload, so the very first connections are served without a staple; a second check a few seconds later shows the real state.
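A way to check the result from outside, as an added example that is not part of the article or of Sayt.uz's tooling: the check_stapling function asks a server for its staple with openssl s_client -status, and summarise_status parses that output. The sample output embedded below is constructed to match the shape openssl prints, and the host name is hypothetical.

```shell
#!/bin/sh
# Added example (not from the article or Sayt.uz): check whether a live
# server staples an OCSP response, plus a parser for the output so the
# result can be exercised offline.

# summarise_status: reads `openssl s_client -status` output on stdin and
# prints one line: "none" when the server sent no staple,
# "stapled:<status>:<next update>" for a successful response, or
# "stapled:unsuccessful" for an error response.
summarise_status() {
    awk '
        /^OCSP response: no response sent/ { none = 1 }
        /OCSP Response Status:/            { resp = $0 }
        /Cert Status:/                     { status = $3 }
        /Next Update:/                     { sub(/^ *Next Update: /, ""); nextup = $0 }
        END {
            if (none || resp == "")        print "none"
            else if (resp ~ /successful/)  print "stapled:" status ":" nextup
            else                           print "stapled:unsuccessful"
        }
    '
}

# check_stapling HOST [PORT]: -status sends the TLS status_request
# extension, which is what makes the server include its cached OCSP
# response. Needs network access, e.g.: check_stapling www.example.test
check_stapling() {
    host="$1"
    port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | summarise_status
}

# Constructed sample output (trimmed) in the shape openssl prints, so the
# parser can be run without a network. Values are made up.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responder Id: CN = Example Test CA
    Produced At: Jan  1 00:00:00 2025 GMT
    Cert Status: good
    This Update: Jan  1 00:00:00 2025 GMT
    Next Update: Jan  8 00:00:00 2025 GMT
======================================'
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'

printf 'stapled sample   -> %s\n' "$(printf '%s\n' "$SAMPLE_STAPLED" | summarise_status)"
printf 'no-staple sample -> %s\n' "$(printf '%s\n' "$SAMPLE_NONE" | summarise_status)"
```

Run check_stapling twice after a reload: because Nginx fetches the response lazily, the first answer after a reload is usually none even when stapling is configured correctly. A good result also shows the Next Update time, which tells you how stale a cached response may get before Nginx has to refresh it.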
Sayt.uz practice
91% of Sayt.uz client sites have OCSP stapling enabled. On our servers stapling is enabled by default and needs no additional setup. With stapling, site loading speed improves by 340 ms on average. For an independent VPS, the setup service costs 50,000 UZS one-time, with monthly monitoring at 25,000 UZS. The average SSL handshake time for our clients is 180 ms, against an industry average of 420 ms.