What is OCSP Stapling?
To understand OCSP Stapling, you first need to know about OCSP. OCSP, the Online Certificate Status Protocol, is an internet protocol that checks the revocation status of a certificate in real time. It is an alternative to CRLs (Certificate Revocation Lists). It is described in RFC 2560 - http://datatracker.ietf.org/doc/rfc2560/
OCSP is a real-time check of the status of a certificate and is fundamental in the design of Extended Validation SSL certificates.
When a user makes an https:// connection with your web server, their browser normally performs an OCSP check with the CA that issued the SSL certificate to confirm that the certificate has not been revoked. In some cases, this may create a momentary delay in the SSL handshake.
OCSP Stapling improves performance by placing a digitally signed and time-stamped OCSP response directly on the web server. This stapled OCSP response is refreshed at predefined intervals set by the CA. Stapling allows the web server to include the OCSP response in the initial SSL handshake, so the user's browser does not need to make a separate external connection to the CA.
OCSP Stapling is outlined in RFC 6066 - http://datatracker.ietf.org/doc/rfc6066/
Note: When enabling and/or configuring OCSP Stapling on your servers, keep in mind that the OCSP request from your server to the CA must be allowed through your firewall, otherwise the server cannot obtain or refresh the response it staples.
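The following is an added example, not part of the original article: a small POSIX shell script that checks whether a server is actually stapling, by classifying the output of `openssl s_client -status`. It assumes OpenSSL is installed; the two sample outputs embedded at the bottom are constructed and trimmed to the lines the functions read.

```shell
#!/bin/sh
# Added example: verify OCSP stapling from `openssl s_client -status` output.
# A stapling server sends the CA-signed response inside the TLS handshake, so
# s_client prints "OCSP Response Data:" with a "Cert Status:" line; a server
# that does not staple prints "OCSP response: no response sent".

# Read s_client output on stdin and print one word:
#   not-stapled       no response in the handshake (browser must ask the CA itself)
#   stapled-good      stapled response present, certificate not revoked
#   stapled-revoked / stapled-unknown   stapled response with that status
#   stapled-unparsed  a response was sent but no "Cert Status:" line was found
classify_stapling() {
    sc_out=$(cat)
    case "$sc_out" in
        *"OCSP response: no response sent"*) echo "not-stapled"; return 0 ;;
    esac
    sc_status=$(printf '%s\n' "$sc_out" |
        sed -n 's/^[[:space:]]*Cert Status: *\([a-z]*\).*/\1/p' | head -n 1)
    if [ -n "$sc_status" ]; then
        echo "stapled-$sc_status"
    else
        echo "stapled-unparsed"
    fi
}

# Print the "Next Update:" time of the stapled response (empty if none). The
# server must fetch a fresh response from the CA before this time passes, or
# clients receive a stale staple; that fetch is the outbound request the
# firewall note above refers to.
next_update() {
    sed -n 's/^[[:space:]]*Next Update: *//p' | head -n 1
}

# Query a live host. -servername sends SNI; without it many servers present a
# default certificate and no staple, giving a misleading "not-stapled".
check_host() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -status \
        </dev/null 2>/dev/null | classify_stapling
}

# Constructed sample outputs, trimmed to the lines the functions look at.
SAMPLE_STAPLED='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT'
SAMPLE_NONE='OCSP response: no response sent
CONNECTED(00000003)'

printf '%s\n' "$SAMPLE_STAPLED" | classify_stapling   # stapled-good
printf '%s\n' "$SAMPLE_NONE" | classify_stapling      # not-stapled
```

Run `check_host www.example.com` (a placeholder hostname) to test a real server; anything other than `stapled-good` means browsers are falling back to their own OCSP lookup.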
Opera - Version 8.0 and above
Firefox - Enabled by default in version 3.0 and above
Internet Explorer - Enabled by default in version 7.0 and above
Safari - Enabled by default in Mac OS X 10.7 and above
Google Chrome - Enabled by default
Windows Server 2008 - Kerberos client will request OCSP stapling when using PKINIT by default
NSS (Network Security Services) - Included in version 3.15 and above
OpenSSL - Included in version 0.9.8h and above
Whether OCSP Stapling is supported for a given server platform is noted at the end of each certificate installation knowledge base article.