CRL stands for Certificate Revocation List; it provides the means to check the revocation status of a certificate installed on a website or used to digitally sign a document. CRLs are binary files that contain the serial numbers of revoked certificates and in some cases a revocation reason. Each time a revocation check is performed, the client applications needs the CRL from the Issuing CA. In come cases this may be cached from recent checks, but generally the CRL must be downloaded in full and searched. Over time, the CRLs grow as the number of certificates are revoked and this results in large CRLs and increased latency during the TLS handshake.
OCSP or Online Certificate Status Protocol addresses some of the performance and scalability issues inherent to CRLs. Instead of having to download a full revocation list each time, the OCSP server can be queried like a database for a specific certificate entry. The OCSP response is signed by the CA and contains a status for the certificate.
With OCSP Stapling, the OCSP response for a certificate is pre-fetched by the server and delivered to the client during the TLS handshake. The response is "stapled" within the TLS Handshake. All OCSP responses are digitally signed by a certificate authority and updated at regular intervals. This scenario is more conducive to privacy and performance as there is no need for the client to contact a 3rd party to check revocation status. All the needed information is provided by the server.
OCSP Stapling can be enabled on a range of servers including IIS, Apache, and NGINX. Use the links below for instructions on enabling OCSP Stapling in Apache and NGINX. Use the search bar to find additional articles on OCSP Stapling.