Edge Acceleration
  • Site Acceleration
    • Overview
    • Access Control
      • Token authentication
        • Token Authentication
        • Authentication Method A
        • Authentication Method B
        • Authentication Method C
        • Authentication Method D
        • Authentication Method V
    • Smart Acceleration
    • Cache configuration
      • Overview
      • EdgeOne caching rules introduction
        • Content Cache Rules
        • Cache Key Introduction
        • Vary Feature
      • Cache Configuration
        • Custom Cache Key
        • Node Cache TTL
        • Status Code Cache TTL
        • Browser Cache TTL
        • Offline Caching
        • Cache Prefresh
      • Clear and Preheat Cach
        • Cache Purge
        • URL Pre-Warming
        • Prefetch M3U8
      • How to improve the Cache Hit Rate of EdgeOne
    • File Optimization
      • Content Compression
      • Smart Compression
    • Network Optimization
      • HTTP/2
      • HTTP/3(QUIC)
        • Overview
        • Enable HTTP/3
        • QUIC SDK
          • SDK Overview
          • SDK Download and Integration
          • Sample Code
            • Android
            • iOS
          • API Documentation
            • Android
            • iOS
      • IPv6 Access
      • Maximum Upload Size
      • WebSocket
      • Client IP Geolocation Header
      • Client IP Geographical Location
      • gRPC
      • Network Error Logging
    • URL Rewrite
      • Access URL Redirection
      • Origin-Pull URL Rewrite
    • Modifying Header
      • Modifying HTTP Response Headers
      • Modifying HTTP Request Headers
    • Modify response content
      • HTTP Response
      • Custom Error Page
    • Rules Engine
      • Overview
      • Rule Management
      • variables
      • Supported Matching Types and Actions
    • Image and video processing
      • Audio and Video Pre-pulling
      • Just-in-Time Image Processing
      • Video Just-In-Time Processing
      • VOD Media Origin
    • Speed limit for single connection download
    • Request and Response Actions
      • HTTP Response
      • Processing order
      • Default HTTP Headers of Origin-Pull Requests
      • Default HTTP Response Headers
      • HTTP Restrictions
    • Media Services
      • Audio and Video Pre-pulling
      • Just-in-Time Image Processing
      • Just-in-Time Media Processing
      • VOD Media Origin
  • L4 Proxy
    • Overview
    • Creating an L4 Proxy Instance
    • Modifying an L4 Proxy Instance
    • Disabling or Deleting an L4 Proxy Instance
    • Batch Configuring Forwarding Rules
    • Obtaining Real Client IPs
      • Obtaining Real TCP Client IPs via TOA
      • Obtaining Real Client IPs Through Protocol V1/V2
        • Overview
        • Method 1: Obtaining Real Client IPs Through Nginx
        • Method 2: Parsing Real Client IPs on Application Server
        • Format of Real Client IPs Obtained Through Proxy Protocol V1/V2
      • Transmitting Client Real IP via SPP Protocol
  • Domain name service and origin server configuration
    • Domain Name Services
      • Overview
      • DNS resolution for managed domains
        • Modifying DNS Servers
        • Configuring DNS Records
        • Batch Importing DNS Records
        • Advanced DNS Configuration
      • Access accelerated domains
        • Adding A Domain Name for Acceleration
        • Ownership Verification
        • Modifying CNAME Records
        • Verify Business Access
      • Traffic scheduling
        • Traffic Scheduling Management
    • HTTPS Certificate
      • Overview
      • Edge HTTPS Certificate
        • Overview
        • Deploying/Updating SSL Certificate for A Domain Name
        • Configuring A Free Certificate for A Domain Name
        • Using Keyless Certificate
      • Edge mTLS Authentication
      • Origin Certificate Validation
      • HTTPS configuration
        • Forced HTTPS Access
        • Enabling HSTS
        • SSL/TLS security configuration
          • Configuring SSL/TLS Security
          • TLS Versions and Cipher Suites
        • Enabling OCSP Stapling
      • Related References
        • Using OpenSSL to Generate Self-Signed Certificates
        • Certificate Format Requirements
        • The Difference Between one-way authentication and Mutual authentication
    • Origin Configuration
      • Load Balancing
        • Overview
        • Quickly Create Load Balancers
        • Health Check Policies
        • Viewing the Health Status of Origin Server
        • Related References
          • Load Balancing-Related Concepts
          • Introduction to Request Retry Strategy
      • Origin Group Configuration
      • Origin configuration
        • Origin-Pull Timeout
        • Configuring Origin-Pull HTTPS
        • Host Header Rewrite
        • Controlling Origin-pull Requests
        • Redirect Following During Origin-Pull
        • HTTP/2 Origin-Pull
        • Range GETs
        • Modify Origin
        • Origin-pull Rate Limiting Policy
      • Origin Protection(Obtaining/Updating Origin IP Address Range)
      • Related References
        • ld Version Origin Group Compatible Related Issues
Docs Overview/
Edge Acceleration/
Domain name service and origin server configuration/
HTTPS Certificate/
HTTPS configuration/
Enabling OCSP Stapling/

Enabling OCSP Stapling

Overview

Online Certificate Status Protocol (OCSP) is provided by certificate authorities (CAs) to check the authenticity and validity of digital certificates. Whenever a user accesses a website over HTTPS, the browser initiates an OCSP query to verify whether the certificate of the website is still valid.

When OCSP stapling is enabled, EdgeOne performs OCSP queries and caches the results on servers. When a client initiates a TLS handshake with EdgeOne, EdgeOne responds with the OCSP information and certificate required for verification so that the client does not need to send a query request to the CA. This significantly improves the efficiency of the TLS handshake, reduces the time for verification, and improves the HTTPS request speed.

To enhance website performance and improve the efficiency of certificate status validation during HTTPS handshakes, you can enable OCSP stapling.
OCSP Stapling Disabled
OCSP Stapling Enabled




1. The client initiates a TLS handshake.
2. EdgeOne responds to the TLS handshake (by returning the certificate).
3. The client initiates an OCSP query.
4. The CA returns the result.
1. The client initiates a TLS handshake.
2. EdgeOne initiates an OCSP query.
3. The CA returns the result, and EdgeOne caches the result.
4. EdgeOne responds to the TLS handshake (by returning the certificate and OCSP information).
Because OCSP information is cached on EdgeOne servers, EdgeOne will respond to subsequent query requests without initiating a new OCSP query.

Scenario 1: Enabling OCSP Stapling for All Domain Names

To enable OCSP stapling for all domain names used to access a site, refer to the following information.

Prerequisites

You have configured SSL certificates for all domain names used to access the current site as instructed in Certificate Configuration.

Directions

1. Log in to the Tencent Cloud EdgeOne console, enter Service Overview in the left menu bar, and click the site to be configured under Website Security Acceleration.
2. On the site details page, click Site Acceleration to enter the global site configuration page. Then click HTTPS in the right sidebar.
3. Locate the OCSP stapling configuration card. This protocol is disabled by default. Toggle the switch to enable it.

Off (default): When a client initiates a TLS handshake, the client must send a certificate verification request to the CA to check the certificate status in real-time.
On: EdgeOne sends a certificate verification request to the CA and caches the query results. When a client initiates an HTTPS request to the EdgeOne node, EdgeOne responds to the request by providing the certificate query results.

Scenario 2: Enabling OCSP Stapling for Specified Domain Names

To enable OCSP stapling for specified domain names, refer to the following information.

Prerequisites

You have configured SSL certificates for the specified domain names for which you want to enable OCSP stapling, as instructed in Certificate Configuration.

Directions

1. Log in to the Tencent Cloud EdgeOne console, enter Service Overview in the left menu bar, and click the site to be configured under Website Security Acceleration.
2. On the site details page, click Site Acceleration to enter the global site configuration page. Then click the Rule Engine tab.
3. On the rule engine management page, click Create rule and select Add blank rule.
4. On the page that appears, select HOST from Matching type and specify an operator and a value to match the requests of specified domain names.
5. From the Action drop-down list, select OCSP stapling, click Switch to enable the configuration.

6. Click Save and publish.