OCSP stapling not enabled - how to turn on?

Hi everyone,

I’m evaluating Cloudflare as a replacement for Akamai using the free tier.

I’ve scanned my domain with both the Qualys and Mozilla Observatory tools.

Both tools say OCSP Stapling is not enabled.

I would like to turn on OCSP Stapling to improve performance, a feature which is described in a number of Cloudflare blog articles.

I checked through all the options in the web portal and also viewed several articles in the community forum. Unfortunately there was no indication of how to do this.

How do I turn on OCSP Stapling?


FYI, here is the output of the command:

echo QUIT | openssl s_client -connect $domain:443 -servername $domain -tls1_2 -tlsextdebug -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'

OCSP response: 
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 3E742D1FCF4575047E3FC0A2873E4C43835113C6
    Produced At: Mar 18 05:51:39 2020 GMT
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 2B0413693DF1D33D7E89CBA055CF204F9C158C9D
      Issuer Key Hash: 3E742D1FCF4575047E3FC0A2873E4C43835113C6
      Serial Number: 0119F6AEBB6E20ED71636FB1DE7B33E2
    Cert Status: good
    This Update: Mar 18 05:51:39 2020 GMT
    Next Update: Mar 25 05:06:39 2020 GMT
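An added example (not from this thread or from Cloudflare) that parses the `openssl s_client -status` output shown above and reports whether the staple is missing, stale, or carries a non-good certificate status, which is the check a monitoring job would run after the scanners' verdict flips. The sample output embedded in it is constructed from the field layout above; the script otherwise reads the live output of the command on stdin.

```python
import re
import sys
from datetime import datetime, timezone

# Constructed sample of the `openssl s_client -status` output the command above
# filters, trimmed to the fields this check needs (values are made up).
SAMPLE_STAPLED = """\
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Mar 18 05:51:39 2020 GMT
    Next Update: Mar 25 05:06:39 2020 GMT
"""
# What openssl prints when the server sends no stapled response at all.
SAMPLE_NOT_STAPLED = "OCSP response: no response sent\n"

OPENSSL_TIME_FMT = "%b %d %H:%M:%S %Y GMT"

def parse_openssl_time(text):
    """Parse openssl's 'Mar 18 05:51:39 2020 GMT' into an aware UTC datetime."""
    return datetime.strptime(text.strip(), OPENSSL_TIME_FMT).replace(tzinfo=timezone.utc)

def field(output, name):
    """Return the value of an indented 'Name: value' line, or None when absent."""
    m = re.search(r"^\s*" + re.escape(name) + r":\s*(.+?)\s*$", output, re.MULTILINE)
    return m.group(1) if m else None

def check_staple(output, now=None):
    """Classify the stapled OCSP response in openssl -status output.

    Returns 'missing' (no staple sent), 'error' (responder did not answer
    successfully), the responder's own status when it is not 'good'
    ('revoked' or 'unknown'), 'stale' (now is outside the This/Next Update
    window) or 'ok'.
    """
    now = now or datetime.now(timezone.utc)
    if "OCSP Response Data:" not in output:
        return "missing"
    if not (field(output, "OCSP Response Status") or "").startswith("successful"):
        return "error"
    cert_status = field(output, "Cert Status")
    if cert_status != "good":
        return cert_status or "unknown"
    this_update = parse_openssl_time(field(output, "This Update"))
    next_update = parse_openssl_time(field(output, "Next Update"))
    return "ok" if this_update <= now < next_update else "stale"

if __name__ == "__main__":
    # Pipe the output of the openssl command above into this script for a live check.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STAPLED
    print(check_staple(data))
```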

Ok, that’s weird - now the Qualys and Observatory scanners are saying the OCSP Stapling is enabled!

Not sure what happened but at least it’s working now.


Side note for any Cloudflare Developers who might be reading…

Enabling “Must Staple” within the Cloudflare SNI certificate would be a nice performance boost.

I noticed a few people asking for this feature, so hoping it can be switched on soon…

