
Free OCSP Stapling Checker

Check whether a website enables OCSP stapling to speed up TLS handshakes and protect visitor privacy during certificate revocation checks.

Free and instant. No account or signup needed.

What OCSP stapling solves

Every HTTPS certificate has a lifespan, but a certificate authority can pull it back early if the private key leaks or the certificate was issued by mistake. Browsers need a way to learn about that revocation before they trust a site. The Online Certificate Status Protocol, OCSP, is the answer. It lets a browser ask the certificate authority a simple question, "is this certificate still good?", and get a signed reply.

The classic version of that check has two problems. It is slow, because the browser opens a fresh connection to the authority in the middle of loading a page, and it leaks privacy, because the authority learns which sites a visitor is browsing. Many browsers also fail open, treating an unreachable authority as if the certificate were fine, which weakens the protection it was meant to give.

How stapling makes it faster and more private

OCSP stapling moves the work to the server. The server itself asks the certificate authority for a fresh signed status, caches it, and attaches that staple directly to the TLS handshake. The browser reads the answer it needs from the handshake it was already performing, so there is no second round trip and the certificate authority never sees the visitor at all. The status is still signed by the authority, so the server cannot forge it.

How to enable OCSP stapling

On Nginx, set ssl_stapling on; and ssl_stapling_verify on; inside the server block, then point ssl_trusted_certificate at the full issuer chain so Nginx can verify the staple. On Apache, enable SSLUseStapling on with an SSLStaplingCache defined at the server level, then reload. Once the server is reloaded, run this checker again to confirm a stapled response is being served, and pair it with the SSL/TLS handshake checker for the rest of your TLS configuration.
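
To confirm the staple from your own machine after the reload, here is an added example (not SiteSecurityScore's code) that parses the text `openssl s_client -status` prints and, going a step beyond presence, checks that the stapled status is inside its validity window. The function names and the two sample outputs are constructed for illustration.

```python
import re
import subprocess
from datetime import datetime, timezone

# Constructed samples shaped like `openssl s_client -status` output.
STAPLED = """OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: May  1 12:00:00 2024 GMT
    Next Update: May  8 12:00:00 2024 GMT
"""
NOT_STAPLED = "OCSP response: no response sent\n"

def fetch_status_output(host, port=443, timeout=10):
    """Handshake with host while requesting a staple; return openssl's text."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-status"]
    done = subprocess.run(cmd, input=b"", stdout=subprocess.PIPE,
                          stderr=subprocess.STDOUT, timeout=timeout)
    return done.stdout.decode(errors="replace")

def _when(text, label):
    """Parse a 'This Update' / 'Next Update' timestamp as UTC, or None."""
    m = re.search(rf"{label}:\s*(.+?)\s+GMT", text)
    if not m:
        return None
    stamp = " ".join(m.group(1).split())  # collapse OpenSSL's padded day
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def parse_stapling(text, now=None):
    """Report whether a staple was sent, its cert status, and its freshness."""
    now = now or datetime.now(timezone.utc)
    if "OCSP Response Data" not in text:
        return {"stapled": False, "cert_status": None, "fresh": False}
    m = re.search(r"Cert Status:\s*(\w+)", text)
    this_update = _when(text, "This Update")
    next_update = _when(text, "Next Update")
    # A staple past its Next Update should be treated as missing.
    fresh = bool(this_update and next_update and this_update <= now < next_update)
    return {"stapled": True, "cert_status": m.group(1) if m else None, "fresh": fresh}
```

For a live check, pass `fetch_status_output("your.host")` to `parse_stapling`. A server that has just been reloaded may not send a staple on the first handshake, so run the check again before concluding stapling is off.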

Frequently asked questions

What is an OCSP stapling checker?

An OCSP stapling checker inspects a website's TLS handshake to see whether the server attaches, or staples, a recent certificate revocation status from the certificate authority. SiteSecurityScore checks this live by scanning the URL you enter and reports whether stapling is enabled.

What is OCSP and certificate revocation?

Online Certificate Status Protocol, or OCSP, is how a browser learns whether a certificate is still valid or has been revoked by the certificate authority. Certificates can be revoked early if the private key is compromised or the certificate was issued in error, and revocation checking is how a browser avoids trusting a bad certificate.

Why is OCSP stapling faster and more private?

Without stapling the browser makes its own request to the certificate authority, which adds latency and tells the authority which sites a visitor is browsing. With stapling the server fetches the signed status ahead of time and includes it in the handshake, so the browser gets the answer instantly and never contacts the authority.

How do I enable OCSP stapling?

On Nginx set ssl_stapling on, ssl_stapling_verify on, and point ssl_trusted_certificate at the issuer chain. On Apache enable mod_ssl, add SSLUseStapling on with an SSLStaplingCache, and reload the server. After reloading, run this checker again to confirm the staple is being served.

Does this checker scan a live site?

Yes. Enter a URL and SiteSecurityScore performs a live TLS handshake, reads whether a stapled OCSP response is present, and reports what it found in seconds. No account or signup is required.

Check every layer in one scan

This checker covers one piece. Run a full SiteSecurityScore scan for your security headers, CSP, TLS, DNS, and cookies with a letter grade and copy and paste fixes. No account required.
