
OCSP Stapling on Stratus

All traffic on Mojo Stratus goes through CloudFront, which already has OCSP stapling enabled, but you may not see this if you test for it. AWS Support explains this succinctly:

Each server in a CloudFront edge location must submit a separate validation request. When CloudFront receives a lot of HTTPS requests for the same domain, every server in the edge location soon has a response from the CA that it can “staple” to a packet in the SSL handshake; when the viewer is satisfied that the certificate is valid, CloudFront can serve the requested object.

If your distribution doesn’t get much traffic in a CloudFront edge location, new requests are more likely to be directed to a server that hasn’t validated the certificate with the CA yet. In that case, the viewer separately performs the validation step and the CloudFront server serves the object. That CloudFront server also submits a validation request to the CA, so the next time it receives a request that includes the same domain name, it has a validation response from the CA.

With this in mind, you are seeing the OCSP staple value as “Not Enabled” in the DigiCert test because you are hitting some edge servers that do not yet have the result cached. When the result is not yet cached, the viewer’s client has the responsibility of making an OCSP request to check the validity, but the CF server also makes a request so it can cache it for future requests. CloudFront by default supports OCSP stapling. No additional configuration is required in order to enable OCSP stapling. The operation to staple the validations is performed per server inside of an edge location of CloudFront.

There are many servers at each edge location, which is why some may have the staple cached and some do not; this all depends on the popularity of your site. Hence, to put it in simple words, OCSP “Not Enabled” indicates not that your CloudFront Distribution or the custom SSL Certificate doesn’t have it, but that at the time of check OCSP stapling wasn’t used, or in other words the request to the root CA was done to verify rather than getting the verification from ‘cache’.

Since CloudFront is a distributed network, it’s not easy to hit the same physical server for a subsequent request in a short period, and once every edge location gets multiple requests it will eventually provide the OCSP Response data. For more details, please refer to the documentation below:
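Because a single check can land on an edge server that has not cached the OCSP response yet, the practical way to verify stapling on a CloudFront-fronted host is to open several independent TLS connections and tally how many of them carried a staple. The following is an added example written for this page, not Mojo Stratus or AWS code. It assumes the `openssl` command-line tool is on your PATH and parses the transcript that `openssl s_client -status` prints; the sample transcripts embedded at the bottom are constructed for the parser and were not captured from a real host.

```python
"""Probe a TLS endpoint repeatedly and report how often the server stapled
an OCSP response.  Added example for this page; not Mojo Stratus or AWS code.

Assumptions (not from the page): the `openssl` CLI is on PATH, and the
marker lines it prints for `s_client -status` are the ones matched below.
"""
import re
import subprocess
from collections import Counter

# Marker lines printed by `openssl s_client -status` for each outcome.
STAPLED_RE = re.compile(r"OCSP Response Status:\s*successful", re.IGNORECASE)
NO_STAPLE_RE = re.compile(r"OCSP response:\s*no response sent", re.IGNORECASE)


def classify_s_client_output(text: str) -> str:
    """Classify one `openssl s_client -status` transcript.

    Returns "stapled" when the server included a successful OCSP response
    in the handshake, "not_stapled" when openssl reports that no response
    was sent, and "unknown" for anything else (handshake failure, etc.).
    """
    if STAPLED_RE.search(text):
        return "stapled"
    if NO_STAPLE_RE.search(text):
        return "not_stapled"
    return "unknown"


def probe_once(host: str, port: int = 443, timeout: int = 15) -> str:
    """Open one TLS connection with SNI and the status_request extension
    and classify whether an OCSP staple came back."""
    cmd = [
        "openssl", "s_client",
        "-connect", f"{host}:{port}",
        "-servername", host,   # SNI: required for a CloudFront custom cert
        "-status",             # ask the server for a stapled OCSP response
    ]
    # s_client reads stdin until EOF; feed an empty stdin so it exits.
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    # The OCSP lines are printed on stdout; connection errors go to stderr.
    return classify_s_client_output(proc.stdout.decode(errors="replace"))


def probe_many(host: str, attempts: int = 10) -> Counter:
    """Run several independent handshakes and tally the outcomes.

    Each new connection may be served by a different server in the edge
    location, so for a low-traffic distribution a mix of "stapled" and
    "not_stapled" is the expected result rather than a misconfiguration.
    """
    return Counter(probe_once(host) for _ in range(attempts))


# Constructed transcripts (not captured from a real host) used to exercise
# the classifier offline.
SAMPLE_STAPLED = """\
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
"""

SAMPLE_NOT_STAPLED = """\
CONNECTED(00000003)
OCSP response: no response sent
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
"""


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: ocsp_probe.py <hostname>")
    print(probe_many(sys.argv[1], attempts=10))
```

Run it as `python ocsp_probe.py www.example.com` (hostname is a placeholder for your own site). If every attempt reports "not_stapled", the distribution's edge servers have not validated the certificate yet; a few "stapled" results among the attempts confirm that stapling is working and that the remaining misses are just uncached servers, which is exactly the behaviour described above.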

OCSP Stapling: