Using OCSP Stapling

OCSP stapling is an improved approach to OCSP (Online Certificate Status Protocol) for verifying the revocation status of a certificate. Instead of the browser querying the OCSP responder for the revocation status of the server's certificate, OCSP stapling lets the server pre-fetch the revocation status of its own certificate and deliver it to the browser during the SSL/TLS handshake.

When OCSP stapling is enabled, FortiWeb periodically fetches the revocation status of the specified certificate (the Vserver's certificate) from the OCSP responder and, if the response contains a revocation status, caches that response for a period. The cached response is then delivered together with the certificate during the SSL/TLS handshake when a client establishes an SSL/TLS connection to the Vserver.

To enable OCSP Stapling

1.  Go to System > Certificates > Remote and select an existing policy or create a new one.

2.  Configure the following settings:

Setting         Description
Name            The policy name.
CA Certificate  Select the CA certificate that issued the server certificate to be queried. For details, see Uploading trusted CAs' certificates.
OCSP URL        Specify the URL of the OCSP responder server.
Comments        Type a description of the OCSP stapling policy. The maximum length is 199 characters.

3.  Save the configuration.

4.  Go to Policy > Server Policy and select an existing policy or create a new one.

5.  Select the certificate that you want to query for in the Certificate field, click Enable OCSP Stapling to enable OCSP Stapling, and select the corresponding OCSP stapling policy in the OCSP Stapling Group. For details, see Configuring a server policy.

Because OCSP Stapling is supported only in Reverse Proxy mode, and only for the certificates specified in server policies, SSL/TLS connections to the FortiWeb web UI are not covered.
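To confirm from the client side that a Vserver is actually delivering a stapled response once the server policy is saved, the following added example (not part of the FortiWeb documentation) runs openssl s_client -status against the Vserver and parses its output, reporting whether a staple was sent, whether it says "good", and whether its Next Update has not already passed. It assumes the openssl CLI is on PATH; the host and port are whatever you pass in.

```python
# Added example, not FortiWeb's own code: check from a client that a Vserver
# staples an OCSP response that says "good" and has not expired.
# Assumes the openssl CLI is on PATH; host and port are supplied by the caller.
import re
import subprocess
from datetime import datetime, timezone

OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"  # e.g. "Jan  8 00:00:00 2024 GMT"

def fetch_s_client_output(host, port=443):
    """Run `openssl s_client -status` against host:port and return its text."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-status"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=15)
    return proc.stdout.decode("utf-8", "replace")

def parse_stapled_response(text, now=None):
    """Extract the stapled OCSP fields from s_client output.
    'fresh' is True only if a staple was sent, Cert Status is good, and
    Next Update still lies ahead: a cached staple can go stale."""
    now = now or datetime.now(timezone.utc)
    result = {"stapled": False, "cert_status": None, "next_update": None, "fresh": False}
    if "OCSP Response Data" not in text:  # s_client then prints "no response sent"
        return result
    result["stapled"] = True
    m = re.search(r"Cert Status:\s*(\w+)", text)
    result["cert_status"] = m.group(1) if m else None
    m = re.search(r"Next Update:\s*(.+GMT)", text)
    if m:
        nxt = datetime.strptime(m.group(1).strip(), OPENSSL_TIME)
        result["next_update"] = nxt.replace(tzinfo=timezone.utc)
        result["fresh"] = result["cert_status"] == "good" and result["next_update"] > now
    return result

def check_stapling(host, port=443):
    """Live end-to-end check against a Vserver: fetch, then parse."""
    return parse_stapled_response(fetch_s_client_output(host, port))

# Constructed sample outputs (not captured from a real server).
SAMPLE_FRESH = """OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Jan  1 00:00:00 2099 GMT
    Next Update: Jan  8 00:00:00 2099 GMT
"""
SAMPLE_STALE = SAMPLE_FRESH.replace("2099", "2024")  # Next Update in the past
SAMPLE_NONE = "CONNECTED(00000003)\nOCSP response: no response sent\n"
```

A result with stapled True but fresh False means the Vserver is sending a cached response whose validity window has closed, which clients treat the same as a missing or bad staple.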