I just installed my first Let’s Encrypt certificates and appreciate that it was all free.
Unfortunately, I’m running across a substantial performance bottleneck with initial page load time when using browsers that check for certificate revocation (e.g. IE). All day today at least, I’ve seen IE11 wait 4-6 seconds after issuing OCSP requests to isrg.trustid.ocsp.identrust.com (the root CA) for a response. You can see the results on WebPageTest.org for my website: http://www.webpagetest.org/result/160613_08_1CKW/1/details/
I enabled OCSP Stapling for my website but that only keeps the browser from querying the Let’s Encrypt CA (ocsp.int-x3.letsencrypt.org). I don’t know if this is possible, but could the Let’s Encrypt CA likewise enable OCSP stapling so that the client wouldn’t have to query the root CA? Eliminating that single request by the browser would be a HUGE improvement in performance.
And just in case the answer is no, I may consider looking for a certificate issued through a chain with a faster root CA. Does anyone know if there is a site that tracks performance of OCSP requests to root CAs so I can compare?
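The behaviour described in this post comes from how OCSP is wired into a certificate chain: every certificate carries its own responder URL in its Authority Information Access (AIA) extension, and the standard TLS stapling extension (status_request) lets the server attach a response only for the leaf. The browser therefore still fetches the intermediate's status from the URL inside the intermediate certificate, which is the responder operated by the root CA. The script below is an added example, not code from this thread or from Let's Encrypt; it builds a throwaway root -> intermediate -> leaf chain with placeholder responder hosts under example.test (assumptions, not real servers), lists the responder each certificate points to, and counts how many distinct responders a client would have to contact when only the leaf is stapled. The `stapling_status` helper is the check to run against a live site (it needs network access and is not run here).

```shell
#!/bin/sh
# Added example (not part of the original post). Demonstrates that OCSP
# responder URLs are per-certificate, so stapling the leaf does not remove the
# browser's request for the intermediate's status. Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# gen_cert NAME SUBJECT ISSUER OCSP_URL
# Writes $WORK/NAME.pem signed by $WORK/ISSUER.{pem,key} (self-signed when
# ISSUER is empty). OCSP_URL, if non-empty, is embedded as the AIA responder.
gen_cert() {
  name=$1; subject=$2; issuer=$3; ocsp=$4
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
    -subj "$subject" -out "$WORK/$name.csr" 2>/dev/null
  if [ "$name" = leaf ]; then
    echo "basicConstraints = CA:FALSE" > "$WORK/$name.ext"
  else
    echo "basicConstraints = CA:TRUE" > "$WORK/$name.ext"
  fi
  if [ -n "$ocsp" ]; then
    echo "authorityInfoAccess = OCSP;URI:$ocsp" >> "$WORK/$name.ext"
  fi
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 1 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -days 1 \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# build_demo_chain: constructed three-tier chain. The root has no AIA (roots
# usually don't); the intermediate points at the root CA's responder and the
# leaf at the intermediate CA's responder. Prints the path of the bundle a
# server would send (leaf + intermediate).
build_demo_chain() {
  gen_cert root "/CN=Demo Root CA" "" ""
  gen_cert intermediate "/CN=Demo Intermediate CA" root \
    "http://ocsp.root.example.test"
  gen_cert leaf "/CN=www.example.test" intermediate \
    "http://ocsp.int.example.test"
  cat "$WORK/leaf.pem" "$WORK/intermediate.pem" > "$WORK/chain.pem"
  echo "$WORK/chain.pem"
}

# ocsp_responder_of PEM: the OCSP URL from the certificate's AIA extension
# (empty when the certificate has none).
ocsp_responder_of() {
  openssl x509 -in "$1" -noout -ocsp_uri
}

# chain_responders BUNDLE: one "<subject>\t<ocsp-url>" line per certificate.
chain_responders() {
  rm -f "$WORK"/chain_*.pem
  awk -v dir="$WORK" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/chain_" n ".pem" }
    { print > f }' "$1"
  for f in "$WORK"/chain_*.pem; do
    subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
    uri=$(ocsp_responder_of "$f")
    printf '%s\t%s\n' "$subj" "${uri:-(none)}"
  done
}

# distinct_responders BUNDLE: number of different responders a client that
# gets no stapled responses would need to contact for this bundle.
distinct_responders() {
  chain_responders "$1" | cut -f2 | sort -u | wc -l | tr -d ' '
}

# verify_demo_chain: confirms the constructed chain actually validates.
verify_demo_chain() {
  openssl verify -CAfile "$WORK/root.pem" \
    -untrusted "$WORK/intermediate.pem" "$WORK/leaf.pem" >/dev/null
}

# stapling_status HOST: live check (network); succeeds when the server staples
# an OCSP response for its leaf certificate. Not exercised offline.
stapling_status() {
  openssl s_client -connect "$1:443" -servername "$1" -status </dev/null \
    2>/dev/null | grep -q "OCSP Response Status: successful"
}

CHAIN=$(build_demo_chain)
chain_responders "$CHAIN"
```

Running it prints two lines, one per certificate in the bundle, each with a different responder, and `distinct_responders` reports 2: even with the leaf's response stapled, the second responder (the one listed in the intermediate) is still contacted by a revocation-checking client unless it already has a cached response for that intermediate.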