OCSP stapling refresh times

How often does Let's Encrypt update stapling data for the certs it signs? Based on certs I have provisioned from Let's Encrypt, I see that stapling data is updated roughly every 3 days and lasts for 7 days. Is this correct?


I think the only "promise" about OCSP timing is the constraints listed in the Certificate Policy, section 4.9.10:

  1. OCSP responses MUST have a validity interval greater than or equal to eight hours;
  2. OCSP responses MUST have a validity interval less than or equal to ten days;
  3. For OCSP responses with validity intervals less than sixteen hours, then the CA SHALL update the information provided via an Online Certificate Status Protocol prior to one-half of the validity period before the nextUpdate.
  4. For OCSP responses with validity intervals greater than or equal to sixteen hours, then the CA SHALL update the information provided via an Online Certificate Status Protocol at least eight hours prior to the nextUpdate, and no later than four days after the thisUpdate.

But I think the times you're seeing, of 7-day-signing updated every 3 days, are "typical".

I am really far from being an expert, or even being an informed amateur, on OCSP, though.

Dare I ask what you're planning on doing with this information? I thought that OCSP responses included information on when to expect a next update.

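The four rules quoted above can be turned into a small check that tells you, for a given staple, whether its validity interval is within policy and by when the CA must have published a newer response. The following is an added example, not code from this thread or from Let's Encrypt; the timestamps in it are constructed sample values (a 7-day window like the one described in the question), and the `thisUpdate`/`nextUpdate` inputs would in practice come from a real response, e.g. the output of `openssl ocsp -respin staple.der -resp_text`.

```python
"""Check an OCSP response's thisUpdate/nextUpdate window against the
section 4.9.10 rules quoted above, and compute the latest moment at which
the CA must have issued a replacement response.

All timestamps used at the bottom are constructed sample values, not taken
from any real Let's Encrypt response.
"""
from datetime import datetime, timedelta, timezone

MIN_VALIDITY = timedelta(hours=8)        # rule 1: validity >= 8 hours
MAX_VALIDITY = timedelta(days=10)        # rule 2: validity <= 10 days
SHORT_INTERVAL = timedelta(hours=16)     # boundary between rule 3 and rule 4
LEAD_BEFORE_NEXT = timedelta(hours=8)    # rule 4: refresh >= 8h before nextUpdate
MAX_AGE_AFTER_THIS = timedelta(days=4)   # rule 4: refresh <= 4 days after thisUpdate


def check_ocsp_window(this_update: datetime, next_update: datetime) -> dict:
    """Return the validity length, any rule violations, and the latest
    time by which a compliant CA must have published a newer response."""
    validity = next_update - this_update
    problems = []
    if validity < MIN_VALIDITY:
        problems.append("validity interval shorter than 8 hours (rule 1)")
    if validity > MAX_VALIDITY:
        problems.append("validity interval longer than 10 days (rule 2)")

    if validity < SHORT_INTERVAL:
        # Rule 3: a new response is due before half of the validity period
        # remains, i.e. no later than nextUpdate - validity/2.
        latest_refresh = next_update - validity / 2
    else:
        # Rule 4: a new response is due at least 8h before nextUpdate AND no
        # later than 4 days after thisUpdate; the earlier deadline binds.
        latest_refresh = min(next_update - LEAD_BEFORE_NEXT,
                             this_update + MAX_AGE_AFTER_THIS)

    return {
        "validity": validity,
        "latest_refresh": latest_refresh,
        "problems": problems,
        "compliant": not problems,
    }


def staple_state(this_update: datetime, next_update: datetime, now: datetime) -> str:
    """Classify the staple a server is currently serving at time `now`.

    'expired'                 - past nextUpdate; clients will reject it
    'newer-response-expected' - still valid, but the CA is required to have
                                published a replacement by now, so a server
                                still serving this one is refreshing too slowly
    'fresh'                   - within the window in which this response is
                                the expected current one
    """
    if now >= next_update:
        return "expired"
    if now >= check_ocsp_window(this_update, next_update)["latest_refresh"]:
        return "newer-response-expected"
    return "fresh"


if __name__ == "__main__":
    # Constructed sample: a 7-day response window starting 2024-01-01 00:00 UTC.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    result = check_ocsp_window(t0, t0 + timedelta(days=7))
    print("validity:", result["validity"])
    print("latest compliant refresh:", result["latest_refresh"].isoformat())
    print("compliant:", result["compliant"], result["problems"])
    # A server refreshing every 3 days stays ahead of the 4-day deadline above.
    for day in (3, 5, 8):
        print(f"day {day}:", staple_state(t0, t0 + timedelta(days=7), t0 + timedelta(days=day)))
```

For a 7-day window the binding deadline is rule 4's "no later than four days after thisUpdate", so a refresh roughly every 3 days, as observed in the question, fits with a day of margin; the 8-hours-before-nextUpdate bound only becomes the tighter one for windows shorter than 4 days 8 hours.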

Thanks for the response! I'm interested in the cadence at which stapling data is created because I work with some software that uses the stapling data, and would like to know how often I should expect to see that stapling data change.

