---
checkId: check.timestamp.ocsp.stapling
plugin: stellaops.doctor.timestamping
severity: warn
tags: [timestamping, ocsp, stapling, revocation]
---
# OCSP Stapling Enabled

## What It Checks
Checks whether TSA OCSP stapling is configured and fresh. The check:

- Queries the stapling status provider for all TSA providers.
- Reports which providers have OCSP stapling enabled or disabled.
- Fails if all providers have stapling disabled. Warns if some are disabled.
- Reports degraded if no stapling status data is available.

## Why It Matters
OCSP stapling embeds the OCSP response directly in the TLS handshake or timestamp token, eliminating the need for clients to perform live OCSP lookups. This is critical for air-gapped deployments where live OCSP lookups are impossible, and improves performance for all deployments.

## Common Causes
- OCSP stapling not configured for TSA providers
- Stapling status monitoring not set up
- TSA provider does not support stapling

## How to Fix

### Docker Compose
Enable OCSP stapling in TSA provider configuration:

```yaml
environment:
  Timestamping__OcspStapling__Enabled: "true"
```

### Bare Metal / systemd
Configure OCSP stapling in `appsettings.json` and ensure TSA providers support it.

### Kubernetes / Helm
```yaml
timestamping:
  ocspStapling:
    enabled: true
```

## Verification
```
stella doctor run --check check.timestamp.ocsp.stapling
```

## Related Checks
- `check.timestamp.ocsp.responder` — checks OCSP responder availability
- `check.timestamp.evidence.tst.missing-stapling` — detects timestamps without stapled data
- `check.timestamp.revocation.cache-fresh` — checks revocation cache freshness