I have added tracing and see that the OCSP is revoked. I guess my question is, if the certificate is revoked, should Apache deny access to the website? Because it is still allowing access even though the OCSP server mentions that it's revoked.
Is there anything in the docs that implies OCSP stapling does anything but staple the OCSP response so the client can see it?
Did it get added as an extension in the handshake or not?