diff --git a/wpa_supplicant/README-HS20 b/wpa_supplicant/README-HS20
index c8a00e284..b6f067356 100644
--- a/wpa_supplicant/README-HS20
+++ b/wpa_supplicant/README-HS20
@@ -265,6 +265,11 @@ Credentials can be pre-configured for automatic network selection:
 #	req_conn_capab=17:500
 #	req_conn_capab=50
 #
+# ocsp: Whether to use/require OCSP to check server certificate
+#	0 = do not use OCSP stapling (TLS certificate status extension)
+#	1 = try to use OCSP stapling, but not require response
+#	2 = require valid OCSP stapling response
+#
 # for example:
 #
 #cred={
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index 9394a9c11..da9580e94 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -2556,6 +2556,11 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
 	if (os_strcmp(var, "req_conn_capab") == 0)
 		return wpa_config_set_cred_req_conn_capab(cred, value);
 
+	if (os_strcmp(var, "ocsp") == 0) {
+		cred->ocsp = atoi(value);
+		return 0;
+	}
+
 	val = wpa_config_parse_string(value, &len);
 	if (val == NULL) {
 		wpa_printf(MSG_ERROR, "Line %d: invalid field '%s' string "
diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h
index a981ca942..de4397060 100644
--- a/wpa_supplicant/config.h
+++ b/wpa_supplicant/config.h
@@ -279,6 +279,15 @@ struct wpa_cred {
 	unsigned int num_req_conn_capab;
 	u8 *req_conn_capab_proto;
 	int **req_conn_capab_port;
+
+	/**
+	 * ocsp - Whether to use/require OCSP to check server certificate
+	 *
+	 * 0 = do not use OCSP stapling (TLS certificate status extension)
+	 * 1 = try to use OCSP stapling, but not require response
+	 * 2 = require valid OCSP stapling response
+	 */
+	int ocsp;
 };
 
 
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index 436204be4..850a6cf9d 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -828,6 +828,9 @@ static void wpa_config_write_cred(FILE *f, struct wpa_cred *cred)
 	if (cred->max_bss_load)
 		fprintf(f, "\tmax_bss_load=%u\n",
 			cred->max_bss_load);
+
+	if (cred->ocsp)
+		fprintf(f, "\tocsp=%d\n", cred->ocsp);
 }
 
 
diff --git a/wpa_supplicant/interworking.c b/wpa_supplicant/interworking.c
index b5d1b7111..fcfa63970 100644
--- a/wpa_supplicant/interworking.c
+++ b/wpa_supplicant/interworking.c
@@ -1420,6 +1420,8 @@ static int interworking_set_eap_params(struct wpa_ssid *ssid,
 				  cred->domain_suffix_match) < 0)
 		return -1;
 
+	ssid->eap.ocsp = cred->ocsp;
+
 	return 0;
 }
 
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 78dbd0939..442b44cbb 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -478,6 +478,11 @@ fast_reauth=1
 #	req_conn_capab=17:500
 #	req_conn_capab=50
 #
+# ocsp: Whether to use/require OCSP to check server certificate
+#	0 = do not use OCSP stapling (TLS certificate status extension)
+#	1 = try to use OCSP stapling, but not require response
+#	2 = require valid OCSP stapling response
+#
 # for example:
 #
 #cred={