Contents
What is Online Certificate Status Protocol (OCSP)?
What is OCSP stapling?
How does OCSP stapling work?
Windows Server: How to enable OCSP Stapling
Apache: How to enable OCSP Stapling
NGINX: How to enable OCSP Stapling
What is Online Certificate Status Protocol (OCSP)?
OCSP is an Internet protocol, normally carried over the Hypertext Transfer Protocol (HTTP), used for obtaining the revocation status of an X.509 digital certificate. It was created as an alternative to Certificate Revocation Lists (CRLs).
With OCSP, a relying party submits a certificate status request to an OCSP responder, such as one operated by a Certification Authority (CA), and receives an authentic, digitally signed response indicating the certificate's status. CRLs, on the other hand, are complete lists published at a defined interval, although they can also be published immediately after a certificate revocation. While most OCSP responders get their data from published CRLs, some OCSP responders can receive data directly from the CA's certificate status database and consequently provide near real-time status.
In all cases where an OCSP request is made, the integrity of the signed response depends on the integrity of the OCSP responder's signing key. With OCSP stapling, the server obtains and caches the OCSP response for its own certificate and presents it to clients inside the Transport Layer Security (TLS) handshake, so the client does not have to contact the responder itself.
You can determine whether or not OCSP stapling is enabled by running an SSL/TLS Install check. The status will be listed under Protocols.
When OCSP stapling is enabled, a server pre-fetches the OCSP response for its own certificate and delivers that response to the user's browser during the TLS handshake. This eliminates the need for the browser to make a separate connection to the CA's revocation service before the web page is displayed, improving the page's performance and reliability.
For this process to work, the web server certificate must contain a pointer to the OCSP responder, as per the best practices recommended by the CA/Browser (CA/B) Forum Baseline Requirements.
See below for more information on how to enable OCSP stapling.
Windows Server: How to enable OCSP stapling
1. Check whether OCSP stapling is enabled:
- For Windows Server 2008 and above: OCSP stapling is enabled by default.
- For Windows Server pre-2008: OCSP stapling is not supported.
- Note that if you have Server Name Indication (SNI) set in bindings, it will render OCSP stapling disabled.
2. If OCSP stapling is not supported, you must upgrade to Windows Server 2008+.
3. Check the Windows server's connection to the OCSP server by opening a browser and running an SSL Install check. The status will be listed under Protocols.
If you are unable to connect to the OCSP server, there may be a firewall issue. As per Microsoft:
If the domain controller is behind a firewall, you may have to configure the firewall to explicitly allow outgoing HTTP connections to enable the domain controller to connect to the OCSP responder.
For Apache 2.4.7
1. Confirm that your version of Apache is at least 2.3.3 by entering one of the commands below, depending on your distribution (please note that if you do not have root access you will have to prefix the command with "sudo"):
apache2 -v
httpd -v
2. Check whether OCSP stapling is enabled by running an SSL Install check. The status will be listed under Protocols next to OCSP Must Staple and Revocation Information.
In the above example, OCSP stapling is not enabled.
3. Before OCSP stapling is enabled, you must ensure that the certificate chain is properly installed. To confirm this, return to the SSL Install Check and look at the Chain Issues field. If the certificate chain is properly installed, this field will show None.
4. Configure your Apache server to use OCSP Stapling by adding the below to your site's VirtualHost SSL configuration.
In the .conf file, add the following outside the <VirtualHost></VirtualHost> block:
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
Next, add the following inside the <VirtualHost></VirtualHost> block:
SSLUseStapling On
For example:
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv3 -SSLv2
    SSLCertificateFile /path/to/your_domain_name.crt
    SSLCertificateKeyFile /path/to/your_private.key
    SSLCertificateChainFile /path/to/EntrustCA.crt
    SSLUseStapling on
</VirtualHost>
5. Verify that OCSP stapling is now enabled by running an SSL Install check. Enabled OCSP stapling will display beside the field OCSP Must Staple as "Yes".
For Nginx version 1.3.7+
1. Check your version of Nginx. OCSP stapling is supported by versions 1.3.7+. Run the command below to check your version of Nginx:
nginx -v
2. Check whether OCSP stapling is enabled by running an SSL Install check. The status will be listed under Protocols next to OCSP Must Staple and Revocation Information.
In the above example, OCSP stapling is not enabled.
3. Before OCSP stapling is enabled, you must ensure that the certificate chain is properly installed. To confirm this, return to the SSL Install Check and look at the Chain Issues field. If the certificate chain is properly installed, this field will show None.
4. Configure your Nginx server to enable OCSP Stapling by editing your site's SSL configuration file. Add the following directives inside the "server {}" block:
ssl_stapling on;
ssl_stapling_verify on;
For example:
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /etc/ssl/bundle.crt;
    ssl_certificate_key /etc/ssl/your_domain_name.key;
    ssl_stapling on;
    ssl_stapling_verify on;
}
5. Verify that OCSP stapling is now enabled by running an SSL Install check. Enabled OCSP stapling will display beside the field OCSP Must Staple as "Yes".
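As a command-line alternative to the SSL Install check used in step 5 of the Apache and Nginx procedures above, and to show the stapled response that the introduction describes, here is an added example that is not part of the Entrust article. It assumes the openssl binary is installed; the host name passed to check_stapling is the caller's own, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not from the Entrust article: check whether a TLS server
# staples an OCSP response, using "openssl s_client -status".

# Parse "openssl s_client -status" output read from stdin and print one of
#   stapled:<Cert Status>   (e.g. stapled:good or stapled:revoked)
#   not-stapled
# Exit status is 0 only when a staple is present and its status is "good".
parse_stapling() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
    echo "not-stapled"
    return 1
  fi
  if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
    status=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: *//p' | head -n 1)
    echo "stapled:${status:-unknown}"
    [ "$status" = "good" ]
    return $?
  fi
  echo "not-stapled"
  return 1
}

# Live check (needs network access and the openssl binary); host and port
# are the caller's values, e.g. check_stapling www.example.com 443.
check_stapling() {
  host=$1
  port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" -status \
    </dev/null 2>/dev/null | parse_stapling
}

# Constructed sample outputs, trimmed to the lines the parser looks at.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
======================================'
SAMPLE_REVOKED='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
    Revocation Time: Jan  2 00:00:00 2024 GMT'
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'
```

A "stapled:revoked" result means the staple itself works but the certificate must be replaced; "not-stapled" after enabling the directives usually points to the chain or responder-reachability issues covered in the steps above.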
If you have any questions or concerns, please contact the Entrust Certificate Services Support department for further assistance:
Hours of Operation:
Sunday 8:00 PM ET to Friday 8:00 PM ET
North America (toll free): 1-866-267-9297
Outside North America: 1-613-270-2680 (or see the list below)
NOTE: It is very important that international callers dial the UITF format exactly as indicated. Do not dial an extra "1" before the "800" or your call will not be accepted as a UITF toll-free call.
Country | Number |
Australia | 0011 - 800-3687-7863 / 1-800-767-513 |
Austria | 00 - 800-3687-7863 |
Belgium | 00 - 800-3687-7863 |
Denmark | 00 - 800-3687-7863 |
Finland | 990 - 800-3687-7863 (Telecom Finland) / 00 - 800-3687-7863 (Finnet) |
France | 00 - 800-3687-7863 |
Germany | 00 - 800-3687-7863 |
Hong Kong | 001 - 800-3687-7863 (Voice) / 002 - 800-3687-7863 (Fax) |
Ireland | 00 - 800-3687-7863 |
Israel | 014 - 800-3687-7863 |
Italy | 00 - 800-3687-7863 |
Japan | 001 - 800-3687-7863 (KDD) / 004 - 800-3687-7863 (ITJ) / 0061 - 800-3687-7863 (IDC) |
Korea | 001 - 800-3687-7863 (Korea Telecom) / 002 - 800-3687-7863 (Dacom) |
Malaysia | 00 - 800-3687-7863 |
Netherlands | 00 - 800-3687-7863 |
New Zealand | 00 - 800-3687-7863 / 0800-4413101 |
Norway | 00 - 800-3687-7863 |
Singapore | 001 - 800-3687-7863 |
Spain | 00 - 800-3687-7863 |
Sweden | 00 - 800-3687-7863 (Telia) / 00 - 800-3687-7863 (Tele2) |
Switzerland | 00 - 800-3687-7863 |
Taiwan | 00 - 800-3687-7863 |
United Kingdom | 00 - 800-3687-7863 / 0800 121 6078 / +44 (0) 118 953 3088 |