
Online Certificate Status Protocol (OCSP) Stapling


Contents

What is Online Certificate Status Protocol (OCSP)?
What is OCSP stapling?
How does OCSP stapling work?
Windows Server: How to enable OCSP Stapling
Apache: How to enable OCSP Stapling
NGINX: How to enable OCSP Stapling

What is Online Certificate Status Protocol (OCSP)?

OCSP is an Internet protocol, normally carried over the Hypertext Transfer Protocol (HTTP), used for obtaining the revocation status of an X.509 digital certificate. It was created as an alternative to Certificate Revocation Lists (CRLs).


With OCSP, a relying party submits a certificate status request to an OCSP responder, such as one operated by a Certification Authority (CA), and receives an authentic, digitally signed response indicating the certificate's status. CRLs, on the other hand, are complete lists published at a defined interval, although a CA can also publish a new CRL immediately after revoking a certificate. While most OCSP responders get their data from published CRLs, some can read directly from the CA's certificate status database and consequently provide near real-time status.

What is OCSP stapling?

In all cases where an OCSP request is made, the integrity of the signed response depends on the integrity of the OCSP responder's signing key. OCSP stapling lets the server cache the OCSP response for its own certificate and deliver it to clients inside the Transport Layer Security (TLS) handshake messages exchanged between servers and clients.

How does OCSP stapling work?

You can determine whether or not OCSP stapling is enabled by running an SSL/TLS Install check. The status will be listed under Protocols.

When OCSP stapling is enabled, a server pre-fetches the OCSP response for its own certificate and delivers it to the user's browser during the TLS handshake. This eliminates the need for the browser to make a separate connection to the CA's revocation service before the web page is displayed, improving the page's performance and reliability.

For this process to work, the web server certificate must contain a pointer to the OCSP responder (the Authority Information Access extension), as per the best practices recommended in the CA/Browser (CA/B) Forum Baseline Requirements.

See below for how to enable OCSP stapling on Windows Server, Apache and NGINX.

Windows Server: How to enable OCSP Stapling

1. Check whether your version of Windows Server supports OCSP stapling:

  • Windows Server 2008 and above: OCSP stapling is enabled by default.
  • Windows Server releases before 2008: OCSP stapling is not supported.
  • Note that if Server Name Indication (SNI) is set in the site bindings, OCSP stapling will be disabled.

2. If OCSP stapling is not supported, you must upgrade to Windows Server 2008+.

3. Check the Windows server's connection to the OCSP server by opening a browser and running an SSL Install check. The status will be listed under Protocols.

If you are unable to connect to the OCSP server, there may be a firewall issue. As per Microsoft:

If the domain controller is behind a firewall, you may have to configure the firewall to explicitly allow outgoing HTTP connections to enable the domain controller to connect to the OCSP responder.

Apache: How to enable OCSP Stapling

For Apache 2.4.7

1. Confirm that your version of Apache is at least 2.3.3 by entering the command below (note that if you do not have root access you may need to prefix the command with sudo):

apache2 -v
httpd -v

2. Check whether OCSP stapling is enabled by running an SSL Install check. The status will be listed under Protocols next to OCSP Must Staple and Revocation Information.

(Screenshot: SSL Install check results for a site on which OCSP stapling is not enabled.)

3. Before enabling OCSP stapling, you must ensure that the certificate chain is properly installed. To confirm this, return to the SSL Install check and look at the Chain Issues field. If the certificate chain is properly installed, this field will read None.

4. Configure your Apache server to use OCSP stapling by adding the directives below to your site's SSL configuration.

In the .conf file, add the following outside the <VirtualHost></VirtualHost> block (the stapling cache is a server-wide setting):

SSLStaplingCache shmcb:/tmp/stapling_cache(128000)

Next, add the following inside the <VirtualHost></VirtualHost> block:

SSLUseStapling On

For example:

# Server-wide stapling cache (outside any VirtualHost)
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)

<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv3 -SSLv2

    SSLCertificateFile      /path/to/your_domain_name.crt
    SSLCertificateKeyFile   /path/to/your_private.key
    # Intermediate CA certificate(s); the issuer certificate is needed to build the OCSP request
    SSLCertificateChainFile /path/to/EntrustCA.crt

    # Enable stapling for this virtual host
    SSLUseStapling on
</VirtualHost>

5. Verify that OCSP stapling is now enabled by running an SSL Install check. With OCSP stapling enabled, the OCSP Must Staple field will display "Yes".

NGINX: How to enable OCSP Stapling

For Nginx version 1.3.7+

1. Check your version of NGINX. OCSP stapling is supported by versions 1.3.7 and later. Run the command below to check your version:

nginx -v

2. Check whether OCSP stapling is enabled by running an SSL Install check. The status will be listed under Protocols next to OCSP Must Staple and Revocation Information.

(Screenshot: SSL Install check results for a site on which OCSP stapling is not enabled.)

3. Before enabling OCSP stapling, you must ensure that the certificate chain is properly installed. To confirm this, return to the SSL Install check and look at the Chain Issues field. If the certificate chain is properly installed, this field will read None.

4. Configure your NGINX server to enable OCSP stapling by editing your site's SSL configuration file. Add the following directives inside the server {} block:

ssl_stapling on;
ssl_stapling_verify on;

For example:

server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Certificate bundle (server certificate followed by the intermediate chain)
    ssl_certificate     /etc/ssl/bundle.crt;
    ssl_certificate_key /etc/ssl/your_domain_name.key;

    # Fetch and staple the OCSP response, and verify it before stapling.
    # ssl_stapling_verify needs the issuer and root certificates configured via
    # ssl_trusted_certificate, and a resolver directive is needed if the
    # responder URL uses a hostname.
    ssl_stapling on;
    ssl_stapling_verify on;
}

5. Verify that OCSP stapling is now enabled by running an SSL Install check. With OCSP stapling enabled, the OCSP Must Staple field will display "Yes".
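As an added example (not part of the Entrust article), the following POSIX shell script checks stapling from the command line with openssl s_client -status, complementing the SSL Install check in step 5 of the Apache and NGINX sections and the handshake description under "How does OCSP stapling work?". It assumes the openssl command-line tool is installed; the sample outputs embedded in it are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the Entrust article: detect whether a TLS server
# staples an OCSP response. Assumes the openssl command-line tool is present.

# Classify captured "openssl s_client -status" output:
# "stapled" if the server sent an OCSP response, "none" if it sent nothing.
ocsp_stapling_status() {
    # $1: text captured from "openssl s_client -status"
    if printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    elif printf '%s\n' "$1" | grep -q '^OCSP response: no response sent'; then
        echo none
    else
        echo unknown
    fi
}

# Extract the certificate status (good / revoked / unknown) from a stapled
# response; prints nothing when no response was stapled.
ocsp_cert_status() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Cert Status: //p' | head -n 1
}

# Live check (needs network access): prints "stapled", "none" or "unknown".
# -servername sends SNI, so the check hits the same virtual host a browser would.
check_stapling() {
    host=$1
    port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
                           -status </dev/null 2>/dev/null)
    ocsp_stapling_status "$out"
}

# Constructed sample outputs, modelled on what s_client prints; they are not
# captures from a real server.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================
'
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
'

# Usage: sh check_ocsp.sh your_domain_name [port]
if [ "$#" -gt 0 ]; then check_stapling "$1" "$2"; fi
```

A result of "none" after following the steps above usually means the server could not reach the responder (compare the firewall note in the Windows section) or the issuer certificate is missing from the configured chain.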

If you have any questions or concerns please contact the Entrust Certificate Services Support department for further assistance:

Hours of Operation:

Sunday 8:00 PM ET to Friday 8:00 PM ET

North America (toll free): 1-866-267-9297

Outside North America: 1-613-270-2680 (or see the list below)

NOTE: It is very important that international callers dial the UITF format exactly as indicated. Do not dial an extra "1" before the "800" or your call will not be accepted as a UITF toll-free call.

Country         Number
Australia       0011 - 800-3687-7863 or 1-800-767-513
Austria         00 - 800-3687-7863
Belgium         00 - 800-3687-7863
Denmark         00 - 800-3687-7863
Finland         990 - 800-3687-7863 (Telecom Finland) or 00 - 800-3687-7863 (Finnet)
France          00 - 800-3687-7863
Germany         00 - 800-3687-7863
Hong Kong       001 - 800-3687-7863 (Voice) or 002 - 800-3687-7863 (Fax)
Ireland         00 - 800-3687-7863
Israel          014 - 800-3687-7863
Italy           00 - 800-3687-7863
Japan           001 - 800-3687-7863 (KDD), 004 - 800-3687-7863 (ITJ) or 0061 - 800-3687-7863 (IDC)
Korea           001 - 800-3687-7863 (Korea Telecom) or 002 - 800-3687-7863 (Dacom)
Malaysia        00 - 800-3687-7863
Netherlands     00 - 800-3687-7863
New Zealand     00 - 800-3687-7863 or 0800-4413101
Norway          00 - 800-3687-7863
Singapore       001 - 800-3687-7863
Spain           00 - 800-3687-7863
Sweden          00 - 800-3687-7863 (Telia) or 00 - 800-3687-7863 (Tele2)
Switzerland     00 - 800-3687-7863
Taiwan          00 - 800-3687-7863
United Kingdom  00 - 800-3687-7863, 0800 121 6078 or +44 (0) 118 953 3088