Setting up OCSP Stapling
OCSP stapling speeds up SSL certificate verification by attaching a signed, time-stamped OCSP response for the server certificate to the SSL handshake. This streamlines the process and removes load from both the client and the SSL certificate authority, which no longer has to answer a separate OCSP query for every connection. For more information on OCSP stapling, see our blog.
This article assumes that you already have the necessary certificate files and an OCSP responder.
Set up a Secure Listener
Navigate to WebAdmin console > Configuration > Listeners and add a new listener. Set Secure to Yes. Customize the other settings so that the listener binds the correct IP address and port for the virtual hosts it will be mapped to. Save your changes.
Set up Certificate Files
Edit the new listener. Under the SSL tab, in the SSL Private Key & Certificate section, enter the paths to your certificate and private key files.
Set the OCSP Values
Still in the SSL tab, navigate to the OCSP Stapling section. Set Enable OCSP Stapling to Yes. Set OCSP Responder to the address of your OCSP responder. The server may be able to find it in your CA certificate, but it is better to set it explicitly. Your certificate authority (CA) can tell you your OCSP responder's address.
Perform a graceful restart to apply your changes.
Did It Work?
Look in $SERVER_ROOT/temp/ocspcache/ to see whether a file has been created there. If it has, your OCSP stapling is working. If not, check your error logs to see what went wrong.
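A cache file shows the server fetched a response; to confirm that a client actually receives it, here is an added example (not part of this article or of the LiteSpeed product) that wraps `openssl s_client -status` and classifies the result. The hostname www.example.test and the embedded sample output are constructed, and `openssl` is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not LiteSpeed's own code): confirm from the client side that a
# secure listener really staples an OCSP response. Assumes `openssl` is on PATH.

# Classify captured `openssl s_client -status` output. Prints one of
# "stapled:good", "stapled:revoked", "stapled:<other>" or "missing"; exits 0 only
# for a good stapled response.
classify_ocsp_output() {
    out="$1"
    # A listener with nothing in ocspcache yields "OCSP response: no response sent".
    if ! printf '%s\n' "$out" | grep -q '^ *OCSP Response Status: successful'; then
        echo "missing"
        return 1
    fi
    status=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: *\([a-z]*\).*/\1/p' | head -n 1)
    case "$status" in
        good) echo "stapled:good"; return 0 ;;
        "")   echo "stapled:unknown"; return 1 ;;
        *)    echo "stapled:$status"; return 1 ;;
    esac
}

# Live check: connect with SNI so the right virtual host's certificate is served,
# request the stapled response (-status) and classify the answer.
check_ocsp_stapling() {
    host="$1"; port="${2:-443}"
    out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null)
    classify_ocsp_output "$out"
}

# Constructed sample of what a listener with an empty ocspcache returns, so the
# parser can be exercised without a server.
SAMPLE_NO_STAPLE='CONNECTED(00000003)
OCSP response: no response sent
depth=0 CN = www.example.test'

if [ -n "${1:-}" ]; then
    check_ocsp_stapling "$1" "${2:-443}"        # e.g. ./check.sh www.example.test 443
else
    classify_ocsp_output "$SAMPLE_NO_STAPLE" || true   # prints "missing"
fi
```

A "missing" result right after the graceful restart can simply mean the first responder fetch has not completed yet; retry after a few seconds before treating it as a configuration error.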