Contact us at |support@ssldragon.com
  • OCSP Stapling

What is OCSP Stapling and How to Use It?

Thursday, August 15th, 2019

SSL certificates can flawlessly secure sensitive data and provide bulletproof encryption to your online customers. Unfortunately, when something goes wrong with a certificate, it leads to big trouble. Browsers flag your website as Not Secure, you lose visitors, and to make things worse, cyber-thieves can use MITIM attacks to steal personal information.

A valid SSL certificate signed by a trusted Certificate Authority is mandatory today for all websites. If your certificate has expired or it has been revoked, browsers will not trust it anymore. Browsers use the Online Certificate Status Protocol (OCSP) to determine the validity of your SSL certificate. However, the original OCSP has a few shortcomings, which OCSP stapling technology successfully overcomes.

OCSP Stapling issues and the need for a solution

When you access an HTTPS website, your browser checks the status of your digital certificate. To confirm your cert is still valid the browser uses OCSP to contact its issuer, i.e., the Certificate Authority. Since the CA is the only entity that holds crucial info about the SSL certificate, it must answer to a large number of OCSP requests in real-time, especially from websites with high traffic. 

Financially, this is a cost-consuming practice for the CA, but the end-users are affected as well since each OCSP request slows down the loading speed. With plain OCSP, browsers have to enquire about the certificate from the webserver and the Certificate Authority. OCSP stapling simplifies the whole process.

How OCSP Stapling Works

OCSP stapling improves the OCSP protocol by letting the webserver instead of the browser query the CA on the status of SSL certificate. When the webserver contacts the SSL vendor, the CA delivers a highly secure digitally time-stamped response. Now, when the webserver connects to a browser, it binds the signed time-stamp with the SSL certificate, making the verification quicker. Instead of reaching to the CA, the browser verifies the server’s time stamp, and since it forms a reliable CA, trusts the Certificate.

OCSP stapling significantly improves the loading time of secure content and guarantees security and privacy of user data. The majority of web browsers and server platforms support OCSP stapling. Below, we’ve provided instructions for enabling OCSP stapling on the ever-popular Windows, Apache and Nginx servers.

Enable OCSP Stapling on Windows

OCSP stapling is enabled by default on Windows Server 2008 and later versions. If you’re running an earlier Windows Server release, OCSP won’t be available. Please, update to Windows 2008 or later.

Enable OCSP Stapling on Apache

Apache supports OCSP stapling starting from Apache HTTPD Server 2.3.3+. If you don’t know which version you’re running, use the following commands: apache2 –v, httpd –v.

Next, check if OCSP is enabled. Follow the steps below:

  1. In OpenSSL, enter the following command:
    openssl.exe s_client -connect [yourdomain.com]:443 –status
    If OCSP is enabled, you’ll receive the following response in the OCSP Response data section: OCSP Response Status: successful (0x0)If OCSP is not enabled, you will not see any OCSP response data. In this case, make sure your intermediate certificate is installed correctly.
  2. Verify if your Apache server has successfully connected to the OCSP server. Run the command below:
    curl ocsp.digicert.com/ping.html
  3. To enable OCSP stapling, you need to edit the virtual host configuration file for your site (your-domain.com-ssl.conf) using the editor of your choice. The configuration file usually resides in the following directory: etc/apache2/sites-available/your-domain.com-ssl.conf
  4. Open the file and make the following changes:
    • Add the following lines inside the <VirtualHost> tags:
      SSLUseStapling on
      SSLStaplingResponderTimeout 5
      SSLStaplingReturnResponderErrors off
    • Add a line inside the tags which points to a trusted certificate chain file. This must contain the intermediate & root certificates in order:
      SSLCACertificateFile /etc/apache2/ssl/full_chain.pem
    • Add the following line outside the <VirtualHost> tags:
      SSLStaplingCache shmcb:/var/run/ocsp(128000)
  5. Test your configuration:
    apachectl –t
  6. Restart the Apache server
    apachectl restart.

Enable OCSP Stapling on NGINX

OCSP stapling is available on NGINX 13,7 or later. Check your NGINX version: nginx-v

  1. Check if OCSP stapling is enabled. In OpenSSL, run the following command:
    openssl s_client -connect [yourdomain.com]:443 –status.
  2. If OCSP is enabled, the OCSP Response Data section should say:
    OCSP Response Status: successful (0x0)
  3. If it is not enabled, you won’t see any OCSP Response Data. If you don’t receive confirmation that OCSP is enabled, use this troubleshooting guide.
  4. To enable OCSP stapling, first edit the server block configuration file for your site (or nginx.conf if server blocks are not used):
    nano /etc/nginx/sites-enabled/my-domain.com-ssl.conf
    or
    nano /etc/nginx/nginx.conf

    Note: If you need to enable OCSP stapling on just one server block, it must be the “default_server”. If you need to enable it on several server blocks, it must be enabled on the ‘default_server’ first. Then it can be enabled on any other server block. 

  5. Turn on OCSP stapling and enable the server to check OCSP by adding two lines inside the server block:
    ssl_stapling on;
    ssl_stapling_verify on;
  6. Indicate a trusted certificate chain file which contains the intermediate & root certificates in order
    ssl_trusted_certificate /etc/nginx/ssl/full_chain.pem
  7. Check your configuration:
    sudo service nginx configtest
  8. Restart NGINX
    sudo service nginx reload