Entrust Datacard

Entrust Certificate Services Support Knowledge Base

Last Modified: 2017-06-15 10:44:44.0

Online Certificate Status Protocol (OCSP) Stapling

Article Number: 70825


Contents
What is Online Certificate Status Protocol (OCSP)?
What is OCSP stapling?
How does OCSP stapling work?
Windows Server: How to enable OCSP Stapling
Apache: How to enable OCSP Stapling
NGINX: How to enable OCSP Stapling

What is Online Certificate Status Protocol (OCSP)?

OCSP is an Internet protocol (RFC 6960), normally carried over HTTP, for obtaining the revocation status of a single X.509 digital certificate. It was created as an alternative to Certificate Revocation Lists (CRLs).

With OCSP, a relying party submits a status request for one certificate to an OCSP responder, usually operated by the issuing Certification Authority (CA), and receives a digitally signed response stating whether that certificate is good, revoked or unknown. A CRL, by contrast, is a complete signed list of the CA's revoked certificates, published at a defined interval (a CA may also publish a new CRL immediately after a revocation). Most OCSP responders are fed from the published CRLs, but some read the CA's certificate status database directly and can therefore provide near real-time status.

What is OCSP stapling?

In every case the value of a signed OCSP response rests on the integrity of the OCSP responder's signing key; a stapled response is still signed by the responder, so the web server cannot forge one, it can only relay it. OCSP stapling (the Transport Layer Security (TLS) Certificate Status Request extension, RFC 6066) lets the server fetch the OCSP response for its own certificate from the responder, cache it, and hand it to clients inside the TLS handshake, so clients no longer have to contact the CA themselves.

How does OCSP stapling work?

You can determine whether or not OCSP stapling is enabled on a server by running an SSL/TLS Install check against it. The status will be listed under Protocols.

When OCSP stapling is enabled, the server pre-fetches the OCSP response for its own certificate and delivers it to the user's browser during the TLS handshake. The browser no longer needs a separate connection to the CA's revocation service before the Web page is displayed, which improves the page's performance and reliability; it also keeps the CA from seeing which sites each client visits.

For this process to work, the web-server certificate must carry an Authority Information Access (AIA) extension pointing to the CA's OCSP responder URL, as the CA/Browser (CA/B) Forum Baseline Requirements require; the server reads the responder address from that extension. A response is only valid for a limited window (its This Update/Next Update period), so the server refreshes its cached copy before it expires.
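The pre-fetch step described above, done by hand with the openssl command-line tool, as an added example that is not part of the Entrust article: read the responder URL from the certificate's AIA extension, query the responder, verify the signed response against the issuing CA, and save the DER for a server to staple. The function names (ocsp_uri, prefetch_ocsp) and the file names in the usage line are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the Entrust article. Does by hand what a
# stapling-enabled server does in the background: read the OCSP responder URL
# from the certificate's Authority Information Access (AIA) extension, query
# the responder, verify the signed response, and save it as DER so a server
# can staple it. Requires the openssl CLI; function names are assumptions.

# Print the OCSP responder URL from CERT's AIA extension.
# Returns 1 if the certificate carries no OCSP URI; a server cannot staple
# for such a certificate, so this is the first thing to check when stapling
# "is on" but nothing is sent.
ocsp_uri() {
    uri=$(openssl x509 -in "$1" -noout -ocsp_uri | head -n 1)
    [ -n "$uri" ] || return 1
    printf '%s\n' "$uri"
}

# Fetch the OCSP response for CERT from its responder and store it as DER in
# OUT. ISSUER is the CA certificate that signed CERT (normally the first
# intermediate in the chain file your CA supplied); CABUNDLE (default: ISSUER)
# is the trust store used to verify the responder's signature.
# Succeeds only if the response verifies and reports the certificate as good.
prefetch_ocsp() {
    cert="$1"; issuer="$2"; out="$3"; cabundle="${4:-$2}"
    uri=$(ocsp_uri "$cert") || { echo "no OCSP URI in $cert" >&2; return 1; }
    result=$(openssl ocsp -issuer "$issuer" -cert "$cert" -url "$uri" \
                 -CAfile "$cabundle" -respout "$out" 2>&1) || {
        printf '%s\n' "$result" >&2
        return 1
    }
    # openssl ocsp exits 0 for a verified response even when the status is
    # "revoked", so check the summary line it prints ("<cert file>: good").
    case "$result" in
        *"$cert: good"*) printf '%s\n' "$result" ;;
        *) printf '%s\n' "$result" >&2; return 1 ;;
    esac
}

# Usage (file names are placeholders):
#   sh ocsp_prefetch.sh your_domain_name.crt intermediate_ca.crt staple.der
if [ "$#" -eq 3 ]; then
    prefetch_ocsp "$@"
fi
```

The DER file written by prefetch_ocsp is the format nginx's ssl_stapling_file directive expects, which is one way to staple from a host that has no outbound HTTP access to the responder: fetch the response on a host that does, copy the file in, and refresh it before Next Update.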

See below for how to enable OCSP stapling on each server platform.

Windows Server: How to enable OCSP Stapling

1. Check whether OCSP stapling is available:
  • For Windows Server 2008 and above: OCSP stapling is enabled by default.
  • For Windows Server releases before 2008: OCSP stapling is not supported.
  • Note that bindings configured with Server Name Indication (SNI) can cause OCSP stapling to be disabled for those bindings.
2. If OCSP stapling is not supported, you must upgrade to Windows Server 2008 or later.

3. Confirm that the server is actually stapling by opening a browser and running an SSL Install check against it. The status will be listed under Protocols.

If stapling is enabled but no response is being stapled, the server is probably unable to reach the OCSP responder, usually because of a firewall: the server needs outbound HTTP (port 80) access to the responder URL in the certificate's AIA extension. As Microsoft notes for the equivalent situation on a domain controller:

If the domain controller is behind a firewall, you may have to configure the firewall to explicitly allow outgoing HTTP connections to enable the domain controller to connect to the OCSP responder.

Apache: How to enable OCSP Stapling
For Apache 2.4 (OCSP stapling was added to mod_ssl in the 2.3.3 development release, so every 2.4.x release supports it)

1. Confirm your version of Apache is 2.3.3 or later (in practice, 2.4.x) by running whichever of the commands below matches your distribution's binary name:
apache2 -v
httpd -v
 

2. Check whether OCSP stapling is already enabled by running an SSL Install check. The status will be listed under Protocols next to the OCSP Must Staple and Revocation Information fields.

If the check reports that OCSP stapling is not enabled, continue with the steps below.

3. Before enabling OCSP stapling, make sure the certificate chain is properly installed: mod_ssl needs the issuer's certificate to build the OCSP request and to validate the response. Return to the SSL Install Check and look at the Chain Issues field; if the chain is properly installed it will read None.

4. Configure your Apache server to use OCSP stapling by adding the directives below to your site's SSL configuration.

In the .conf file, add the following outside the <VirtualHost></VirtualHost> block (the stapling cache is server-wide, and mod_ssl will not staple without one):

SSLStaplingCache shmcb:/tmp/stapling_cache(128000)

Next, add the following inside the <VirtualHost></VirtualHost> block:

SSLUseStapling On

For example:

# Server-wide stapling cache; must sit outside any VirtualHost
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
<VirtualHost *:443>
   SSLEngine on
   SSLProtocol all -SSLv3 -SSLv2

   SSLCertificateFile /path/to/your_domain_name.crt
   SSLCertificateKeyFile /path/to/your_private.key
   # Intermediate CA certificate(s) supplied by your CA; mod_ssl needs the
   # issuer certificate to build and validate the OCSP request (on Apache
   # 2.4.8+ the chain may instead be appended to the SSLCertificateFile)
   SSLCertificateChainFile /path/to/intermediate_ca.crt

   SSLUseStapling on
   # Do not pass responder errors on to clients as a staple; send no staple
   # instead, so a responder outage does not break the handshake
   SSLStaplingReturnResponderErrors off
   SSLStaplingResponderTimeout 5
</VirtualHost>


5. Verify that OCSP stapling is now enabled by running an SSL Install check again. Enabled OCSP stapling will display beside the field OCSP Must Staple as "Yes". Keep in mind that OCSP Must-Staple, strictly speaking, is a certificate extension (RFC 7633) that tells clients to reject a handshake without a staple; a server can staple without it, so also confirm that a response is actually being sent, for example with openssl s_client -status.

NGINX: How to enable OCSP Stapling
For nginx version 1.3.7 and later

1. Check your version of nginx. OCSP stapling is supported from version 1.3.7 onwards. Run the command below to check your version:

nginx -v

2. Check whether OCSP stapling is already enabled by running an SSL Install check. The status will be listed under Protocols next to the OCSP Must Staple and Revocation Information fields.

If the check reports that OCSP stapling is not enabled, continue with the steps below.

3. Before enabling OCSP stapling, make sure the certificate chain is properly installed: nginx needs the issuer's certificate to build the OCSP request. Return to the SSL Install Check and look at the Chain Issues field; if the chain is properly installed it will read None.

4. Configure your nginx server to enable OCSP stapling by editing your site's SSL configuration file. Add the following directives inside the "server {}" block:

ssl_stapling on;
ssl_stapling_verify on;

ssl_stapling_verify makes nginx check the responder's signature before stapling, which requires the issuing CA chain (intermediate and root certificates) in ssl_trusted_certificate; nginx also needs a resolver directive to look up the responder's hostname from the AIA URL. Without these it logs a warning and silently sends no staple.

For example:

server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Leaf certificate followed by the intermediate(s); nginx needs the
    # issuer certificate to build the OCSP request
    ssl_certificate /etc/ssl/bundle.crt;
    ssl_certificate_key /etc/ssl/your_domain_name.key;

    ssl_stapling on;
    ssl_stapling_verify on;
    # Intermediate and root CA certificates used to verify the OCSP response
    ssl_trusted_certificate /etc/ssl/ca_chain.crt;
    # DNS resolver used to look up the OCSP responder hostname; use your own
    resolver 127.0.0.1 valid=300s;
    resolver_timeout 5s;
}


5. Verify that OCSP stapling is now enabled by running an SSL Install check again. Enabled OCSP stapling will display beside the field OCSP Must Staple as "Yes". Note that nginx fetches the OCSP response lazily, on the first handshake after a (re)start, so that first connection carries no staple; run the check twice before concluding that stapling is broken.
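A command-line counterpart to the SSL Install check used in the Windows, Apache and nginx verification steps above, added here as an example that is not part of the Entrust article: it asks the server for a staple with openssl s_client -status and classifies what came back. The function names (classify_staple, check_staple) are assumptions, and the SAMPLE_* strings are constructed, trimmed copies of s_client output so the classifier can be exercised without a network connection.

```shell
#!/bin/sh
# Added example (not from the Entrust article): confirm from a client that a
# server actually staples an OCSP response, using "openssl s_client -status".
# Works against any TLS server (IIS, Apache, nginx). Requires the openssl CLI;
# function names are assumptions made for this example.

# Classify the output of "openssl s_client -status".
# Prints one of:
#   none            the server sent no stapled response
#   good            a staple was sent and reports the certificate as good
#   revoked         a staple was sent and reports the certificate as revoked
#   responder-error the staple carries a responder error (e.g. unauthorized)
#   unknown         the text did not look like s_client -status output
classify_staple() {
    out="$1"
    if printf '%s\n' "$out" | grep -q '^OCSP response: no response sent'; then
        echo none
    elif printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        if printf '%s\n' "$out" | grep -q 'Cert Status: good'; then
            echo good
        elif printf '%s\n' "$out" | grep -q 'Cert Status: revoked'; then
            echo revoked
        else
            echo unknown
        fi
    elif printf '%s\n' "$out" | grep -q 'OCSP Response Status:'; then
        echo responder-error
    else
        echo unknown
    fi
}

# Connect to HOST[:PORT] with SNI, request a staple, print the classification
# and the response's validity window, and succeed only for "good".
# Two attempts: nginx fetches the OCSP response lazily, so the first handshake
# after a restart usually carries no staple.
check_staple() {
    host="$1"; port="${2:-443}"
    for attempt in 1 2; do
        out=$(openssl s_client -connect "$host:$port" -servername "$host" \
                  -status </dev/null 2>/dev/null)
        status=$(classify_staple "$out")
        [ "$status" = none ] || break
        sleep 2
    done
    echo "$host:$port stapling=$status"
    # A staple whose Next Update is in the past is stale and will be rejected
    printf '%s\n' "$out" | grep -E 'This Update|Next Update|Cert Status' | sed 's/^ *//'
    [ "$status" = good ]
}

# Constructed samples of s_client -status output, trimmed to the lines that
# matter, so classify_staple can be tested offline.
SAMPLE_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responses:
    Cert Status: good
    This Update: Jun 14 12:00:00 2017 GMT
    Next Update: Jun 21 12:00:00 2017 GMT
======================================'
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
depth=2 C = US, O = Entrust'

# Usage: sh ocsp_check.sh www.example.com [443]
if [ "$#" -gt 0 ]; then
    check_staple "$@"
fi
```

Run it against the server twice after any configuration change; "none" on the first connection and "good" on the second is the normal nginx lazy-fetch behaviour, while "none" on both means the server never obtained a response (check the AIA URL, the chain file and outbound HTTP access to the responder).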


If you have any questions or concerns please contact the Entrust Certificate Services Support department for further assistance: 

Hours of Operation:
Sunday 8:00 PM ET to Friday 8:00 PM ET 
North America (toll free): 1-866-267-9297 
Outside North America: 1-613-270-2680 (or see the list below) 
NOTE: It is very important that international callers dial the UITF format exactly as indicated. Do not dial an extra "1" before the "800" or your call will not be accepted as an UITF toll free call.
 
Country          Number
Australia        0011 - 800-3687-7863
                 1-800-767-513
Austria          00 - 800-3687-7863
Belgium          00 - 800-3687-7863
Denmark          00 - 800-3687-7863
Finland          990 - 800-3687-7863 (Telecom Finland)
                 00 - 800-3687-7863 (Finnet)
France           00 - 800-3687-7863
Germany          00 - 800-3687-7863
Hong Kong        001 - 800-3687-7863 (Voice)
                 002 - 800-3687-7863 (Fax)
Ireland          00 - 800-3687-7863
Israel           014 - 800-3687-7863
Italy            00 - 800-3687-7863
Japan            001 - 800-3687-7863 (KDD)
                 004 - 800-3687-7863 (ITJ)
                 0061 - 800-3687-7863 (IDC)
Korea            001 - 800-3687-7863 (Korea Telecom)
                 002 - 800-3687-7863 (Dacom)
Malaysia         00 - 800-3687-7863
Netherlands      00 - 800-3687-7863
New Zealand      00 - 800-3687-7863
                 0800-4413101
Norway           00 - 800-3687-7863
Singapore        001 - 800-3687-7863
Spain            00 - 800-3687-7863
Sweden           00 - 800-3687-7863 (Telia)
                 00 - 800-3687-7863 (Tele2)
Switzerland      00 - 800-3687-7863
Taiwan           00 - 800-3687-7863
United Kingdom   00 - 800-3687-7863
                 0800 121 6078
                 +44 (0) 118 953 3088