Apache - Enable OCSP Stapling
Aug 15, 2024
Enable OCSP Stapling
- Make sure Apache 2.3.3 or above is installed.
apache2 -v
Note: The above applies to Debian & Ubuntu environments; on Red Hat & CentOS, replace apache2 with httpd.
- Edit the virtual host configuration file for your site using the editor of your choice (such as nano or vi):
nano /etc/apache2/sites-available/example.com-ssl.conf
- Turn on OCSP stapling with the following entry:
SSLUseStapling on
- Set the number of seconds to wait for an OCSP response from the CA, and keep responder errors from being passed on to clients, where they would surface as user error messages:
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
- Point to a full trusted certificate chain file. This must contain all certificates: root, intermediate, and server.
SSLCACertificateFile /etc/apache2/ssl/full_chain.pem
- Specify the OCSP cached response location:
SSLStaplingCache shmcb:/var/run/ocsp(128000)
Note: This must be placed outside the <VirtualHost> tags or Apache will not start.
Use the example configuration below as a reference:
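The directives from the steps above assembled into one configuration, as an added example rather than the page's own; the hostname, DocumentRoot and certificate file names are placeholders to replace with your own.

```apache
# Added example (not from the original page). Hostname, DocumentRoot and
# certificate file names are placeholders.

# Server-level scope, outside any <VirtualHost>: Apache will not start if the
# stapling cache is declared inside a virtual host.
SSLStaplingCache shmcb:/var/run/ocsp(128000)

<VirtualHost *:443>
    ServerName   example.com
    DocumentRoot /var/www/example.com

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/example.com.key
    # Full trusted chain (root, intermediate, server); Apache needs the
    # issuer certificate from here to fetch the OCSP response for the server cert.
    SSLCACertificateFile  /etc/apache2/ssl/full_chain.pem

    # OCSP stapling
    SSLUseStapling on
    # Give up on the CA's OCSP responder after 5 seconds ...
    SSLStaplingResponderTimeout 5
    # ... and on failure complete the handshake without a staple instead of
    # forwarding the responder's error to the client.
    SSLStaplingReturnResponderErrors off
</VirtualHost>
```

As a local alternative to the online checker in the last step, `openssl s_client -connect example.com:443 -status < /dev/null` prints `OCSP Response Status: successful` when a staple is being served, and "OCSP response: no response sent" when it is not.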
- Test your configuration before reloading:
apachectl -t
- Reload the Apache service if the syntax check reports OK:
service apache2 reload
- Verify OCSP Stapling is working by checking your domain with GlobalSign's SSL Checker.