Apache - Enable OCSP Stapling

Enable OCSP Stapling

  1. Make sure Apache 2.3.3 or above is installed.

    apache2 -v

    Note: The above applies to Debian & Ubuntu environments; Red Hat & CentOS users, replace apache2 with httpd.

     
  2. Edit the virtual host configuration file for your site using the editor of your choice (such as nano or vi):

    nano /etc/apache2/sites-available/example.com-ssl.conf

     
  3. Turn on OCSP stapling with the following entry:

    SSLUseStapling on

     
  4. Set how many seconds Apache waits for an OCSP response from the CA's responder, and stop responder errors from being passed on to clients as error messages:

    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off

     
  5. Point to a full trusted certificate chain file. This must contain all certificates: root, intermediate, and server.

    SSLCACertificateFile /etc/apache2/ssl/full_chain.pem


     
  6. Specify the shared-memory cache where Apache stores the OCSP responses it staples:

    SSLStaplingCache shmcb:/var/run/ocsp(128000)

    Note: This directive must be placed outside the <VirtualHost> tags (in the server-wide configuration) or Apache will not start.

    Use the example configuration below as a reference:

    [Screenshot of the example configuration: module.PNG]
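    The following is an added example configuration that is not the article's screenshot or GlobalSign's own file; the hostname, certificate and key paths are assumptions to be replaced with your own. It shows the directives from steps 3 to 6 together, with SSLStaplingCache kept outside the <VirtualHost> block as step 6 requires:

```apache
# Added example (not from the article). Paths and hostname are assumptions.

# Step 6: server-wide context, outside any <VirtualHost>, or Apache will not start.
SSLStaplingCache shmcb:/var/run/ocsp(128000)

<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl/example.com.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/example.com.key

    # Step 5: chain file Apache uses to validate the OCSP response it fetches.
    SSLCACertificateFile    /etc/apache2/ssl/full_chain.pem

    # Step 3: enable stapling for this virtual host.
    SSLUseStapling on

    # Step 4: give up on the responder after 5 seconds and do not relay
    # responder errors to clients (a missing staple is better than a fatal one).
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
</VirtualHost>
```

    Run `apachectl -t` after saving; a misplaced SSLStaplingCache is reported there rather than at reload time.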

 

  7. Test your configuration before reloading:

    apachectl -t

  8. Reload the Apache service if the test reports Syntax OK:

    service apache2 reload

  9. Verify OCSP Stapling is working by checking your domain with GlobalSign's SSL Checker.
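    As an added example that is not part of the article, the check in step 9 can also be done from the command line with `openssl s_client -status`, which prints the stapled response if the server sends one. The script below classifies that output; the two transcripts at the bottom are constructed, abridged samples used to exercise the classifier offline, and `check_stapling` assumes openssl is on the PATH.

```shell
#!/bin/sh
# Added example, not part of the GlobalSign article: classify the output of
# `openssl s_client -status` to confirm that a server staples OCSP responses.

# Return a one-word status for a captured s_client transcript passed as $1:
#   stapled      - a stapled OCSP response was delivered in the handshake
#   no-response  - the server sent no OCSP response (stapling off, or cache still empty)
#   unknown      - neither marker found (handshake failed, or unexpected output)
stapling_status() {
  if printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'; then
    echo stapled
  elif printf '%s\n' "$1" | grep -q 'OCSP response: no response sent'; then
    echo no-response
  else
    echo unknown
  fi
}

# Probe a live server (assumes openssl is on PATH). Usage: check_stapling example.com 443
# Empty stdin makes s_client close the connection right after the handshake.
check_stapling() {
  transcript=$(printf '' | openssl s_client -connect "$1:$2" -servername "$1" -status 2>/dev/null)
  stapling_status "$transcript"
}

# Constructed sample transcripts (abridged; real s_client output is much longer).
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
======================================
---
Certificate chain
 0 s:CN = example.com'

SAMPLE_NO_RESPONSE='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
 0 s:CN = example.com'

stapling_status "$SAMPLE_STAPLED"       # prints: stapled
stapling_status "$SAMPLE_NO_RESPONSE"   # prints: no-response
```

    A result of no-response right after a reload is not necessarily a misconfiguration: Apache fills the stapling cache on the first handshake for each certificate, so repeat the check once before revisiting the configuration.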
