What is OCSP Stapling?
OCSP Stapling is a TLS extension that enables the web server to cache Certificate Revocation status information and not placing the onus on the web client to make the request directly with the Certificate Authority (CA). This also has the added benefit of giving a performance boost to a TLS website as a request to a potentially busy CA server does not need to occur.
Configuring OCSP Stapling on Apache HTTP Server (>= 2.3.3)
Assuming that SSL / TLS is already configured on your Apache server, you only need to add two configuration options to your server to enable OCSP Stapling.
If you use the default Apache configuration file in Ubuntu for SSL take a look at.
It will look like this.
<VirtualHost *:443> ServerAdmin webmaster@localhost ServerName example.com DocumentRoot /var/www SSLEngine on SSLCertificateFile /etc/apache2/ssl/example.com/server.crt SSLCertificateKeyFile /etc/apache2/ssl/private/server.key SSLCertificateChainFile /etc/apache2/ssl/server-ca.crt SSLUseStapling on
The only configuration option required inside the <VirtualHost> directives is.
# Enable SSL OCSP Stapling SSLUseStapling on
Next you will need to configure a server cache for the OCSP status information. The best place for this would be in the Apache SSL configuration file.
This file contains all the options that Apache uses for SSL. An additional option SSLStaplingCache, needs to be added to this file as below.
# Set the location of the SSL OCSP Stapling Cache SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
The SSLStaplingCache directive defines the location for the cache and a size value for the OCSP cache.
Now this complete, just test your configuration changes.
If all is good, just reload Apache.
service apache2 reload
It is probably a good idea to test your site to make sure that your SSL configuration is secure. If it is publicly accessible, there is a great site that can fully test your SSL set-up.
The Apache Documentation for SSL including a few more OCSP options is available at