How to Configure OCSP Stapling on Apache HTTP Server

What is OCSP Stapling?

OCSP Stapling is a TLS extension that lets the web server fetch and cache the revocation status of its own certificate from the Certificate Authority (CA) and send ("staple") it to clients during the TLS handshake, rather than placing the onus on the web client to query the CA directly. This also gives a performance boost to a TLS website, since the client no longer needs to make a request to a potentially busy CA server.

Configuring OCSP Stapling on Apache HTTP Server (>= 2.3.3)

Assuming that SSL / TLS is already configured on your Apache server, you only need to add two configuration options to your server to enable OCSP Stapling.

If you use Ubuntu's default Apache SSL site configuration, take a look at:

/etc/apache2/sites-available/default-ssl.conf

It will look like this.

    <VirtualHost *:443>

            ServerAdmin webmaster@localhost
            ServerName example.com
            DocumentRoot /var/www

            SSLEngine on

            SSLCertificateFile /etc/apache2/ssl/example.com/server.crt
            SSLCertificateKeyFile /etc/apache2/ssl/private/server.key
            # Intermediate CA chain; mod_ssl needs the issuer certificate to build OCSP requests
            SSLCertificateChainFile /etc/apache2/ssl/server-ca.crt
            # Enable OCSP Stapling for this virtual host
            SSLUseStapling on
    </VirtualHost>

The only configuration option required inside the <VirtualHost> block is:

# Enable SSL OCSP Stapling
SSLUseStapling on

Next you will need to configure a server cache for the OCSP status information. The best place for this would be in the Apache SSL configuration file.

/etc/apache2/mods-available/ssl.conf

This file contains all the options that Apache uses for SSL. An additional option, SSLStaplingCache, needs to be added to this file as below.

# Set the location of the SSL OCSP Stapling Cache
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)

The SSLStaplingCache directive sets the cache type and location (here a shared-memory cache) and its size in bytes. It is only valid at server scope, outside any <VirtualHost> block, which is why it belongs in ssl.conf rather than in the site configuration.
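The two placement rules above (SSLUseStapling inside the virtual host, SSLStaplingCache outside it) are easy to get backwards, and Apache will refuse to start if the cache directive lands inside a <VirtualHost>. The following script is an added example, not part of the original post: it lints a configuration file for exactly those two conditions. The function name and the two sample configuration files it writes to temporary paths are constructed for the example.

```shell
#!/bin/sh
# Added example: check an Apache config for the two OCSP stapling directives.
# Returns 0 when "SSLUseStapling on" appears inside a <VirtualHost> and
# SSLStaplingCache appears at server (global) scope; otherwise prints the
# problems found and returns 1.
check_stapling_config() {
    awk '
        BEGIN { depth = 0; vhost_stapling = 0; global_cache = 0; vhost_cache = 0 }
        /^[[:space:]]*#/ { next }                        # skip comment lines
        /^[[:space:]]*<VirtualHost/ { depth++; next }     # entering a vhost block
        /^[[:space:]]*<\/VirtualHost>/ { depth--; next }  # leaving a vhost block
        /^[[:space:]]*SSLUseStapling[[:space:]]+[Oo]n/ { if (depth > 0) vhost_stapling = 1 }
        /^[[:space:]]*SSLStaplingCache[[:space:]]/ {
            if (depth > 0) vhost_cache = 1; else global_cache = 1
        }
        END {
            ok = 1
            if (!vhost_stapling) { print "missing: SSLUseStapling on inside <VirtualHost>"; ok = 0 }
            if (vhost_cache)     { print "error: SSLStaplingCache inside <VirtualHost> (server config only)"; ok = 0 }
            if (!global_cache)   { print "missing: SSLStaplingCache at server scope"; ok = 0 }
            if (ok) exit 0; else exit 1
        }
    ' "$1"
}

# Constructed sample 1: cache at server scope, stapling enabled in the vhost (valid).
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
# Set the location of the SSL OCSP Stapling Cache
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
<VirtualHost *:443>
    SSLEngine on
    SSLUseStapling on
</VirtualHost>
EOF

# Constructed sample 2: cache directive wrongly placed inside the vhost (Apache rejects this).
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLUseStapling on
    SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
</VirtualHost>
EOF

echo "good config:"; check_stapling_config "$GOOD_CONF" && echo "ok"
echo "bad config:";  check_stapling_config "$BAD_CONF"  || echo "rejected"
```

Run it against your own files with `check_stapling_config /etc/apache2/mods-available/ssl.conf` and the site file; it only looks at the directives themselves, so `apachectl -t` remains the authoritative syntax check.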

Now that this is complete, test your configuration changes:

apachectl -t

If all is good, just reload Apache.

service apache2 reload

It is probably a good idea to test your site to make sure that your SSL configuration is secure. If it is publicly accessible, there is a great site that can fully test your SSL set-up.

https://www.ssllabs.com/
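For a site that is not publicly reachable, or to confirm the change from the command line right after the reload, you can ask the server for a stapled response directly with `openssl s_client -status`. The script below is an added example, not part of the original post: `stapling_status` classifies the relevant lines of `s_client` output, and `check_live` wires it to a real connection. The two embedded samples are constructed excerpts of what `s_client -status` prints with and without a stapled response.

```shell
#!/bin/sh
# Added example: verify OCSP stapling from the client side.

# Reads "openssl s_client -status" output on stdin and prints one of:
#   stapled-<status>  a stapled response was sent (returns 0 only when status is "good")
#   none              the server sent no OCSP response (returns 1)
#   malformed         something was sent but no successful response was parsed (returns 1)
stapling_status() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo none
        return 1
    fi
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        status=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Cert Status: //p' | head -n 1)
        echo "stapled-${status:-unknown}"
        if [ "$status" = "good" ]; then return 0; else return 1; fi
    fi
    echo malformed
    return 1
}

# Live check (needs network): -status asks for the stapled response, -servername
# selects the right virtual host, and </dev/null closes the session immediately.
check_live() {
    openssl s_client -connect "$1:443" -servername "$1" -status </dev/null 2>/dev/null | stapling_status
}

# Constructed sample: a server that staples a "good" response.
STAPLED_SAMPLE='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================
'

# Constructed sample: a server with stapling not enabled.
NO_STAPLE_SAMPLE='CONNECTED(00000003)
OCSP response: no response sent
'

printf 'stapling server: %s\n'   "$(printf '%s' "$STAPLED_SAMPLE"   | stapling_status)"
printf 'non-stapling server: %s\n' "$(printf '%s' "$NO_STAPLE_SAMPLE" | stapling_status)"
# Uncomment to test a real host: check_live example.com
```

A fresh Apache process may report "no response sent" on the very first handshake, because mod_ssl fetches the OCSP response lazily and caches it; a second connection a moment later should show the stapled response.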

The Apache Documentation for SSL including a few more OCSP options is available at

http://httpd.apache.org/docs/trunk/mod/mod_ssl.html