Instructions for Enabling OCSP Stapling on Your Apache Server

For more information about the Online Certificate Status Protocol (OCSP) and the benefits of OCSP stapling, see Enable OCSP Stapling on Your Server.

Apache: How to Enable OCSP Stapling

These instructions were created using Apache 2.4.7. Depending on which version of Apache you are using, you may need to modify these instructions accordingly.

  1. Check your version of Apache

    Apache supports OCSP stapling in Apache HTTPD Server 2.3.3+.

    To see which version of Apache you are running, use one of the following commands:

    • apache2 -v

    • httpd -v

  2. Check if OCSP stapling is enabled.

    1. To see if OCSP stapling is enabled, do one of the following:

      • Check with the ¶ºÒõ¹Ý® SSL Installation Diagnostic Tool

        Go to /help and in the Server Address box, type in your server address (i.e. www.digicert.com).

        If OCSP stapling is enabled, under SSL Certificate has not been revoked, to the right of OCSP Staple, it says Good.

        If OCSP stapling is not enabled, under SSL Certificate has not been revoked, to the right of OCSP Staple, it says Not Enabled, and you now need to see if the Intermediate Certificate is properly installed.

      • Check using OpenSSL

        Enter the following command:

        openssl.exe s_client -connect [yoursite.com]:443 -status

        If OCSP stapling is enabled, in your response, in the OCSP Response Data section, it should say the following:

        OCSP Response Status: successful (0x0)

        If OCSP stapling is not enabled, you will not see any OCSP Response Data, and you now need to see if the Intermediate Certificate is properly installed.

    2. Check that the Intermediate Certificate is properly installed.

      Before you can enable OCSP stapling on your Apache server, the Intermediate Certificate must be properly installed.

      To see if the intermediate certificate is properly installed, go to /help and in the Server Address box, type in your server address (i.e. www.digicert.com).

      Under Certificate Name matches¡­, you should see your Server Certificate and the Intermediate Certificate.

    3. If the server is not sending the required intermediate certificate, you will need to configure it in the ¡°³§³§³¢°ä±ð°ù³Ù¾±´Ú¾±³¦²¹³Ù±ð°ä³ó²¹¾±²Ô¹ó¾±±ô±ð¡± line of your SSL configuration. See Apache SSL Certificate Installation or EV SSL Certificate Installation :: Apache.

  3. Verify the Apache server¡¯s connection to the OCSP server.

    Enter the following command:

    curl ocsp.digicert.com/ping.html

    You should receive the ¡°You have successfully reached the ¶ºÒõ¹Ý OCSP Service¡± message.

    If you don¡¯t have curl installed, try using the wget command:

    wget ocsp.digicert.com/ping.html

    If it downloads the page, you are connected. To view the contents of the page, enter the following command:

    cat ping.html

    You should receive the ¡°You have successfully reached the ¶ºÒõ¹Ý OCSP Service¡± message.

  4. Configure your Apache server to use OCSP Stapling.

    Use the following instruction to enable OCSP stapling on your Apache server after verifying that it supports OSCP stapling and can connect to the OCSP server.

    1. Edit your site¡¯s VirtualHost SSL configuration.

      Add the following line INSIDE the <VirtualHost></VirtualHost> block:

      SSLUseStapling on

      Add the following line OUTSIDE the <VirtualHost></VirtualHost> block:

      SSLStaplingCache shmcb:/tmp/stapling_cache(128000)

      For example:

      SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
      <VirtualHost *:443>
      SSLEngine on
      SSLProtocol all -SSLv3 -SSLv2

      SSLCertificateFile /path/to/your_domain_name.crt
      SSLCertificateKeyFile /path/to/your_private.key
      SSLCertificateChainFile /path/to/¶ºÒõ¹ÝCA.crt

      SSLUseStapling on
      </VirtualHost>

    2. Check the configuration for errors with the Apache Control service.

      Apachectl -t

    3. Reload the Apache service.

      service apache2 reload

  5. Verify that OCSP stapling is now enabled.

    To see if OCSP stapling is enabled, do one of the following:

    • Check with the ¶ºÒõ¹Ý® SSL Installation Diagnostic Tool

      Go to /help and in the Server Address box, type in your server address (i.e. www.digicert.com).

      If OCSP stapling is enabled, under SSL Certificate has not been revoked, to the right of OCSP Staple, it says Good.

    • Check using OpenSSL

      Enter the following command:

      openssl.exe s_client -connect [yoursite.com]:443 -status

      If OCSP stapling is enabled, in your response, in the OCSP Response Data section, it should say the following:

      OCSP Response Status: successful (0x0)

Additional Enabling OCSP Stapling Instructions