Instructions for Enabling OCSP Stapling on Your Apache Server
For more information about the Online Certificate Status Protocol (OCSP) and the benefits of OCSP stapling, see Enable OCSP Stapling on Your Server.
Apache: How to Enable OCSP Stapling
These instructions were created using Apache 2.4.7. Depending on which version of Apache you are using, you may need to modify these instructions accordingly.
Check your version of Apache
Apache supports OCSP stapling in Apache HTTPD Server 2.3.3+.
To see which version of Apache you are running, use one of the following commands:
apache2 -v
httpd -v
Check if OCSP stapling is enabled.
To see if OCSP stapling is enabled, do one of the following:
Check with the DigiCert® SSL Installation Diagnostic Tool
Go to /help and in the Server Address box, type in your server address (e.g., www.digicert.com).
If OCSP stapling is enabled, under SSL Certificate has not been revoked, to the right of OCSP Staple, it says Good.
If OCSP stapling is not enabled, under SSL Certificate has not been revoked, to the right of OCSP Staple, it says Not Enabled, and you now need to see if the Intermediate Certificate is properly installed.
Check using OpenSSL
Enter the following command:
openssl.exe s_client -connect [yoursite.com]:443 -status
If OCSP stapling is enabled, in your response, in the OCSP Response Data section, it should say the following:
OCSP Response Status: successful (0x0)
If OCSP stapling is not enabled, you will not see any OCSP Response Data, and you now need to see if the Intermediate Certificate is properly installed.
Check that the Intermediate Certificate is properly installed.
Before you can enable OCSP stapling on your Apache server, the Intermediate Certificate must be properly installed.
To see if the intermediate certificate is properly installed, go to /help and in the Server Address box, type in your server address (e.g., www.digicert.com).
Under Certificate Name matches, you should see your Server Certificate and the Intermediate Certificate.
If the server is not sending the required intermediate certificate, you will need to configure it in the "SSLCertificateChainFile" line of your SSL configuration. See Apache SSL Certificate Installation or EV SSL Certificate Installation :: Apache.
Verify the Apache server's connection to the OCSP server.
Enter the following command:
curl ocsp.digicert.com/ping.html
You should receive the "You have successfully reached the DigiCert OCSP Service" message.
If you don't have curl installed, try using the wget command:
wget ocsp.digicert.com/ping.html
If it downloads the page, you are connected. To view the contents of the page, enter the following command:
cat ping.html
You should receive the "You have successfully reached the DigiCert OCSP Service" message.
Configure your Apache server to use OCSP Stapling.
Use the following instructions to enable OCSP stapling on your Apache server after verifying that it supports OCSP stapling and can connect to the OCSP server.
Edit your site's VirtualHost SSL configuration.
Add the following line INSIDE the <VirtualHost></VirtualHost> block:
SSLUseStapling on
Add the following line OUTSIDE the <VirtualHost></VirtualHost> block:
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
For example:
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv3 -SSLv2
    SSLCertificateFile /path/to/your_domain_name.crt
    SSLCertificateKeyFile /path/to/your_private.key
    SSLCertificateChainFile /path/to/DigiCertCA.crt
    SSLUseStapling on
</VirtualHost>
Check the configuration for errors with the Apache Control service.
apachectl -t
Reload the Apache service.
service apache2 reload
Verify that OCSP stapling is now enabled.
To see if OCSP stapling is enabled, do one of the following:
Check with the DigiCert® SSL Installation Diagnostic Tool
Go to /help and in the Server Address box, type in your server address (e.g., www.digicert.com).
If OCSP stapling is enabled, under SSL Certificate has not been revoked, to the right of OCSP Staple, it says Good.
Check using OpenSSL
Enter the following command:
openssl.exe s_client -connect [yoursite.com]:443 -status
If OCSP stapling is enabled, in your response, in the OCSP Response Data section, it should say the following:
OCSP Response Status: successful (0x0)
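The OpenSSL check used both before enabling stapling and in this final verification, as an added example that is not part of the DigiCert page: a small shell script that classifies the output of openssl s_client -status (stapled and good, stapled but not good, no staple sent) and can run the live check against a host. The -servername option (SNI), the script name and the sample outputs are assumptions of this example, not from the page.

```shell
#!/usr/bin/env bash
# Added example, not from the DigiCert page: a repeatable version of the
# "openssl s_client -connect host:443 -status" check described above.

# Constructed, abridged sample outputs for offline use; not real captures.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================'
SAMPLE_REVOKED='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked'
SAMPLE_NO_STAPLE='CONNECTED(00000003)
OCSP response: no response sent'

# Classify raw s_client -status output. Prints one of:
#   enabled          a staple was sent and the Cert Status inside it is good
#   stapled-<status> a staple was sent but its Cert Status is not good
#   not-enabled      the server sent no OCSP response
#   unknown          neither marker present (handshake failed, wrong host, ...)
stapling_status() {
    local output="$1" cert_status
    if printf '%s\n' "$output" | grep -q 'OCSP Response Status: successful (0x0)'; then
        cert_status=$(printf '%s\n' "$output" | sed -n 's/^ *Cert Status: *//p' | head -n 1)
        if [ "$cert_status" = good ]; then
            echo enabled
        else
            echo "stapled-${cert_status:-missing}"
        fi
    elif printf '%s\n' "$output" | grep -q 'OCSP response: no response sent'; then
        echo not-enabled
    else
        echo unknown
    fi
}

# Live check. Assumes openssl is on PATH; -servername (SNI) is added so the
# intended virtual host answers. Stdin is /dev/null so s_client exits after the handshake.
check_host() {
    local host="$1" port="${2:-443}" out
    out=$(openssl s_client -connect "${host}:${port}" -servername "$host" -status </dev/null 2>/dev/null)
    stapling_status "$out"
}

# Usage: ./check_stapling.sh www.example.com [port]
if [ -n "${1:-}" ]; then check_host "$1" "${2:-443}"; fi
```

Apache fetches the OCSP response on demand, so the first handshake right after a reload can legitimately report not-enabled; run the check a second time before concluding stapling is off.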