Configure OCSP Stappling
Configure OCSP Stappling
What is OCSP

OCSP is a protocol to check the revocation status of a certificate. This check is performed on the CA

Implementation example found in this Wikipedia article:

  • Alice and Bob have public key certificates issued by Ivan, the certificate authority (CA).
  • Alice wishes to perform a transaction with Bob and sends him her public key certificate.
  • Bob, concerned that Alice’s private key may have been compromised, creates an ‘OCSP request’ that contains Alice’s certificate serial number and sends it to Ivan.
  • Ivan’s OCSP responder reads the certificate serial number from Bob’s request. The OCSP responder uses the certificate serial number to look up the revocation status of Alice’s certificate. The OCSP responder looks in a CA database that Ivan maintains. In this scenario, Ivan’s CA database is the only trusted location where a compromise to Alice’s certificate would be recorded.
  • Ivan’s OCSP responder confirms that Alice’s certificate is still OK, and returns a signed, successful ‘OCSP response’ to Bob.
  • Bob cryptographically verifies Ivan’s signed response. Bob has stored Ivan’s public key sometime before this transaction. Bob uses Ivan’s public key to verify Ivan’s response.
  • Bob completes the transaction with Alice.
What is the OCSP Stappling

The major difference between OCSP and OCSP stappling is that the revocation request is performed by the certificate holder instead of the website client. Regularly, the certificate holder performs OCSP request to the OCSP server and save the reply (a signed OCSP response). This signed response is provided to client.

Implementation with Apache on Ubuntu 16.04

You have to edit two different files:

  • your apache ssl conf file /etc/apache2/mods-enabled/ssl.conf . Add this line in the module section mod_ssl.c
    SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling_cache(128000)

    The parameter ( 128000 ) is the byte size of the cache in the memory (RAM)

  • your vhost file normally located on /etc/apache2/sites-enabled/yourfile.conf . Add the following lines in the vhost section of your choice:
    SSLUseStapling on
    SSLStaplingReturnResponderErrors off
    SSLStaplingResponderTimeout 5

The last step: restart apache with systemctl restart apache2


My Powershell script categories

Configure OCSP Stappling

Leave a Reply

Your email address will not be published.