OCSP stapling is another way of checking certificate revocation. OCSP is faster than CRL. This article shows you OCSP stapling configuration in Apache and Nginx. More information about OCSP and CRL is explained in the previous blog.

SSL stapling on nginx

Open /etc/nginx/conf/nginx.conf or the virtual host file in vi and add the following lines:

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/certs/ca-bundle.trust.crt;

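where ca-bundle.trust.crt is the trusted certificate file containing your root CA and intermediate certificates. With ssl_stapling_verify on, nginx uses this file to verify the OCSP response before stapling it.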

Verify the configuration by executing the following command

nginx -t

Restart the service

service nginx restart

SSL stapling in apache2

Open /etc/httpd/conf/httpd.conf or the virtual host file in vi and add the following lines:

SSLUseStapling on
# Set the location of the SSL OCSP Stapling Cache
# (SSLStaplingCache belongs in the global server config, outside any <VirtualHost> block)
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)

 

Once this is complete, test your configuration changes.

apachectl -t

service apache2 reload

Verify your OCSP configuration works!!!

 

openssl s_client -connect www.techrunnr.com:443 -status

You will get a section with the OCSP response; the following is sample output.

OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)

Or check from the following site:

https://globalsign.ssllabs.com/

Here you will see OCSP stapling YES
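
The openssl check above can be scripted so that a missing or failed staple is caught automatically. This is an added example, not code from the original article; the function names and the sample outputs are constructed for illustration.

```bash
#!/usr/bin/env bash
# Classify the OCSP section of `openssl s_client -status` output.
# Reads s_client output on stdin and prints one of:
#   stapled:<cert status>  stapled response, status successful (e.g. stapled:good)
#   not-stapled            server sent no OCSP response
#   error                  OCSP response present but status not successful
#   unknown                no OCSP section found (handshake probably failed)
classify_stapling() {
    awk '
        /OCSP response: no response sent/ { state = "not-stapled" }
        /OCSP Response Status:/ {
            state = ($0 ~ /successful \(0x0\)/) ? "stapled" : "error"
        }
        /Cert Status:/ { cert = $3 }
        END {
            if (state == "stapled") print "stapled:" (cert == "" ? "unknown" : cert)
            else if (state == "")   print "unknown"
            else                    print state
        }
    '
}

# Live check against your own server (hypothetical helper, not run below).
# -servername sends SNI so the intended virtual host answers.
check_host() {
    openssl s_client -connect "$1:443" -servername "$1" -status \
        </dev/null 2>/dev/null | classify_stapling
}

# Constructed, trimmed sample outputs; not captured from a real server.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good'
SAMPLE_MISSING='CONNECTED(00000003)
OCSP response: no response sent'

printf '%s\n' "$SAMPLE_STAPLED" | classify_stapling
printf '%s\n' "$SAMPLE_MISSING" | classify_stapling
```

nginx fetches the OCSP response lazily, so the first connection after a restart can report not-stapled; repeat the check before concluding that stapling is off.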

 

© 2018, Techrunnr. All rights reserved.


Prabhin Prabharkaran

He is a technical professional who loves to share tricks and tips on the Internet. He posts what he does!!
