APACHE – ENABLE OCSP STAPLING 

ENABLE OCSP STAPLING INSTALLATION GUIDE
  • Make sure Apache 2.3.3 or above is installed. OCSP stapling is implemented in mod_ssl and also requires the server to be built against OpenSSL 0.9.8h or later; in practice any Apache 2.4 release qualifies.

apache2 -v

Note: The above applies to Debian & Ubuntu environments; Red Hat & CentOS users, replace apache2 with httpd. The shared-memory stapling cache used below (shmcb) additionally requires mod_socache_shmcb to be loaded; apachectl -M lists the loaded modules.

 

  • Edit the virtual host configuration file for your site using the editor of your choice (such as nano or vi):

nano /etc/apache2/sites-available/example.com-ssl.conf

 

  • Turn on OCSP stapling with the following entry:

SSLUseStapling on

 

  • Set the number of seconds to wait for an OCSP response from the CA's responder, and tell Apache not to staple responder errors. With SSLStaplingReturnResponderErrors off, a timeout or an error response (for example "tryLater") is not passed on to the client: the client simply receives no stapled response and falls back to its own revocation check instead of showing the user an error.

SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off

  • Point to a trusted certificate chain file. mod_ssl needs the certificate of the CA that issued the server certificate (the intermediate) in order to build the OCSP request, so the file must contain the intermediate certificate(s) and the root; including the server certificate itself does no harm. SSLCertificateChainFile serves the same purpose, and on Apache 2.4.8 or later the chain may instead be appended to the file given in SSLCertificateFile.

SSLCACertificateFile /etc/apache2/ssl/full_chain.pem

  • Specify the OCSP cached response location:

SSLStaplingCache shmcb:/var/run/ocsp(128000)

Note: This must be placed outside the <VirtualHost> tags or Apache will not start.

Use the example configuration below as a reference:

<IfModule mod_ssl.c>

    # Specify cached response location (must be outside <VirtualHost>).
    # No space is allowed between "shmcb:" and the path.
    SSLStaplingCache shmcb:/var/run/ocsp(128000)

    <VirtualHost *:443>
        ServerAdmin admin@example.com
        ServerName example.com
        DocumentRoot /var/www

        # Enable SSL & OCSP Stapling
        SSLEngine on
        SSLUseStapling on

        # Configure Stapling Options
        SSLStaplingResponderTimeout 5
        SSLStaplingReturnResponderErrors off

        # Assign SSL Certificate & Key
        SSLCertificateFile /etc/apache2/ssl/example.com/my_certificate.crt
        SSLCertificateKeyFile /etc/apache2/ssl/example.com/example.key

        # Specify full certificate chain (Root, Intermediate, and Server)
        SSLCACertificateFile /etc/apache2/ssl/full_chain.pem

    </VirtualHost>
</IfModule>

  • Test your configuration before reloading:

apachectl -t

  • Reload Apache if the syntax check reports "Syntax OK":

service apache2 reload
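Once Apache has been reloaded, the only proof that stapling works is a TLS handshake in which the server actually sends an OCSP response. The script below is an added example, not part of the original guide: it runs openssl s_client with -status against a host and classifies the stapled response, including the two failure modes worth recognising (no response sent at all, or a stapled responder error, which is what SSLStaplingReturnResponderErrors on would produce). The hostname and port in the usage line are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example, not part of the original guide: confirm from the outside
# that the server really staples an OCSP response. The hostname and port
# on the usage line are assumptions; replace them with your own.

# parse_stapling: read the output of `openssl s_client -status` on stdin
# and print one word describing what the server stapled:
#   stapled-good     successful response, certificate status "good"
#   stapled-revoked  successful response, certificate status "revoked"
#   stapled-unknown  successful response with any other certificate status
#   stapled-error    the server stapled an OCSP error (e.g. "trylater"),
#                    which happens with SSLStaplingReturnResponderErrors on
#   not-stapled      no OCSP response was sent in the handshake
parse_stapling() {
    out=$(cat)
    case "$out" in
        *"OCSP Response Status: successful"*)
            case "$out" in
                *"Cert Status: good"*)    echo stapled-good ;;
                *"Cert Status: revoked"*) echo stapled-revoked ;;
                *)                        echo stapled-unknown ;;
            esac ;;
        *"OCSP Response Status:"*) echo stapled-error ;;
        *)                         echo not-stapled ;;
    esac
}

# check_stapling HOST [PORT]: perform the handshake and classify the result.
# </dev/null closes stdin so s_client exits right after the handshake;
# -servername sends SNI so the intended <VirtualHost> answers.
check_stapling() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | parse_stapling
}

# Usage: ./check_stapling.sh example.com [443]
if [ $# -gt 0 ]; then
    check_stapling "$@"
fi
```

A result of not-stapled right after the reload usually means mod_ssl could not reach the responder or could not find the issuer certificate; the Apache error log records the reason. The parser works on s_client output alone, so it can also be pointed at a saved transcript.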

 

Last Updated: July 26, 2017