How to Enable OCSP stapling in Apache

By | 2013/07/07

OCSP stapling requires Apache 2.3.3 or later. If you are running a stable Apache 2.4 branch, it is wise to take advantage of this security feature. Here is an example configuration that can be used:


SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLCACertificateFile /etc/ssl/apache2/my_ca.crt
SSLStaplingCache shmcb:/var/run/ocsp(128000)

Be sure to place SSLStaplingCache outside of any <VirtualHost> section, or Apache will likely not start. I suggest putting all of these directives outside of a <VirtualHost> for simplicity.

Running a test on ssllabs.com will confirm whether this has been set up properly.
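A local check to complement the SSL Labs test, as an added example that is not part of the original post: it classifies the stapling result found in the output of openssl s_client -status. The function names and the sample handshake output are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify OCSP stapling from `openssl s_client -status` output.

# Reads s_client output on stdin and prints one of:
#   not-stapled      server sent no OCSP response in the handshake
#   stapled-error    a response was stapled but its status is not "successful"
#                    (possible when SSLStaplingReturnResponderErrors is on)
#   stapled-good | stapled-revoked | stapled-unknown
classify_stapling() {
    awk '
        BEGIN { cert = "unknown" }
        /OCSP Response Status:/ { present = 1; if ($0 ~ /successful/) ok = 1 }
        /Cert Status:/          { cert = $NF }
        END {
            if (!present)  print "not-stapled"
            else if (!ok)  print "stapled-error"
            else           print "stapled-" cert
        }'
}

# Live check against a server (hypothetical helper; needs network access).
check_host() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -status \
        </dev/null 2>/dev/null | classify_stapling
}

# Constructed sample: handshake output when stapling is working.
sample_stapled() {
    cat <<'EOF'
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jul  7 00:00:00 2013 GMT
    Next Update: Jul 14 00:00:00 2013 GMT
EOF
}

# Constructed sample: handshake output when no response is stapled.
sample_not_stapled() {
    printf '%s\n' 'CONNECTED(00000003)' 'OCSP response: no response sent'
}

echo "stapled sample:     $(sample_stapled | classify_stapling)"
echo "not-stapled sample: $(sample_not_stapled | classify_stapling)"
```

After reloading Apache, run check_host with your own hostname; a result of not-stapled means the server is not sending a stapled response.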

2 thoughts on “How to Enable OCSP stapling in Apache”

  1. Bachsau

    SSLCACertificateFile is for verifying client certificates. It is not needed for simple https hosts.
