Are you looking for steps to configure OCSP stapling on Apache? We can help you.
Here at Bobcares, we have seen several such Apache related queries as part of our Server Management Services for web hosts and online service providers.
Today, we’ll take a look at how to configure OCSP stapling on Apache.
How OCSP Stapling Works
- First, the webserver hosting the SSL certificate sends a query to the issuing CA’s server.
- Next, the issuing CA’s server responds with the OCSP status and a timestamp.
- From this point, whenever a client connects the server staples the OCSP response to the certificate when it’s presented during the handshake.
- The client verifies the signature on the timestamp to ensure it came from the issuing CA.
If there is an issue, the client’s browser issues an error message.
How to enable OCSP stapling on Apache
Now let’s see how our Support Engineers enable OCSP stapling on Apache.
Check for OCSP stapling support on Apache
OCSP stapling is supported on Apache HTTP Server where version >=2.3.3
We run the following command to check the version of the apache installation.
apache2 -v httpd -v
Retrieve the CA bundle
Now, we retrieve the root CA and intermediate CA’s certificate in PEM format. Then we save them in a single file. This is for StartSSL’s Root and Intermediate CA certificates.
cd /etc/ssl wget -O - https://www.startssl.com/certs/ca.pem https://www.startssl.com/certs/sub.class1.server.ca.pem | tee -a ca-certs.pem> /dev/null
If the CA provides certificates in DER format then we convert them to PEM. For example DigiCert provides certificates in DER format. To download them and convert to PEM we run the following commands:
cd /etc/ssl wget -O - https://www.digicert.com/CACerts/DigiCertHighAssuranceEVRootCA.crt | openssl x509 -inform DER -outform PEM | tee -a ca-certs.pem> /dev/null wget -O - https://www.digicert.com/CACerts/DigiCertHighAssuranceEVCA-1.crt | openssl x509 -inform DER -outform PEM | tee -a ca-certs.pem> /dev/null
Configuring OCSP Stapling on Apache
Now we shall configure the OCSP stapling.
First, we edit the SSL virtual hosts file by running the below command.
sudo nano /etc/apache2/sites-enabled/example.com-ssl.conf
Then we place these lines inside the <VirtualHost></VirtualHost> directive.
SSLCACertificateFile /etc/ssl/ca-certs.pem SSLUseStapling on
Also, we specify a cache location outside <VirtualHost></VirtualHost> in the same file.
Then we do a configtest to check for errors.
After that, we reload if Syntax OK is displayed.
service apache2 reload
We access the website on IE (on Vista and above) or Firefox 26+ and check the error log.
If the file defined in the SSLCACertificateFile directive is missing, a certificate an error similar to the following is displayed.
[Fri Jan 08 23:36:44.055900 2021] [ssl:error] [pid 1491:tid 139921007208320] AH02217: ssl_stapling_init_cert: Can't retrieve issuer certificate! [Fri Jan 08 23:36:44.056018 2021] [ssl:error] [pid 1491:tid 139921007208320] AH02235: Unable to configure server certificate for stapling
If no such errors are displayed proceed to the final step.
Testing OCSP Stapling
Finally, we test if the OCSP stapling is working or not by running the below command.
echo QUIT | openssl s_client -connect bobcares.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
The output of the above command will explain if the webserver responded with OCSP data.
[Need any further assistance with Apache queries? – We are here to help you.]
Today, we saw how our Support Engineers configure OCSP stapling on the Apache server.