Call Us! 1-800-383-5193
Call Us! 1-800-383-5193
Call Us! 1-800-383-5193

Need Help?

Emergency Response Time custom

Our experts have had an average response time of 11.55 minutes in January 2021 to fix urgent issues.

We will keep your servers stable, secure and fast at all times for one fixed price.

How to configure OCSP stapling on Apache

by | Jan 17, 2021

Are you looking for steps to configure OCSP stapling on Apache? We can help you.

Here at Bobcares, we have seen several such Apache related queries as part of our Server Management Services for web hosts and online service providers.

Today, we’ll take a look at how to configure OCSP stapling on Apache.


How OCSP Stapling Works

  • First, the webserver hosting the SSL certificate sends a query to the issuing CA’s server.
  • Next, the issuing CA’s server responds with the OCSP status and a timestamp.
  • From this point, whenever a client connects the server staples the OCSP response to the certificate when it’s presented during the handshake.
  • The client verifies the signature on the timestamp to ensure it came from the issuing CA.

If there is an issue, the client’s browser issues an error message.


How to enable OCSP stapling on Apache

Now let’s see how our Support Engineers enable OCSP stapling on Apache.


Check for OCSP stapling support on Apache

OCSP stapling is supported on Apache HTTP Server where version >=2.3.3

We run the following command to check the version of the apache installation.

apache2 -v
httpd -v


Retrieve the CA bundle

Now, we retrieve the root CA and intermediate CA’s certificate in PEM format. Then we save them in a single file. This is for StartSSL’s Root and Intermediate CA certificates.

cd /etc/ssl
wget -O - | tee -a ca-certs.pem> /dev/null

If the CA provides certificates in DER format then we convert them to PEM. For example DigiCert provides certificates in DER format. To download them and convert to PEM we run the following commands:

cd /etc/ssl
wget -O - | openssl x509 -inform DER -outform PEM | tee -a ca-certs.pem> /dev/null
wget -O - | openssl x509 -inform DER -outform PEM | tee -a ca-certs.pem> /dev/null


Configuring OCSP Stapling on Apache

Now we shall configure the OCSP stapling.

First, we edit the SSL virtual hosts file by running the below command.

sudo nano /etc/apache2/sites-enabled/

Then we place these lines inside the <VirtualHost></VirtualHost> directive.

SSLCACertificateFile /etc/ssl/ca-certs.pem
SSLUseStapling on

Also, we specify a cache location outside <VirtualHost></VirtualHost> in the same file.

SSLStaplingCache shmcb:/tmp/stapling_cache(128000)

Then we do a configtest to check for errors.

apachectl -t

After that, we reload if Syntax OK is displayed.

service apache2 reload

We access the website on IE (on Vista and above) or Firefox 26+ and check the error log.

tail /var/log/apache2/error.log

If the file defined in the SSLCACertificateFile directive is missing, a certificate an error similar to the following is displayed.

[Fri Jan 08 23:36:44.055900 2021] [ssl:error] [pid 1491:tid 139921007208320] AH02217: ssl_stapling_init_cert: Can't retrieve issuer certificate!
[Fri Jan 08 23:36:44.056018 2021] [ssl:error] [pid 1491:tid 139921007208320] AH02235: Unable to configure server certificate for stapling

If no such errors are displayed proceed to the final step.


Testing OCSP Stapling

Finally, we test if the OCSP stapling is working or not by running the below command.

echo QUIT | openssl s_client -connect -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'

The output of the above command will explain if the webserver responded with OCSP data.

[Need any further assistance with Apache queries? – We are here to help you.]



Today, we saw how our Support Engineers configure OCSP stapling on the Apache server.


Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.


var google_conversion_label = "owonCMyG5nEQ0aD71QM";


Submit a Comment

Your email address will not be published. Required fields are marked *