Are you trying to set up OCSP stapling on Apache?
This guide is for you.
OCSP Stapling is a TLS extension that enables the web server to cache Certificate Revocation status information and not placing the onus on the web client to make the request directly with the Certificate Authority (CA).
Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform Apache related configuration tasks.
In this context, we shall look into how to configure OCSP stapling on Apache.
How does OCSP Stapling Works ?
OCSP stapling is a more efficient way to handle the verification of certificate information. When a user attempts to visit the site, the digitally time-stamped response is then "stapled" with the TLS/SSL handshake via the Certificate Status Request extension response.
It works as follows:
i. First, the webserver hosting the SSL certificate sends a query to the issuing CA’s server.
ii. Next, the issuing CA’s server responds with the OCSP status and a timestamp.
iii. From this point, whenever a client connects the server staples the OCSP response to the certificate when it’s presented during the handshake.
iv. The client verifies the signature on the timestamp to ensure it came from the issuing CA.
If there is an issue, the client's browser issues an error message.
How to enable OCSP stapling on Apache HTTP SERVER ?
To enable OCSP stapling on Apache, follow the process below.
1. Check for OCSP stapling support on Apache
OCSP stapling is supported on Apache HTTP Server where version >=2.3.3
We run the following command to check the version of the apache installation.
2. Retrieve the CA bundle
Now, we retrieve the root CA and intermediate CA’s certificate in PEM format. Then we save them in a single file. This is for StartSSL’s Root and Intermediate CA certificates.
wget -O - https://www.startssl.com/certs/ca.pem https://www.startssl.com/certs/sub.class1.server.ca.pem | tee -a ca-certs.pem> /dev/null
If the CA provides certificates in DER format then we convert them to PEM. For example DigiCert provides certificates in DER format. To download them and convert to PEM we run the following commands:
wget -O - https://www.digicert.com/CACerts/DigiCertHighAssuranceEVRootCA.crt | openssl x509 -inform DER -outform PEM | tee -a ca-certs.pem> /dev/null
wget -O - https://www.digicert.com/CACerts/DigiCertHighAssuranceEVCA-1.crt | openssl x509 -inform DER -outform PEM | tee -a ca-certs.pem> /dev/null
3. Configuring OCSP Stapling on Apache
Now we shall configure the OCSP stapling.
First, we edit the SSL virtual hosts file by running the below command.
sudo nano /etc/apache2/sites-enabled/example.com-ssl.conf
Then we place these lines inside the <VirtualHost></VirtualHost> directive.
Also, we specify a cache location outside <VirtualHost></VirtualHost> in the same file.
Then we do a configtest to check for errors.
After that, we reload if Syntax OK is displayed.
service apache2 reload
We access the website on IE (on Vista and above) or Firefox 26+ and check the error log.
If the file defined in the SSLCACertificateFile directive is missing, a certificate an error similar to the following is displayed.
[Fri Jan 08 23:36:44.055900 2021] [ssl:error] [pid 1491:tid 139921007208320] AH02217: ssl_stapling_init_cert: Can't retrieve issuer certificate!
[Fri Jan 08 23:36:44.056018 2021] [ssl:error] [pid 1491:tid 139921007208320] AH02235: Unable to configure server certificate for stapling
If no such errors are displayed proceed to the final step.
How to Test OCSP Stapling on Apache ?
Finally, we test if the OCSP stapling is working or not by running the below command.
echo QUIT | openssl s_client -connect ibmimedia.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
The output of the above command will explain if the webserver responded with OCSP data.