set ssl ocsp-response

Set the Online Certificate Status Protocol (OCSP) response for an SSL/TLS certificate.

Description

You can store the OCSP response in a file next to the certificate, with the certificate's name plus a .ocsp extension (for example server.pem.ocsp). The load balancer loads it at startup and staples it during the SSL/TLS handshake automatically. Alternatively, set it at runtime with the Runtime API's set ssl ocsp-response command.

The value must be the DER-encoded OCSP response, base64-encoded. An OCSP response is only valid for the window between its thisUpdate and nextUpdate fields, so you must fetch a fresh response at a regular interval, before the current one expires.

Note that there are several rules regarding the content of .ocsp files and of responses set at runtime. An OCSP response is accepted when:

  • its certificate status is good
  • it contains a single response, and that response is for the certificate it is loaded for
  • its validity window (thisUpdate to nextUpdate) covers the moment it is added.

When the OCSP response is invalid, the load balancer ignores the update and emits a warning. See the crt reference for more information.

To display the OCSP response currently loaded, use the Runtime API commands show ssl ocsp-response or show ssl cert.

As of version 2.8r1, the load balancer offers improved support for OCSP stapling, including automatic response retrieval. As such, setting the OCSP response via set ssl ocsp-response is unnecessary. To enable OCSP stapling, see: OCSP stapling.

Examples

Follow these steps to set the OCSP response.

  1. Request the OCSP response from the OCSP responder by using the openssl ocsp command. The OCSP response is saved in DER form to response.der.

    The response contains the status for each certificate included in the request; here that is only server.pem, issued by issuer.pem:

    openssl ocsp \
      -issuer issuer.pem \
      -cert server.pem \
      -url http://ocsp.issuer.com \
      -host ocsp.issuer.com:80 \
      -respout response.der
  2. Store the response using the set ssl ocsp-response command. The response is read from response.der, base64-encoded, and sent in the Runtime API's payload form (<<), which ends at the first empty line; this form accepts the line-wrapped output of base64. The example assumes the Runtime API listens on 127.0.0.1:9999:

    echo -e "set ssl ocsp-response <<\n$(base64 response.der)\n" | \
      sudo socat stdio tcp4-connect:127.0.0.1:9999

    If the response is rejected (wrong certificate, status not good, or outside its validity window), the load balancer logs a warning and keeps the previous response. Confirm the update with show ssl ocsp-response.
