HAProxy Enterprise Documentation 2.7r1

set ssl ocsp-response

Set the Online Certificate Status Protocol (OCSP) response for an SSL/TLS certificate.


The Online Certificate Status Protocol (OCSP) allows a client (browser) to see the revocation status of an SSL/TLS certificate in real time. A client contacts an OCSP Responder server to get the OCSP response, which contains the certificate's revocation status. The Responder server is often managed by the certificate issuer. OCSP stapling is a mechanism that allows you to fetch the revocation status ahead of time and attach it to the certificate, saving the client from needing to make that request to the OCSP Responder server.

The OCSP response contains a revocation status for the certificate of either good, revoked, or unknown.

You can store the OCSP response in a file with a .ocsp file extension in the same directory as the certificate. It will be sent during the SSL/TLS handshake automatically. Alternatively, set it using the Runtime API's set ssl ocsp-response command.

The OCSP value must be a base64-encoded string of the DER-encoded OCSP response. Note that you would need to fetch the OCSP response at a regular interval, since it may change over time.

To display the OCSP response, use the Runtime API commands show ssl ocsp-response or show ssl cert.


Follow these steps to set the OCSP response.

  1. Request the OCSP response from the OCSP Responder server by using the openssl ocsp command.

    The response contains the status for each certificate included in the request:

    $ openssl ocsp \
       -issuer issuer.pem \
       -cert server.pem \
       -url http://ocsp.issuer.com \
       -host ocsp.issuer.com:80 \
       -respout response.der
  2. Store the response using the set ssl ocsp-response command:

    $ echo -e "set ssl ocsp-response <<\n$(base64 response.der)\n" | \
       sudo socat stdio unix-connect:/var/run/hapee-2.7/hapee-lb.sock

See also

Next up

set ssl tls-key