HAProxy Enterprise Documentation 2.3r1

set ssl ocsp-response

Set the Online Certificate Status Protocol (OCSP) response for an SSL/TLS certificate.

Description

The Online Certificate Status Protocol (OCSP) allows a client (browser) to see the revocation status of an SSL/TLS certificate in real time. A client contacts an OCSP Responder server to get the OCSP response, which contains the certificate's status (i.e. has it been revoked?). The Responder server is often managed by the certificate issuer. OCSP stapling is a mechanism that allows you to fetch the revocation status ahead of time and attach it to the certificate, saving the client from needing to make that request to the OCSP Responder server.

The OCSP response contains a status for the certificate of either good, revoked, or unknown.

You can store the OCSP response in a file with an .ocsp file extension in the same directory as the certificate. It wil be sent during the SSL/TLS handshake automatically. Alternatively, set it using the Runtime API's set ssl ocsp-response command.

The OCSP value must be a base64-encoded string of the DER-encoded OCSP response. Note that you would need to fetch the OCSP response at a regular interval, since it may change over time.

Examples

Follow these steps to set the OCSP response.

  1. Request the OCSP response from the OCSP Responder server by using the openssl ocsp command. The response will contains the status for each certificate included in the request:

    $ openssl ocsp \
       -issuer issuer.pem \
       -cert server.pem \
       -url http://ocsp.issuer.com \
       -host ocsp.issuer.com:80 \
       -respout response.der
  2. Store the response using the set ssl ocsp-response command:

    $ echo -e "set ssl ocsp-response <<\n$(base64 response.der)\n" | sudo socat stdio /var/run/hapee-2.3/hapee-lb.sock

See also


Next up

Lua