Reference

set ssl ocsp-response

Set the Online Certificate Status Protocol (OCSP) response for an SSL/TLS certificate.

Description Jump to heading

Available since

  • HAProxy 2.5
  • HAProxy Enterprise 2.5r1

You can store the OCSP response in a file with a .ocsp file extension in the same directory as the certificate. It will be sent during the SSL/TLS handshake automatically. Alternatively, set it using the Runtime API’s set ssl ocsp-response command.

The OCSP value must be a base64-encoded string of the DER-encoded OCSP response. Note that you would need to fetch the OCSP response at a regular interval, since it may change over time.

To display the OCSP response, use the Runtime API commands show ssl ocsp-response or show ssl cert

As of version 2.8r1, the load balancer offers improved support for OCSP stapling, including automatic response retrieval. As such, setting the OCSP response via set ssl ocsp-response is unnecessary. To enable OCSP stapling, see: OCSP stapling.

Examples Jump to heading

Follow these steps to set the OCSP response.

  1. Request the OCSP response from the OCSP Responder server by using the openssl ocsp command. The OCSP resposne will be saved to response.der.

    The response contains the status for each certificate included in the request:

    bash
    openssl ocsp \
    -issuer issuer.pem \
    -cert server.pem \
    -url http://ocsp.issuer.com \
    -host ocsp.issuer.com:80 \
    -respout response.der
    bash
    openssl ocsp \
    -issuer issuer.pem \
    -cert server.pem \
    -url http://ocsp.issuer.com \
    -host ocsp.issuer.com:80 \
    -respout response.der
  2. Store the response using the set ssl ocsp-response command. The response will be loaded from response.der:

    bash
    echo -e "set ssl ocsp-response <<\n$(base64 response.der)\n" | \
    sudo socat stdio tcp4-connect:127.0.0.1:9999
    bash
    echo -e "set ssl ocsp-response <<\n$(base64 response.der)\n" | \
    sudo socat stdio tcp4-connect:127.0.0.1:9999

See also Jump to heading

If this page was useful, please, Leave the feedback.

© 2023 HAProxy Technologies, LLC. All Rights Reserved
Manage Cookie Preferences