Set the Online Certificate Status Protocol (OCSP) response for an SSL/TLS certificate.
Description Jump to heading
You can store the OCSP response in a file with a
.ocsp file extension in the same directory as the certificate. It will be sent during the SSL/TLS handshake automatically. Alternatively, set it using the Runtime API’s
set ssl ocsp-response command.
The OCSP value must be a base64-encoded string of the DER-encoded OCSP response. Note that you would need to fetch the OCSP response at a regular interval, since it may change over time.
Note that there are several rules regarding the content of
.ocsp files. An OCSP response is valid when:
- it has
- it is a single response for the corresponding certificate
- it is valid at the moment of addition.
When the OCSP response is invalid, the load balancer ignores the update and and emits a warning. See crt reference for more information.
As of version
2.8r1, the load balancer offers improved support for OCSP stapling, including automatic response retrieval. As such, setting the OCSP response via
set ssl ocsp-response is unnecessary. To enable OCSP stapling, see: OCSP stapling.
Examples Jump to heading
Follow these steps to set the OCSP response.
Request the OCSP response from the OCSP Responder server by using the openssl ocsp command. The OCSP resposne will be saved to
The response contains the status for each certificate included in the request:bashopenssl ocsp \-issuer issuer.pem \-cert server.pem \-url http://ocsp.issuer.com \-host ocsp.issuer.com:80 \-respout response.derbashopenssl ocsp \-issuer issuer.pem \-cert server.pem \-url http://ocsp.issuer.com \-host ocsp.issuer.com:80 \-respout response.der
Store the response using the
set ssl ocsp-responsecommand. The response will be loaded from
response.der:bashecho -e "set ssl ocsp-response <<\n$(base64 response.der)\n" | \sudo socat stdio tcp4-connect:127.0.0.1:9999bashecho -e "set ssl ocsp-response <<\n$(base64 response.der)\n" | \sudo socat stdio tcp4-connect:127.0.0.1:9999