Reference
set ssl ocsp-response
Set the Online Certificate Status Protocol (OCSP) response for an SSL/TLS certificate.
Description Jump to heading
Available since
- HAProxy 2.5
- HAProxy Enterprise 2.5r1
You can store the OCSP response in a file with a .ocsp file extension in the same directory as the certificate. It will be sent during the SSL/TLS handshake automatically. Alternatively, set it using the Runtime API’s set ssl ocsp-response command.
The OCSP value must be a base64-encoded string of the DER-encoded OCSP response. Note that you would need to fetch the OCSP response at a regular interval, since it may change over time.
To display the OCSP response, use the Runtime API commands show ssl ocsp-response or show ssl cert
As of version 2.8r1, the load balancer offers improved support for OCSP stapling, including automatic response retrieval. As such, setting the OCSP response via set ssl ocsp-response is unnecessary. To enable OCSP stapling, see: OCSP stapling.
Examples Jump to heading
Follow these steps to set the OCSP response.
-
Request the OCSP response from the OCSP Responder server by using the openssl ocsp command. The OCSP resposne will be saved to
response.der.The response contains the status for each certificate included in the request:
bashopenssl ocsp \-issuer issuer.pem \-cert server.pem \-url http://ocsp.issuer.com \-host ocsp.issuer.com:80 \-respout response.derbashopenssl ocsp \-issuer issuer.pem \-cert server.pem \-url http://ocsp.issuer.com \-host ocsp.issuer.com:80 \-respout response.der -
Store the response using the
set ssl ocsp-responsecommand. The response will be loaded fromresponse.der:bashecho -e "set ssl ocsp-response <<\n$(base64 response.der)\n" | \sudo socat stdio tcp4-connect:127.0.0.1:9999bashecho -e "set ssl ocsp-response <<\n$(base64 response.der)\n" | \sudo socat stdio tcp4-connect:127.0.0.1:9999
See also Jump to heading
If this page was useful, please, Leave the feedback.