Reference

update ssl ocsp-response

Request an updated OCSP response.

Description Jump to heading

Available since

  • HAProxy 2.8
  • HAProxy Enterprise 2.8r1

When OCSP is enabled, the load balancer will automatically, and on a specified interval, fetch the OCSP response for each of its configured certificates. You can also request an immediate retrieval of this response using update ssl ocsp-response.

To display the last updated OCSP response, use the Runtime API commands show ssl ocsp-response or show ssl cert.

Examples Jump to heading

Follow these steps to update the OCSP response.

  1. Request an immediate update of the OCSP response for the certificate specified. Note that the certificate is specified by its path (in this example /etc/hapee-2.8/certs/cert.pem).

    bash
    echo -e "update ssl ocsp-response /etc/hapee-2.8/certs/cert.pem" | \
    sudo socat stdio tcp4-connect:127.0.0.1:9999
    bash
    echo -e "update ssl ocsp-response /etc/hapee-2.8/certs/cert.pem" | \
    sudo socat stdio tcp4-connect:127.0.0.1:9999
  2. The load balancer will retrieve the latest response. You can then show the response using show ssl ocsp-response, providing the Certificate ID key (use show ssl ocsp-response without providing a Certificate ID key to list all responses for all certificates, including their Certficate ID keys):

    bash
    echo -e "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100a" | \
    sudo socat stdio tcp4-connect:127.0.0.1:9999
    bash
    echo -e "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100a" | \
    sudo socat stdio tcp4-connect:127.0.0.1:9999
    output
    bash
    OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com
    Produced At: May 27 15:43:38 2021 GMT
    Responses:
    Certificate ID:
    Hash Algorithm: sha1
    Issuer Name Hash: 8A83E0060FAFF709CA7E9B95522A2E81635FDA0A
    Issuer Key Hash: F652B0E435D5EA923851508F0ADBE92D85DE007A
    Serial Number: 100A
    Cert Status: good
    This Update: May 27 15:43:38 2021 GMT
    Next Update: Oct 12 15:43:38 2048 GMT
    [...]
    output
    bash
    OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com
    Produced At: May 27 15:43:38 2021 GMT
    Responses:
    Certificate ID:
    Hash Algorithm: sha1
    Issuer Name Hash: 8A83E0060FAFF709CA7E9B95522A2E81635FDA0A
    Issuer Key Hash: F652B0E435D5EA923851508F0ADBE92D85DE007A
    Serial Number: 100A
    Cert Status: good
    This Update: May 27 15:43:38 2021 GMT
    Next Update: Oct 12 15:43:38 2048 GMT
    [...]

See also Jump to heading

If this page was useful, please, Leave the feedback.