OCSP Stapling

This article explains how to set up OCSP stapling. OCSP stapling speeds up SSL certificate verification by attaching a CA-signed certificate status (OCSP) response to the SSL handshake, so the client does not have to query the certificate authority's OCSP responder itself. This streamlines the process and removes burdens from the client and SSL certification authorities. For more information on OCSP stapling, see our blog.

This article assumes that you already have the necessary certificate files and an OCSP responder. OCSP stapling is only available for LiteSpeed Web Server 4.2.4 and above.

Set up a secure listener

Add a listener (WebAdmin console > Configuration > Listeners > Add).

Make sure you click Yes under the Secure setting. (The other settings should be customized to listen to the correct IP and port for the virtual hosts this listener will be mapping to.)

Set up certificate files

Open up the listener again (View/Edit).

Under the SSL tab, enter the paths and locations for your certificates and key files.

Set the OCSP values

To set up OCSP stapling, you must set Enable OCSP Stapling to “Yes”. It is also better to put the address of your OCSP responder in the OCSP Responder field (though the server may be able to find it in your CA certificate). Check with your certificate authority (CA) for your OCSP responder's address.

Graceful restart to apply changes

Did it work?

Check in $SERVER_ROOT/temp/ocspcache/. If a file has been created there, then your OCSP stapling is working. If not, check your error logs for what went wrong.
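
The cache check above only shows that the server fetched a response. The script below is an added example, not part of LiteSpeed's tooling, that pairs it with a client-side check of what the listener actually staples, using openssl s_client -status. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not LiteSpeed's own tooling): confirm OCSP stapling from both sides.

# Server side: succeeds if $SERVER_ROOT/temp/ocspcache/ (path from this page)
# contains at least one file. $1 = server root directory.
ocsp_cache_populated() {
    dir="$1/temp/ocspcache"
    [ -d "$dir" ] && [ -n "$(find "$dir" -type f 2>/dev/null | head -n 1)" ]
}

# Client side: classify `openssl s_client -status` output read from stdin.
# Prints good | revoked | unknown | responder-error | no-staple | unparsed.
classify_staple() {
    awk '
        /OCSP response: no response sent/        { state = "no-staple" }
        /OCSP Response Status:/ && !/successful/ { state = "responder-error" }
        /Cert Status:/                           { state = $3 }
        END { print (state ? state : "unparsed") }
    '
}

# Live check against a listener; $1 = host name, $2 = port (not run by default).
check_listener() {
    openssl s_client -connect "$1:$2" -servername "$1" -status </dev/null 2>/dev/null |
        classify_staple
}

# Constructed samples of s_client output (not captured from a real server).
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT'
SAMPLE_NONE='OCSP response: no response sent'
SAMPLE_TRYLATER='OCSP response:
    OCSP Response Status: trylater (0x3)'

printf '%s\n' "$SAMPLE_STAPLED"  | classify_staple   # good
printf '%s\n' "$SAMPLE_NONE"     | classify_staple   # no-staple
printf '%s\n' "$SAMPLE_TRYLATER" | classify_staple   # responder-error
```

After the graceful restart, call check_listener with your own host name and port 443 (or the port of your secure listener); anything other than "good" is worth following up in the error logs.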

 
litespeed_wiki/ocsp_stapling.txt · Last modified: 2013/08/07 17:05 by Michael