Configure OCSP Stapling

Objective

This document provides instructions on how to enable Online Certificate Status Protocol (OCSP) stapling for your certificates. The OCSP stapling provides improved information on the revocation status and also enhances efficiency of bandwidth management. To know more about Volterra support for OCSP stapling, see OCSP Stapling.

Using the instructions provided in this guide, you can request and obtain an OCSP must-staple certificate from a Certificate Authority (CA) and apply them in Volterra virtual host or advertise policy. To know more about the virtual host and advertise policy, see Volterra Virtual Host.


Prerequisites

The following prerequisites apply:


Configuration

Configuration Sequence

You can enable OCSP stapling in one of the following ways:

  • By configuring a certificate with OCSP must-staple extension in the TLS configuration of virtual host.
  • By configuring a certificate with OCSP must-staple extension in the TLS configuration of advertise policy and applying the policy in virtual host configuration.

Enabling OCSP stapling requires performing the following sequence of actions:

Phase Description
Generate Certificate with OCSP Mulst-Staple Extension Request and obtain an OCSP certificate from a CA.
Create Virtual Host Create virtual host and apply the certificate in the TLS configuration of advertise policy or virtual host.

Generate Certificate with OCSP Mulst-Staple Extension

Enabling OCSP stapling requires you to first obtain a certificate with OCSP must-staple extension from a CA.

Note: The self-signed certificates are not supported for OCSP stapling.

Perform the following to obtain a CA-signed certificate with OCSP must-staple extension:

Step 1: Create a TLS configuration file with the CN and DNS entries pointing to your CA domain name. This example shows the sample configuration file tls_config with ocsp-must-2.helloedge.app as the sample domain name.

$ cat tls_config
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = ocsp-must-2.helloedge.app
[v3_req]
keyUsage = keyEncipherment, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
tlsfeature = status_request
[alt_names]
DNS.1 = ocsp-must-2.helloedge.app

Step 2: Create a Certificate Signing Request (CSR) with the OCSP Must-Staple extension.

$ openssl req -new -out out.csr -newkey rsa:2048 -nodes -sha256 -keyout out.key -config tls_config

Step 3: Request and obtain a certificate from the CA. This example shows a sample request from the Let's Encrypt CA.

$ sudo certbot certonly --register-unsafely-without-email --manual --preferred-challenges dns --must-staple --csr out.csr -d ocsp-must-2.helloedge.app

Step 4: Verify that the certificate is enabled with OCSP support.

Check for the method from the command line:

$ openssl x509 -in <cert-name>.crt -noout -text

Import and view the certificate from browser:

OCSPchk
Figure: OCSP Enabled CA-Signed Certificate

Step 5: Create a virtual host and apply the certificate created in Step 4 to the TLS configuration of advertise policy or virtual host. In case you apply the certificate to the advertise policy, ensure that you apply that policy to the virtual host configuration.

Note: For instructions on creating virtual host, see the Create and Advertise a Virtual Host guide.


Concepts


API References