Online Certificate Status Protocol, or OCSP, is in short a newer way of checking whether an SSL certificate has been revoked. The older method, the Certificate Revocation List (CRL), is still widely used today, but it isn't a particularly fast way of handling this check, because the client must download the whole list of revoked certificate serial numbers and their status. OCSP, on the other hand, streamlines the check by querying the CA's OCSP responder about a single certificate, thus eliminating the need to download potentially large amounts of data.

Today I enabled OCSP stapling on my AWS EC2 instance hosting Ghost, as packaged by Bitnami. Here's how:

By default, my server was built using the Apache web server, so this guide pertains to that specific configuration. If you'd like to know how to do this on an Nginx or Windows web server, please see this.

  1. To begin, verify that your version of Apache is at least 2.3.3 (the first release whose mod_ssl supports stapling) using either of the following commands:

         apachectl -V
         httpd -v

     On my instance:

         apachectl -V
         Server version: Apache/2.4.41 (Unix)

  2. Verify your server has a connection to the OCSP server. At least in my case, running the following command resulted in a failure to write to ping.html; however, if you look closely at the output, it did successfully reach the server.

         wget ocsp.digicert.com/ping.html

         http://ocsp.digicert.com/ping.html
         Resolving ocsp.digicert.com (ocsp.digicert.com)... 72.21.91.29
         Connecting to ocsp.digicert.com (ocsp.digicert.com)|72.21.91.29|:80... connected.
         HTTP request sent, awaiting response... 200 OK
         Length: 5 [application/ocsp-response]
         ping.html: Permission denied

         Cannot write to ‘ping.html’ (Success).

     (The "Permission denied" is local: wget couldn't write the file into the current directory. The 200 OK is what matters, as it shows the responder answered.)

  3. Now the scary part! Configure your server to use OCSP stapling by editing your site's VirtualHost SSL file. Bitnami uses a self-named configuration file which you may already be used to:

         vi /opt/bitnami/apache2/conf/bitnami/bitnami.conf

     Add the following line inside your :443 VirtualHost block:

         SSLUseStapling on

     Then add the following line outside of your VirtualHost block (SSLStaplingCache is only valid in the global server configuration, so Apache refuses to start if it is placed inside a VirtualHost):

         SSLStaplingCache shmcb:/tmp/stapling_cache(128000)

     Here is a snippet from my configuration:

     (screenshot: ocsp-config)

  4. Next, restart your Apache service:

         sudo /opt/bitnami/ctlscript.sh restart apache

  5. Finally, verify that OCSP stapling is indeed now enabled. Go to https://www.digicert.com/help and type in the domain name of your website!

     If everything was correct to begin with and the changes you made here are good, you should see something like this:

     (screenshot: digicert-verification)
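As an added example (this is not code from the original post, nor from Bitnami or DigiCert), here is a small POSIX shell script that automates the checks behind steps 1, 3 and 5: it compares the Apache version against 2.3.3 numerically, confirms that SSLUseStapling sits inside a VirtualHost block while SSLStaplingCache sits outside one, and asks the live server for a stapled OCSP response with `openssl s_client -status`, which verifies stapling from the command line without the DigiCert web tool. It assumes awk, sed and openssl(1) are installed; the APACHECTL variable, the function names and www.example.com are my own choices, and the sample inputs used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or from Bitnami/DigiCert.
# Three checks matching the steps above. Assumes POSIX sh, awk, sed and
# openssl(1) are installed; hostnames and config paths are arguments.

# Step 1: extract "2.4.41" from `apachectl -V` (APACHECTL overrides the binary name).
apache_version_string() {
  "${APACHECTL:-apachectl}" -V 2>/dev/null \
    | sed -n 's/^Server version: Apache\/\([0-9.]*\).*/\1/p'
}

# Returns 0 when the given version is at least 2.3.3, the first mod_ssl with
# stapling support. The comparison is numeric, so "2.10.0" sorts after "2.4.41".
apache_version_ok() {
  echo "$1" | awk -F. '{ exit !(($1 * 10000 + $2 * 100 + $3) >= 20303) }'
}

# Step 3: SSLUseStapling must sit inside a <VirtualHost> block and
# SSLStaplingCache outside of one (it is only valid in the global context).
# Directives are matched case-insensitively, the way Apache reads them.
stapling_config_ok() {
  awk '
    { line = tolower($0); sub(/^[ \t]+/, "", line) }
    line ~ /^<virtualhost/                          { depth++ }
    line ~ /^<\/virtualhost/                        { depth-- }
    line ~ /^sslusestapling[ \t]+on/ && depth > 0   { inside = 1 }
    line ~ /^sslstaplingcache[ \t]/  && depth == 0  { cache = 1 }
    END { exit !(inside && cache) }
  ' "$1"
}

# Step 5: classify `openssl s_client -status` output read from stdin.
# Prints stapled / missing / unknown and returns 0 only for "stapled".
classify_stapling() {
  out=$(cat)
  case "$out" in
    *"OCSP Response Status: successful"*) echo stapled; return 0 ;;
    *"OCSP response: no response sent"*)  echo missing; return 1 ;;
    *)                                    echo unknown; return 2 ;;
  esac
}

# Live check against HOST:443 with SNI; </dev/null ends the session after the handshake.
check_stapling() {
  openssl s_client -connect "$1:443" -servername "$1" -status </dev/null 2>/dev/null \
    | classify_stapling
}

# Usage (uncomment to run against your own server):
# apache_version_ok "$(apache_version_string)" && echo "Apache version OK"
# stapling_config_ok /opt/bitnami/apache2/conf/bitnami/bitnami.conf && echo "config OK"
# check_stapling www.example.com
```

A `missing` result with a passing config check points back to step 2 (responder reachability): Apache fetches the response from the CA's responder itself, so check its error log for the reason the fetch failed before changing anything else.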

Sources: https://www.digicert.com/kb/ssl-support/apache-enable-ocsp-stapling-on-server.htm