Online Certificate Status Protocol, or OCSP, is in short a way of checking whether a TLS certificate has been revoked. The older mechanism, the Certificate Revocation List (CRL), is still widely used today, but it isn't a particularly fast way of handling this: the client has to download the CA's entire list of revoked serial numbers, which can be large, just to look up a single certificate. OCSP instead has the client ask the CA's OCSP responder about one certificate and get back a short, signed answer, eliminating the need to download potentially large amounts of data. OCSP stapling, which is what this post actually enables, goes one step further: the web server fetches that signed response itself and "staples" it to the certificate during the TLS handshake, so the browser gets a fresh revocation status without contacting the CA at all. That saves a round trip on every connection, stops the CA from learning which sites your visitors are browsing, and means the server rather than the client has to cope with a slow or unreachable responder.
Today, I enabled OCSP stapling on my AWS EC2 instance hosting Ghost, as packaged by Bitnami. Here's how:
By default, my server was built with the Apache web server, so this guide pertains to that specific configuration. If you'd like to know how to do this on Nginx or a Windows web server, please see this.
- To begin, verify that your version of Apache is at least 2.3.3 (the release in which mod_ssl gained stapling support) using the following command:

```
$ apachectl -V
Server version: Apache/2.4.41 (Unix)
```
- Verify your server has a connection to the OCSP responder. This matters for stapling specifically, because it is the web server, not the browser, that has to fetch the response. In my case, running wget against ocsp.digicert.com failed to write ping.html (the current directory wasn't writable), but if you look closely at the output, it did successfully reach the responder and got a 200 OK with an OCSP response body:

```
Resolving ocsp.digicert.com (ocsp.digicert.com)... 22.214.171.124
Connecting to ocsp.digicert.com (ocsp.digicert.com)|126.96.36.199|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5 [application/ocsp-response]
ping.html: Permission denied
Cannot write to 'ping.html' (Success).
```
Now the scary part! Configure your server to use OCSP stapling by editing your site's SSL VirtualHost file.
Bitnami keeps its VirtualHost definitions in a configuration file of its own rather than in the stock Apache layout you may already be used to.
Add the directive that turns stapling on, SSLUseStapling, inside your :443 VirtualHost block.
Then, add the stapling cache directive, SSLStaplingCache, outside the VirtualHost block. mod_ssl only accepts it in the server-wide context, and it refuses to start stapling if no cache is configured.
Here is a snippet from my configuration
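As an added example (this is not the author's own snippet, and not Bitnami's shipped configuration), here is what the two directives look like in context. The file paths, the ServerName and the cache size are assumptions for a Bitnami Apache stack; adjust them to your own layout.

```apache
# Added example of an Apache OCSP stapling configuration; paths and names
# below are assumptions, not taken from the original post.

# Server context (outside every <VirtualHost>): the shared-memory cache that
# holds fetched OCSP responses. mod_ssl will not start stapling without one.
# Requires mod_socache_shmcb to be loaded.
SSLStaplingCache "shmcb:/opt/bitnami/apache2/logs/ssl_stapling(32768)"

<VirtualHost _default_:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile    "/opt/bitnami/apache2/conf/server.crt"
    SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"
    # Apache needs the issuing CA's certificate to build the OCSP request, so
    # serve the full chain: append the intermediates to server.crt (Apache
    # 2.4.8 and later), or use SSLCertificateChainFile on older releases.

    # Inside the :443 VirtualHost: fetch the OCSP response and staple it.
    SSLUseStapling on

    # If the responder is unreachable, send no staple rather than stapling a
    # "tryLater" error that some clients treat as a failure (default is on).
    SSLStaplingReturnResponderErrors off

    # Seconds to wait for the responder, and how long a good response is
    # cached before it is refreshed.
    SSLStaplingResponderTimeout 5
    SSLStaplingStandardCacheTimeout 3600
</VirtualHost>
```

Run `apachectl configtest` before restarting: a missing SSLStaplingCache or an SSLUseStapling placed outside an SSL-enabled context fails at startup, and on a Bitnami box that takes the whole site down rather than just the new setting.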
Next, restart your Apache service:

```
sudo /opt/bitnami/ctlscript.sh restart apache
```
Finally, you want to verify that OCSP stapling is indeed now enabled.
Go to https://www.digicert.com/help and type in the domain name of your website!
If everything was correct to begin with and the changes you made here are good, you should see something like this:
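The DigiCert page checks from the outside; you can do the same check from any shell with openssl, which also lets you see the difference between a stapled response and the query a non-stapling client would otherwise have to make itself (the situation described at the top of this post). The script below is an added example, not code from the original post or from Bitnami: the host names and certificate file paths passed to its functions are assumptions, and the two sample transcripts at the bottom are constructed so the classifier can be exercised offline.

```sh
#!/bin/sh
# Added example (not from the original post): check OCSP stapling with openssl.
# Hosts and file paths handed to these functions are assumptions.

# 1. Classify the output of `openssl s_client -status`, read from stdin.
#    -status asks the server to staple its OCSP response into the handshake;
#    openssl then prints whatever arrived. Prints one word and returns 0 only
#    when a successful stapled response was seen.
classify_staple() {
    out=$(cat)
    case "$out" in
        *"OCSP Response Status: successful"*) printf 'stapled\n';     return 0 ;;
        *"OCSP response: no response sent"*)  printf 'not-stapled\n'; return 1 ;;
        *)                                    printf 'unknown\n';     return 2 ;;
    esac
}

# 2. Probe a live host (needs network). -servername sends SNI so the right
#    VirtualHost answers; without it a name-based server may present another
#    site's certificate and you test the wrong thing.
probe_staple() {
    host=$1; port=${2:-443}
    printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null \
        | classify_staple
}

# 3. The query a client would make on its own if nothing were stapled: ask the
#    CA's responder about one certificate. The responder URL comes from the
#    certificate's Authority Information Access extension. Needs the leaf and
#    its issuer as PEM files; the responder's signature is verified against
#    the system trust store (add -CAfile for a private CA).
query_responder() {
    cert=$1; issuer=$2
    url=$(openssl x509 -in "$cert" -noout -ocsp_uri)
    openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" -resp_text
}

# Constructed, abbreviated s_client transcripts for exercising classify_staple
# offline; they are not captures from the author's server.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================
'
SAMPLE_UNSTAPLED='CONNECTED(00000003)
OCSP response: no response sent
'

# Usage against a real host (assumed name), once the server is restarted:
#   probe_staple ghost.example.com
```

A "stapled" result from `probe_staple` is the same evidence the DigiCert tool gives you. Check the "Cert Status" line too: a staple that says "revoked" or an "unknown" result means the server is dutifully stapling a response you do not want it to send, usually because the wrong chain is configured.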