Brad_Parker, Feb 04, 2015
OCSP Stapling
Has anyone successfully got OCSP stapling working in 11.6? If so, can you share your configuration?
I've just done this after setting up new certs from Let's Encrypt.
For anyone else hitting issues with OCSP Stapling, I ran into a few gotchas, including:
a) 11.6.0 HF6 has a default Status Age value of 300. Had to up it to 86400 as per a previous poster's recommendation.
b) The default Sign Hash used to identify the certificate to check is SHA256... Let's Encrypt's OCSP responder won't accept SHA256, it needs to be SHA1.
c) Let's Encrypt's OCSP responder will not include its own cert in the response. The "Trusted Responders" option needs to be set properly in the OCSP Stapling profile.
A bit more info at the link below, including examples of debugging using openssl CLI commands.
https://blog.routedlogic.net/?p=1235
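Added example, not from the thread or the linked post: a client-side check of OCSP stapling with the openssl CLI, covering gotchas b) and c) above. It assumes `cert.pem` and `issuer.pem` are the leaf and the issuing intermediate you exported; the parser runs offline on constructed sample output, the two probe functions need network.

```shell
#!/bin/sh
# Added example (not the poster's code): verify OCSP stapling from the
# client side. Parsing is a separate function so it can be exercised offline.

# check_stapled: reads `openssl s_client -status` output on stdin and prints
# a verdict. Returns 0 only for a stapled response that says "good".
check_stapled() {
  out=$(cat)
  case "$out" in
    *"OCSP response: no response sent"*) echo NOT_STAPLED; return 1 ;;
  esac
  case "$out" in
    *"OCSP Response Status: successful"*) ;;
    *) echo BAD_RESPONSE; return 2 ;;
  esac
  case "$out" in
    *"Cert Status: good"*)    echo STAPLED_GOOD;    return 0 ;;
    *"Cert Status: revoked"*) echo STAPLED_REVOKED; return 3 ;;
    *)                        echo STAPLED_UNKNOWN; return 4 ;;
  esac
}

# probe_stapling HOST [PORT]: does the server staple? SNI is set so the
# certificate (and the stapling profile behind it) you mean is exercised.
probe_stapling() {
  printf 'Q\n' | openssl s_client -connect "$1:${2:-443}" -servername "$1" \
    -status 2>/dev/null | check_stapled
}

# query_responder CERT ISSUER: ask the CA's responder directly, as the
# stapling engine would. -sha1 forces a SHA-1 CertID in the request
# (gotcha b; try -sha256 to see whether the responder accepts it).
# -verify_other/-trust_other supply the responder's signing cert yourself,
# since the response does not carry it (gotcha c); ISSUER is assumed trusted.
query_responder() {
  uri=$(openssl x509 -noout -ocsp_uri -in "$1")
  openssl ocsp -issuer "$2" -cert "$1" -url "$uri" -sha1 -no_nonce \
    -verify_other "$2" -trust_other -resp_text
}

# Constructed, trimmed samples of s_client -status output for offline use.
SAMPLE_STAPLED='OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Feb  4 00:00:00 2015 GMT
    Next Update: Feb 11 00:00:00 2015 GMT'
SAMPLE_NONE='OCSP response: no response sent'
```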