SSL – How to Enable OCSP Stapling in Apache 2.4

apache-2.4ocspopensslssl

Windows Server 2022
Apache x64 2.4.57
OpenSSL 3.0.8

My Apache SSL conf has this:

SSLUseStapling On
SSLStaplingCache "shmcb:${SRVROOT}/logs/ssl_stapling(65536)"
SSLStaplingStandardCacheTimeout 3600
SSLStaplingErrorCacheTimeout 600

But https://entrust.ssllabs.com/ reports this:

Is there some setting I am missing?

Best Answer

In the images the properties of the certificate are shown. OCSP Must Staple is a property of the certificate, i.e. that the certificate should only be used together with OCSP stapling - see here for more information on this and how to create such certificates.

The configuration of the server you show instead shows how to make OCSP stapling work with the Apache web server. It does not affect the OCSP Must Staple property of the certificate and thus does not affect the display of the certificate properties either. But if you use a certificate with this property and don't have OCSP stapling enabled in the web server, then the TLS handshake will fail if the client enforces this certificate property.

Related Solutions

SSL – Fix ‘Unable to Locally Verify the Issuer’s Authority’ for GeoTrust SSL CA

The server is not configured properly — it does not send the required intermediate certificate. Note that there is only one certificate in the certificate chain:

---
Certificate chain
 0 s:/serialNumber=8z3ZNMMt8GMi9Qumrn0xficRkxAYJZQq/C=AU/ST=New South Wales/L=North Sydney/O=SERCO GROUP PTY LIMITED/CN=*.131500.com.au
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
---

There should be a second certificate after this with the subject s:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA.

In Apache intermediate certificates are configured using the SSLCertificateChainFile option.

As for why this site seems to work for you in Chrome, there are several possible explanations:

Different browsers may use separate certificate stores, and your Chrome may have the GeoTrust SSL CA certificate trusted directly (however, this is unlikely to be the case if the CA intended to use that certificate as intermediate).
Browsers often cache intermediate certificates in their certificate stores, therefore if you previously had visited another site which had the GeoTrust SSL CA intermediate certificate properly configured, you may then be able to access a site which uses the same intermediate certificate, but does not properly send it to clients, without security warnings, because the browser can get the required intermediate certificate from its cache and is able to verify the certificate chain.
The end entity certificate in question contains an HTTP URL which could be used to fetch the intermediate certificate:
```
    Authority Information Access: 
        OCSP - URI:http://gtssl-ocsp.geotrust.com
        CA Issuers - URI:http://gtssl-aia.geotrust.com/gtssl.crt
```
(the CA Issuers link here points to the issuer certificate in the DER format). Some systems may be able to use such links to fetch the intermediate certificate even if it is not returned by the server. According to the Mozilla Bug 399324, Firefox (and other software based on Mozilla) is not currently able to follow such AIA links; however, Internet Explorer is able to use them.

Ssl – Openssl error 19: “Self signed certificate in certificate chain” when keyed by GoDaddy

If whynopadlock.com and ssltest.net complain about the certificate while ssllabs.com say that things are fine, check your virtual hosts configuration. SSLLabs.com supports SNI while whynopadlock.com, ssltest.net and older versions of IE do not.

When SNI is not supported by the client, no server name will be available to the webserver which will then fallback to the first matching virtualhost. Perhaps you have another virtualhost for testing purposes that takes precedence over your main website.

The solution is to change this order or use a dedicated IP address for this host.

Best Answer

Related Solutions

SSL – Fix ‘Unable to Locally Verify the Issuer’s Authority’ for GeoTrust SSL CA

Ssl – Openssl error 19: “Self signed certificate in certificate chain” when keyed by GoDaddy

Related Topic