Setting up OCSP Stapling with OpenLiteSpeed

How Can We Help?
< Back
You are here:
Print

Setting up OCSP Stapling with OpenLiteSpeed

This article explains how to set up OCSP stapling. OCSP stapling speeds up the SSL verification process by attaching a pre-approved certificate to the SSL handshake response. This streamlines the process and removes burdens from the client and SSL certification authorities. For more information on OCSP stapling, see our blog.

This article assumes that you already have the necessary certificate files and an OCSP responder. OCSP stapling is only available for OpenLiteSpeed 1.2 and above.

Set up a Secure Listener

Add a listener (WebAdmin console > Configuration > Listeners > Add). Make sure you click “Yes” under the Secure setting. (The other settings should be customized to listen to the correct IP and port for the virtual hosts this listener will be mapping to.)

Set up Certificate Files

Open up the listener again (View/Edit). Under the SSL tab, enter the paths and locations for your certificates and key files.

Set the OCSP Values

When setting up OCSP stapling with OpenLiteSpeed, you must set Enable OCSP Stapling to “Yes”. It is also better to put the address of your OCSP responder in the OCSP Responder field (though the server may be able to find it in your CA certificate). Check with your certificate authority (CA) for your OCSP responder’s address.

Graceful restart to apply changes
Did It Work?

Check in $SERVER_ROOT/temp/ocspcache/. If a file has been created there, then your OCSP stapling is working. If not, check your error logs for what went wrong.