Fortinet black logo

Administration Guide

Configuring OCSP stapling

Configuring OCSP stapling

OCSP stapling is an improved approach to OCSP for verifying the revocation status of certificates. Rather than having the client contact the OCSP server to validate the certificate status each time it makes a request, FortiWeb can be configured to periodically query the OCSP server and cache a time-stamped OCSP response for a set period. The cached response is then included, or "stapled," with the TLS/SSL handshake so that the client can validate the certificate status when it makes a request.

This method of verifying the revocation status of certificates shifts the resource cost in providing OCSP responses from the client to the presenter of a certificate. In addition, because fewer overall queries to the OCSP responder will be made when OCSP stapling is configured, the total resource cost in verifying the revocation status of certificates is also reduced.

tooltip icon OCSP stapling is available in Reverse Proxy, True Transparent Proxy, and WCCP mode.
To configure OCSP stapling
  1. Go to Server Objects > Certificates > OCSP Stapling and select an existing policy or create a new one.
  2. Configure these settings:

    Name

    Enter a name for the policy. The maximum length is 63 characters.

    CA Certificate

    Select the CA certificate of the server certificate to be queried. For details, see Uploading trusted CA certificates.

    Local Certificate

    Select the local certificate of the server certificate to be queried. For details, see local certificate related information on How to offload or inspect HTTPS.

    OCSP URL

    Specify the URL of the OCSP responder server.

    Comments

    Optionally, enter a description of the server OCSP stapling. The maximum length is 199 characters.

  3. Click OK.

Configuring OCSP stapling

Configuring OCSP stapling

OCSP stapling is an improved approach to OCSP for verifying the revocation status of certificates. Rather than having the client contact the OCSP server to validate the certificate status each time it makes a request, FortiWeb can be configured to periodically query the OCSP server and cache a time-stamped OCSP response for a set period. The cached response is then included, or "stapled," with the TLS/SSL handshake so that the client can validate the certificate status when it makes a request.

This method of verifying the revocation status of certificates shifts the resource cost in providing OCSP responses from the client to the presenter of a certificate. In addition, because fewer overall queries to the OCSP responder will be made when OCSP stapling is configured, the total resource cost in verifying the revocation status of certificates is also reduced.

tooltip icon OCSP stapling is available in Reverse Proxy, True Transparent Proxy, and WCCP mode.
To configure OCSP stapling
  1. Go to Server Objects > Certificates > OCSP Stapling and select an existing policy or create a new one.
  2. Configure these settings:

    Name

    Enter a name for the policy. The maximum length is 63 characters.

    CA Certificate

    Select the CA certificate of the server certificate to be queried. For details, see Uploading trusted CA certificates.

    Local Certificate

    Select the local certificate of the server certificate to be queried. For details, see local certificate related information on How to offload or inspect HTTPS.

    OCSP URL

    Specify the URL of the OCSP responder server.

    Comments

    Optionally, enter a description of the server OCSP stapling. The maximum length is 199 characters.

  3. Click OK.