OCSP stapling is an improved approach to OCSP for verifying the revocation status of certificates. Rather than having the client contact the OCSP server to validate the certificate status each time it makes a request, FortiWeb can be configured to periodically query the OCSP server and cache a time-stamped OCSP response for a set period. The cached response is then included, or "stapled," with the TLS/SSL handshake so that the client can validate the certificate status when it makes a request.
This method of verifying the revocation status of certificates shifts the resource cost in providing OCSP responses from the client to the presenter of a certificate. In addition, because fewer overall queries to the OCSP responder will be made when OCSP stapling is configured, the total resource cost in verifying the revocation status of certificates is also reduced.
OCSP stapling is available in Reverse Proxy, True Transparent Proxy, and WCCP mode.
To configure OCSP stapling
- Go to Server Objects > Certificates > OCSP Stapling and select an existing policy or create a new one.
- Configure these settings:
  - Enter a name for the policy. The maximum length is 63 characters.
  - Select the local certificate of the server certificate to be queried. For details, see the local certificate information in How to offload or inspect HTTPS.
  - Specify the URL of the OCSP responder server.
  - Optionally, enter a description of the OCSP stapling policy. The maximum length is 199 characters.
- Click OK.
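After the policy is applied, the useful check is from the client side: does the server actually staple a response, is the certificate status good, and is the cached response still inside its validity window (a stapled response that FortiWeb cached for a set period can go stale if the responder is unreachable). The script below is an added example, not FortiWeb code or part of this document. It invokes OpenSSL's real `openssl s_client -status` option and parses the text that command prints; the two sample outputs are constructed (placeholder issuer, serial and hashes), and the host name passed on the command line is whatever server you are verifying.

```python
"""Verify that a TLS endpoint staples a fresh, good OCSP response.

Added example (not FortiWeb code). It runs `openssl s_client -status`
and summarizes the OCSP section of its output.
"""
import re
import subprocess
from datetime import datetime, timezone

# Timestamp format OpenSSL uses when printing an OCSP response.
_DATE_FMT = "%b %d %H:%M:%S %Y GMT"

# Constructed sample: what `openssl s_client -status` prints when the server
# staples a valid response (issuer, hashes and serial are placeholders).
SAMPLE_STAPLED = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: CN = example-issuer
    Produced At: Jan  1 12:00:00 2024 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 0000000000000000000000000000000000000000
      Issuer Key Hash: 0000000000000000000000000000000000000000
      Serial Number: 01
    Cert Status: good
    This Update: Jan  1 12:00:00 2024 GMT
    Next Update: Jan  8 12:00:00 2024 GMT
======================================
"""

# Constructed sample: the line OpenSSL prints when nothing was stapled.
SAMPLE_NOT_STAPLED = "OCSP response: no response sent\n"


def _parse_gmt(text):
    # Collapse OpenSSL's padded day column ("Jan  1") before parsing.
    naive = datetime.strptime(" ".join(text.split()), _DATE_FMT)
    return naive.replace(tzinfo=timezone.utc)


def _field(output, label):
    # Return the value printed after "<label>:" on its own line, if present.
    pattern = r"^\s*" + re.escape(label) + r":\s*(.+?)\s*$"
    match = re.search(pattern, output, re.MULTILINE)
    return match.group(1) if match else None


def parse_stapling(output, now=None):
    """Summarize the OCSP section of `openssl s_client -status` output.

    `now` may be a timezone-aware datetime or an ISO-8601 string with an
    offset; it defaults to the current UTC time. The result lists every
    problem found so a monitoring job can alert on a non-empty list.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    result = {"stapled": False, "response_status": None, "cert_status": None,
              "this_update": None, "next_update": None, "fresh": False,
              "problems": []}
    if "OCSP Response Data" not in output:
        result["problems"].append("server sent no stapled OCSP response")
        return result
    result["stapled"] = True
    status = _field(output, "OCSP Response Status")
    result["response_status"] = status.split()[0] if status else None
    if result["response_status"] != "successful":
        result["problems"].append(f"responder status is {status!r}, not successful")
    result["cert_status"] = _field(output, "Cert Status")
    if result["cert_status"] != "good":
        result["problems"].append(f"certificate status is {result['cert_status']!r}")
    this_update = _field(output, "This Update")
    next_update = _field(output, "Next Update")
    if this_update and next_update:
        result["this_update"] = _parse_gmt(this_update)
        result["next_update"] = _parse_gmt(next_update)
        # The cached response is only usable inside [This Update, Next Update).
        result["fresh"] = result["this_update"] <= now < result["next_update"]
        if not result["fresh"]:
            result["problems"].append("stapled response is outside its validity window")
    else:
        result["problems"].append("response has no validity window")
    return result


def fetch_stapling(host, port=443, timeout=15):
    """Connect with OpenSSL's s_client and report on the stapled response."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-status"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return parse_stapling(proc.stdout.decode("utf-8", "replace"))


if __name__ == "__main__":
    import sys
    # With a host argument the live server is checked; without one the
    # constructed sample is parsed so the script runs offline.
    report = fetch_stapling(sys.argv[1]) if len(sys.argv) > 1 else parse_stapling(SAMPLE_STAPLED)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it as `python check_stapling.py www.example.com` against the virtual server fronted by FortiWeb. An empty `problems` list means the handshake carried a stapled response whose status is good and whose validity window covers the current time; "no stapled OCSP response" after the policy is applied usually means the policy is not bound to the certificate actually served, and "outside its validity window" means the cached response was not refreshed before its Next Update, which is worth alerting on since clients then fall back to contacting the responder themselves.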