OCSP stapling is an improved approach to OCSP for verifying the revocation status of certificates. Rather than having the client contact the OCSP server to validate the certificate status each time it makes a request, FortiADC can be configured to periodically query the OCSP server and cache a time-stamped OCSP response for a set period. The cached response is then included, or "stapled," with the TLS/SSL handshake so that the client can validate the certificate status when it makes a request.
This method of verifying the revocation status of certificates shifts the resource cost in providing OCSP responses from the client to the presenter of a certificate. In addition, because fewer overall queries to the OCSP responder will be made when OCSP stapling is configured, the total resource cost in verifying the revocation status of certificates is also reduced. FortiADC allows you to upload an OCSP response file, configure an OCSP to let FortiADC download the OCSP response from the OCSP server, or both.
Before you begin, you must:
- Have Read-Write permission for System settings.
- Add a local certificate. See Importing local certificates.
- Add a CA certificate. See Importing intermediate CAs.
- Add an OCSP configuration or have an OCSP response file. See Adding OCSPs.
To configure OCSP stapling:
- Go to System > OCSP.
- Click the OCSP Stapling tab.
- Click + Import to display the configuration editor.
- Complete the configuration as described in OCSP stapling configuration.
- Click Save.
|Name||Enter the mkey.|
|Local Certificate||Select the local certificate to add to the OCSP stapling configuration.|
|Issuer Certificate||Select the CA certificate to add to the OCSP stapling configuration.|
|OCSP||Select the OCSP configuration to add to the OCSP stapling configuration. If an OCSP configuration is not selected, import an OCSP Response from a file (see below). You can both select an OCSP configuration and upload an OCSP response file; in this case, FortiADC will first use the OCSP response file and then automatically update using the OCSP configuration.|
|Response Update Ahead Time||
Available only when you select an OCSP configuration. This option is meaningful only when the next update field in the OCSP response is present in a selected OCSP stapling response.
Enter the time before the next scheduled update at which FortiADC will start the download for the next update. The default value is 1 hour.
|Response Update Interval||
Available only when you select an OCSP configuration. Enter the next update interval if the downloaded OCSP response is the same or FortiADC fails to download the new OCSP response. The default value is 5 minutes.
If the next update field in the OCSP response is not present, FortiADC will attempt to download the next update periodically according to this parameter.
|OCSP Response||Enable to import an OCSP response from a file. PEM and DER formats are supported.|
To configure OCSP stapling using the CLI:
config system certificate OCSP_stapling
Note: When configuring OCSP stapling in the CLI, only PEM format file types are supported.