OCSP stapling is an improved approach to OCSP, for verifying the revocation status of certificates. Rather than having the client contact the OCSP server to validate the certificate status each time it makes a request, FortiADC can be configured to periodically query the OCSP server and cache a time-stamped OCSP response for a set period. The cached response is then included, or "stapled," with the TLS/SSL handshake so that the client can validate the certificate status when it makes a request.
This method of verifying the revocation status of certificates shifts the resource cost in providing OCSP responses from the client to the presenter of a certificate. In addition, because fewer overall queries to the OCSP responder will be made when OCSP stapling is configured, the total resource cost in verifying the revocation status of certificates is also reduced. FortiADC allows you to upload an OCSP response file, or configure an OCSP to let FortiADC download the OCSP response from the OCSP server, or both.
This document will show you how to setup the OCSP stapling configures.
Before you begin, you must:
- Have Read-Write permission for System settings.
- Have the server certificate added to Local Certificate
- Have the CA that issues the server certificate added to Intermediate CA
- Have the OCSP signing certificate or CA Chain to verify the signature of the OCSP Responder