Administration Guide

Configuring OCSP stapling

OCSP stapling is an improved approach to OCSP for verifying the revocation status of certificates. Rather than having the client contact the OCSP server to validate the certificate status each time it makes a request, FortiWeb can be configured to periodically query the OCSP server and cache a time-stamped OCSP response for a set period. The cached response is then included, or "stapled," with the TLS/SSL handshake so that the client can validate the certificate status when it makes a request.

This method of verifying the revocation status of certificates shifts the resource cost in providing OCSP responses from the client to the presenter of a certificate. In addition, because fewer overall queries to the OCSP responder will be made when OCSP stapling is configured, the total resource cost in verifying the revocation status of certificates is also reduced.

OCSP stapling is available in Reverse Proxy, True Transparent Proxy, and WCCP mode.

To configure OCSP stapling

  1. Go to System > Certificates > Remote and select an existing policy or create a new one.
  2. Configure these settings:

     Name
       Enter a name for the policy. The maximum length is 63 characters.

     CA Certificate
       Select the CA certificate that issued the server certificate whose status is to be queried. For details, see Uploading trusted CA certificates.

     OCSP URL
       Specify the URL of the OCSP responder server.

     Comments
       Optionally, enter a description of the OCSP stapling policy. The maximum length is 199 characters.

  3. Save the configuration.
  4. Depending on FortiWeb's operation mode, go to the page where the certificate is selected:

     Reverse Proxy
       Go to Policy > Server Policy and select an existing policy or create a new one.

     True Transparent Proxy
       Go to Server Objects > Server > Server Pool and select an existing server pool or create a new one.

     WCCP
       Go to Server Objects > Server > Server Pool and select an existing server pool or create a new one.

  5. Select the certificate whose revocation status you want to query in the Certificate (Reverse Proxy mode) or Certificate File (True Transparent Proxy and WCCP mode) field.
  6. Select Enable OCSP Stapling.
  7. For OCSP Stapling Config, select the OCSP stapling policy that you want to apply to the certificate. For details, see Configuring an HTTP server policy (Reverse Proxy mode) or Creating a server pool (True Transparent Proxy and WCCP mode).
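As an added example that is not part of the FortiWeb guide, the following shell script lets an administrator confirm from a client that the endpoint really sends a usable stapled OCSP response once the steps above are complete. The host and port are placeholders, the openssl CLI is assumed to be installed, and the s_client output fragments are constructed samples.

```shell
#!/bin/sh
# Added example (not from the FortiWeb guide): check from a client that a
# TLS endpoint, such as a FortiWeb virtual server with Enable OCSP Stapling
# set, sends a successful, "good" stapled OCSP response in the handshake.
# Assumes the openssl CLI is installed; host and port are placeholders.

# Classify the "-status" section of `openssl s_client` output passed in $1.
# Prints one word and returns 0 only for a usable "good" staple:
#   none            - no stapled response (stapling off, or not cached yet)
#   stapled-good    - response status successful and certificate not revoked
#   stapled-revoked - responder says the certificate is revoked
#   stapled-other   - response present but unsuccessful or unknown status
classify_staple() {
    out="$1"
    if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo none; return 1
    fi
    if ! printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo stapled-other; return 1
    fi
    if printf '%s\n' "$out" | grep -q 'Cert Status: good'; then
        echo stapled-good; return 0
    fi
    if printf '%s\n' "$out" | grep -q 'Cert Status: revoked'; then
        echo stapled-revoked; return 1
    fi
    echo stapled-other; return 1
}

# Live check: connect with SNI, request the status_request extension, and
# classify what came back. Usage: check_stapling www.example.com 443
check_stapling() {
    host="$1"; port="${2:-443}"
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
          -status </dev/null 2>/dev/null)
    classify_staple "$out"
}

# Constructed sample fragments of `s_client -status` output, for offline use.
SAMPLE_NONE='OCSP response: no response sent'
SAMPLE_GOOD='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT'
```

A result of none immediately after enabling the feature can simply mean FortiWeb has not yet fetched and cached a response; on a good result, also check that the This Update and Next Update lines put the cached response inside its validity window.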