Configuring OCSP stapling

OCSP stapling is an improved approach to OCSP for verifying the revocation status of certificates. Rather than having the client contact the OCSP server to validate the certificate status each time it makes a request, FortiWeb can be configured to periodically query the OCSP server and cache a time-stamped OCSP response for a set period. The cached response is then included, or "stapled," with the TLS/SSL handshake so that the client can validate the certificate status when it makes a request.

This method of verifying the revocation status of certificates shifts the resource cost in providing OCSP responses from the client to the presenter of a certificate. In addition, because fewer overall queries to the OCSP responder will be made when OCSP stapling is configured, the total resource cost in verifying the revocation status of certificates is also reduced.

To configure OCSP stapling

1.  Go to System > Certificates > Remote and select an existing policy or create a new one.

2.  Configure the following settings:

Settings Descriptions
Name

Enter a name for the policy. The maximum length is 63 characters.

CA Certificate

Select the CA certificate of the server certificate to be queried. For details, see Uploading trusted CA certificates.

OCSP URL

Specify the URL of the OCSP responder server.

Comments

Optionally, enter a description of the OCSP stapling policy. The maximum length is 199 characters.

3.  Save the configuration.

4.  Depending on FortiWeb's operation mode:

If FortiWeb is in Reverse Proxy mode, go to Policy > Server Policy and select an existing policy or create a new one.

If FortiWeb is in True Transparent Proxy mode, go to Server Objects > Server > Server Pool and select an existing server pool or create a new one.

5.  Select the certificate that you want to query for in the Certificate (Reverse Proxy) or Certificate File (True Transparent Proxy) field.

6.  Select Enable OCSP Stapling.

7.  For the OCSP Stapling Config, select the corresponding OCSP stapling policy that you want to apply to the certificate. For details, see Configuring a server policy (Reverse Proxy) or Creating a server pool (True Transparent Proxy).
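After the policy is applied, the practical check is from the client side: open a TLS connection that requests the status_request extension and see what the server staples. The standard way to do that is `openssl s_client -status`, which prints either "OCSP response: no response sent" or a decoded response with a "Cert Status" line. The script below is an added example, not FortiWeb's own tooling or part of this documentation: it classifies such a transcript. The hostname in the comment is an assumption and the three transcripts are constructed from the shape of real s_client output so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the FortiWeb documentation: classify what a TLS
# server stapled in reply to the OCSP status_request extension, using the text
# that `openssl s_client -status` prints. Against a live server you would run,
# for example (hostname assumed):
#   openssl s_client -connect www.example.com:443 -servername www.example.com \
#       -status </dev/null 2>/dev/null
# and pass the captured output to staple_status. The transcripts below are constructed.

# Constructed transcript: the server stapled a response with status "good".
SAMPLE_STAPLED_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responder Id: C = US, O = Example CA, CN = Example OCSP Responder
    Produced At: Jan  1 00:00:00 2024 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================
---
Certificate chain
 0 s:CN = www.example.com'

# Constructed transcript: stapling not enabled (or nothing cached yet), so nothing was sent.
SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
 0 s:CN = www.example.com'

# Constructed transcript: a stapled response that says the certificate is revoked.
SAMPLE_STAPLED_REVOKED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
    Revocation Time: Dec 31 00:00:00 2023 GMT
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================'

# staple_status TRANSCRIPT
# Prints one word describing what the server stapled:
#   not-stapled      no OCSP response was sent with the handshake
#   responder-error  a response was stapled but its OCSP Response Status is not "successful"
#   stapled-good / stapled-revoked / stapled-unknown   taken from the Cert Status line
#   unparsed         a response was stapled but no Cert Status line was found
staple_status() {
  transcript=$1
  if printf '%s\n' "$transcript" | grep -q '^OCSP response: no response sent'; then
    echo not-stapled
    return 0
  fi
  if printf '%s\n' "$transcript" | grep -q 'OCSP Response Status:' &&
     ! printf '%s\n' "$transcript" | grep -q 'OCSP Response Status: successful'; then
    echo responder-error
    return 0
  fi
  cert_status=$(printf '%s\n' "$transcript" |
    sed -n 's/^[[:space:]]*Cert Status: \([a-z]*\).*/\1/p' | head -n 1)
  case "$cert_status" in
    good|revoked|unknown) echo "stapled-$cert_status" ;;
    *) echo unparsed ;;
  esac
}

# next_update TRANSCRIPT
# Prints the Next Update timestamp of the stapled response (empty if none), so the
# proxy's refresh period can be compared with how long the response stays valid.
next_update() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Next Update: //p' | head -n 1
}

# Stand-alone run over the constructed samples.
for s in "$SAMPLE_STAPLED_GOOD" "$SAMPLE_NOT_STAPLED" "$SAMPLE_STAPLED_REVOKED"; do
  echo "$(staple_status "$s") (next update: $(next_update "$s"))"
done
```

Run the check from a client that reaches the FortiWeb-fronted virtual server, not the backend directly. A result of not-stapled after saving the policy usually means the OCSP URL is not reachable from FortiWeb or the CA Certificate selected in the remote certificate entry is not the issuer of the server certificate in the server policy or server pool. The Next Update value is worth watching as well: a cached response that is past its Next Update is treated as stale by clients, so the refresh period has to keep the cache ahead of it.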