Redis Documentation > Redis Enterprise Software > Security > Certificates > Enable OCSP stapling

Enable OCSP stapling

OCSP (Online Certificate Status Protocol) lets a client or server verify the status (GOOD, REVOKED, or UNKNOWN) of a certificate maintained by a third-party certificate authority (CA).

To check whether a certificate is still valid or has been revoked, a client or server can send a request to the CA’s OCSP server (also called an OCSP responder). The OCSP responder checks the certificate’s status in the CA’s certificate revocation list and sends the status back as a signed and timestamped response.

OCSP stapling overview

With OCSP enabled, the Redis Enterprise server regularly polls the CA’s OCSP responder for the certificate’s status. After it receives the response, the server caches this status until its next polling attempt.

When a client tries to connect to the Redis Enterprise server, they perform a TLS handshake to authenticate the server and create a secure, encrypted connection. During the TLS handshake, OCSP stapling lets the Redis Enterprise server send (or “staple”) the cached certificate status to the client.

If the stapled OCSP response confirms the certificate is still valid, the TLS handshake succeeds and the client connects to the server.

The TLS handshake fails and the client blocks the connection to the server if the stapled OCSP response indicates either:

The certificate has been revoked.
The certificate’s status is unknown. This can happen if the OCSP responder fails to send a response.

Set up OCSP stapling

You can configure and enable OCSP stapling for your Redis Enterprise cluster with the admin console, the REST API, or rladmin.

While OCSP is enabled, the server always staples the cached OCSP status when a client tries to connect. It is the client’s responsibility to use the stapled OCSP status. Some Redis clients, such as Jedis and redis-py, already support OCSP stapling, but others might require additional configuration.

Admin console method

To set up OCSP stapling with the Redis Enterprise admin console:

Use rladmin or the REST API to replace the proxy certificate with a certificate signed by your third-party CA.
Sign in to the Redis Enterprise admin console.
Go to settings > OCSP.
Select the OCSP checkbox.
Select the Test certificate button to verify the certificate is valid. This queries the OCSP responder and caches the result.

Configure the following settings if you don’t want to use their default values:

Name	Default value	Description
Query frequency	3600	The time interval in seconds between OCSP queries to the responder URI.
Response timeout	1	The time interval in seconds to wait for a response before timing out.
Recovery frequency	60	The time interval in seconds between retries after a failed query.
Recovery maximum tries	5	The number of retries before the validation query fails and invalidates the certificate.

Select Save.

REST API method

To set up OCSP stapling with the REST API:

Use the REST API to replace the proxy certificate with a certificate signed by your third-party CA.

To configure and enable OCSP, send a PUT request to the /v1/ocsp endpoint and include an OCSP JSON object in the request body:

{
    "ocsp_functionality": true,
    "query_frequency": 3600,
    "response_timeout": 1,
    "recovery_frequency": 60,
    "recovery_max_tries": 5
}

`rladmin` method

To set up OCSP stapling with the rladmin command-line utility:

Use rladmin to replace the proxy certificate with a certificate signed by your third-party CA.
Update the cluster’s OCSP settings with the rladmin cluster ocsp config command if you don’t want to use their default values.

For example:
```
rladmin cluster ocsp config recovery_frequency set 30
```

Enable OCSP:

rladmin cluster ocsp config ocsp_functionality set enabled

Edit on GitHub

Updated: August 10, 2022

Download PDF

Top