OCSP (Online Certificate Status Protocol) lets a client or server verify the status (GOOD, REVOKED, or UNKNOWN) of a certificate maintained by a third-party certificate authority (CA).

To check whether a certificate is still valid or has been revoked, a client or server can send a request to the CA’s OCSP server (also called an OCSP responder). The OCSP responder checks the certificate’s status in the CA’s certificate revocation list and sends the status back as a signed and timestamped response.

OCSP stapling overview

With OCSP enabled, the Redis Enterprise server regularly polls the CA’s OCSP responder for the certificate’s status. After it receives the response, the server caches this status until its next polling attempt.

When a client tries to connect to the Redis Enterprise server, they perform a TLS handshake to authenticate the server and create a secure, encrypted connection. During the TLS handshake, OCSP stapling lets the Redis Enterprise server send (or “staple”) the cached certificate status to the client.

If the stapled OCSP response confirms the certificate is still valid, the TLS handshake succeeds and the client connects to the server.

The TLS handshake fails and the client blocks the connection to the server if the stapled OCSP response indicates either:

  • The certificate has been revoked.

  • The certificate’s status is unknown. This can happen if the OCSP responder fails to send a response.

Set up OCSP stapling

You can configure and enable OCSP stapling for your Redis Enterprise cluster with the admin console, the REST API, or rladmin.

While OCSP is enabled, the server always staples the cached OCSP status when a client tries to connect. It is the client’s responsibility to use the stapled OCSP status. Some Redis clients, such as Jedis and redis-py, already support OCSP stapling, but others might require additional configuration.

Admin console method

To set up OCSP stapling with the Redis Enterprise admin console:

  1. Go to Cluster > Security > OCSP.

  2. In the Responder URI section, select Replace Certificate to update the proxy certificate.

  3. Provide the key and certificate signed by your third-party CA, then select Save.

  4. Configure query settings if you don’t want to use their default values:

    Name Default value Description
    Query frequency 1 hour The time interval between OCSP queries to the responder URI.
    Response timeout 1 second The time interval in seconds to wait for a response before timing out.
    Recovery frequency 1 minute The time interval between retries after a failed query.
    Recovery maximum tries 5 The number of retries before the validation query fails and invalidates the certificate.
  5. Select Enable to turn on OCSP stapling.

REST API method

To set up OCSP stapling with the REST API:

  1. Use the REST API to replace the proxy certificate with a certificate signed by your third-party CA.

  2. To configure and enable OCSP, send a PUT request to the /v1/ocsp endpoint and include an OCSP JSON object in the request body:

    {
        "ocsp_functionality": true,
        "query_frequency": 3600,
        "response_timeout": 1,
        "recovery_frequency": 60,
        "recovery_max_tries": 5
    }
    

rladmin method

To set up OCSP stapling with the rladmin command-line utility:

  1. Use rladmin to replace the proxy certificate with a certificate signed by your third-party CA.

  2. Update the cluster’s OCSP settings with the rladmin cluster ocsp config command if you don’t want to use their default values.

    For example:

    rladmin cluster ocsp config recovery_frequency set 30
    
  3. Enable OCSP:

    rladmin cluster ocsp config ocsp_functionality set enabled