Enable OCSP stapling
OCSP (Online Certificate Status Protocol) lets a client or server verify the status (GOOD, REVOKED, or UNKNOWN) of a certificate issued by a third-party certificate authority (CA).
To check whether a certificate is still valid or has been revoked, a client or server sends a request to the CA's OCSP server (also called an OCSP responder). The OCSP responder looks up the certificate's status in the CA's revocation records and sends the status back as a signed, timestamped response. Because the response is signed by the CA (or a responder the CA has delegated to), whoever presents it cannot alter it, which is what makes it safe for the server, rather than the CA, to hand the response to the client.
OCSP stapling overview
With OCSP enabled, the Redis Enterprise server regularly polls the CA's OCSP responder for the certificate's status. After it receives the response, the server caches this status until its next polling attempt, so clients never have to contact the CA themselves.
When a client tries to connect to the Redis Enterprise server, they perform a TLS handshake to authenticate the server and create a secure, encrypted connection. During the TLS handshake, OCSP stapling lets the Redis Enterprise server send (or "staple") the cached, signed OCSP response to the client.
If the stapled OCSP response confirms the certificate is still valid, the TLS handshake succeeds and the client connects to the server.
The TLS handshake fails and the client refuses the connection if the stapled OCSP response indicates either:
- The certificate has been revoked.
- The certificate's status is unknown. This can happen if the OCSP responder fails to send a response, for example when the responder is unreachable for longer than the configured recovery retries allow.
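The outcomes above can be observed from outside the cluster with openssl s_client -status, which asks for a stapled response during the handshake and prints whatever the server sends. The script below is an added example, not part of the Redis Enterprise docs or product: it assumes openssl is on PATH and that the host and port you pass are a database endpoint served by the cluster's proxy. The transcripts at the bottom are constructed samples of s_client output, included so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example (not Redis Enterprise code): check what a TLS endpoint staples.
# Assumes: openssl 1.1+ on PATH; HOST:PORT is the proxy endpoint of a database.

# One handshake with -status, which sends the status_request extension so the
# server staples its cached OCSP response. Prints the full s_client transcript.
fetch_staple() {
    host=$1
    port=$2
    sni=${3:-$1}
    openssl s_client -connect "$host:$port" -servername "$sni" -status \
        </dev/null 2>/dev/null
}

# Classify an s_client transcript read from stdin. Prints exactly one word:
#   no-connection    nothing came back (handshake or TCP failure)
#   no-staple        server sent no OCSP response at all
#   responder-error  a response was stapled but its status is not "successful"
#   good | revoked | unknown   the certificate status carried in the staple
# Always exits 0; callers compare the printed word.
classify_staple() {
    out=$(cat)
    if [ -z "$out" ]; then
        echo no-connection
        return 0
    fi
    case "$out" in
        *"OCSP response: no response sent"*)
            echo no-staple
            return 0 ;;
    esac
    resp_status=$(printf '%s\n' "$out" \
        | sed -n 's/^ *OCSP Response Status: *\([A-Za-z]*\).*/\1/p' | head -n 1)
    if [ "$resp_status" != successful ]; then
        echo responder-error
        return 0
    fi
    cert_status=$(printf '%s\n' "$out" \
        | sed -n 's/^ *Cert Status: *\([a-z]*\).*/\1/p' | head -n 1)
    case "$cert_status" in
        good|revoked|unknown) echo "$cert_status" ;;
        *) echo responder-error ;;
    esac
}

# Live check: exit 0 only when the server stapled a "good" status.
# Usage: check_ocsp_staple redis-12000.cluster.example.com 12000
check_ocsp_staple() {
    result=$(fetch_staple "$@" | classify_staple)
    echo "$1:$2 -> $result"
    [ "$result" = good ]
}

# Constructed sample transcripts (trimmed to the lines the classifier reads).
SAMPLE_GOOD='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================'
SAMPLE_REVOKED='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
    Revocation Time: Jan  3 12:00:00 2024 GMT
    This Update: Jan  3 12:30:00 2024 GMT'
SAMPLE_UNKNOWN='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: unknown'
SAMPLE_TRYLATER='OCSP Response Data:
    OCSP Response Status: tryLater (0x3)'
SAMPLE_NONE='OCSP response: no response sent'
```

Anything other than good means a client that enforces stapling will refuse the connection; no-staple means the server is not stapling at all (OCSP disabled, or the proxy certificate was never replaced with a CA-issued one). The transcript also carries This Update and Next Update lines, which a client should compare against the current time before trusting the status.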
Set up OCSP stapling
You can configure and enable OCSP stapling for your Redis Enterprise cluster with the admin console, the REST API, or rladmin.
While OCSP is enabled, the server always staples the cached OCSP status when a client tries to connect. It is the client's responsibility to use the stapled OCSP status: a client that ignores the staple still connects, so stapling on its own enforces nothing. Some Redis clients, such as Jedis and redis-py, already support OCSP stapling, but others might require additional configuration.
Admin console method
To set up OCSP stapling with the Redis Enterprise admin console:
- Use rladmin or the REST API to replace the proxy certificate with a certificate signed by your third-party CA.
- Sign in to the Redis Enterprise admin console.
- Go to settings > OCSP.
- Select the OCSP checkbox.
- Select the Test certificate button to verify the certificate is valid. This queries the OCSP responder and caches the result.
- Configure the following settings if you don't want to use their default values:

Name                    Default value   Description
Query frequency         3600            Time in seconds between OCSP queries to the responder URI.
Response timeout        1               Time in seconds to wait for a response before timing out.
Recovery frequency      60              Time in seconds between retries after a failed query.
Recovery maximum tries  5               Number of retries before the validation query fails and invalidates the certificate.

- Select Save.
REST API method
To set up OCSP stapling with the REST API:
- Use the REST API to replace the proxy certificate with a certificate signed by your third-party CA.
- To configure and enable OCSP, send a PUT request to the /v1/ocsp endpoint and include an OCSP JSON object in the request body:

```json
{
  "ocsp_functionality": true,
  "query_frequency": 3600,
  "response_timeout": 1,
  "recovery_frequency": 60,
  "recovery_max_tries": 5
}
```
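As an added example (not from the Redis Enterprise docs or product), the same PUT sent with curl, with the request body built and validated by a small helper, followed by a test query and a read-back of the cached status. It assumes the REST API listens on its default port 9443, that an admin user and password are in RS_USER and RS_PASS, that the cluster's API certificate is trusted via RS_CACERT, and that the /v1/ocsp/test and /v1/ocsp/status endpoints are available (both assumed here; check your cluster's REST API reference).

```shell
#!/bin/sh
# Added example (not Redis Enterprise code): enable OCSP over the REST API.
# Assumes: REST API on port 9443; RS_USER/RS_PASS hold admin credentials;
# RS_CACERT points at the cluster's API CA certificate (prefer this over -k).

RS_HOST=${RS_HOST:-cluster.example.com}   # assumed hostname
RS_PORT=${RS_PORT:-9443}

# True when the argument is a non-empty string of digits other than plain 0.
is_positive_int() {
    case "$1" in
        ''|*[!0-9]*|0) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the /v1/ocsp request body. Arguments, in order:
#   query_frequency response_timeout recovery_frequency recovery_max_tries
# The first three are seconds; the last is a retry count. Fails on bad input
# so a typo cannot turn into a silent misconfiguration.
ocsp_config_body() {
    [ $# -eq 4 ] || { echo "ocsp_config_body: expected 4 values" >&2; return 1; }
    for v in "$@"; do
        is_positive_int "$v" || {
            echo "ocsp_config_body: '$v' is not a positive integer" >&2
            return 1
        }
    done
    printf '{"ocsp_functionality": true, "query_frequency": %d, "response_timeout": %d, "recovery_frequency": %d, "recovery_max_tries": %d}' \
        "$1" "$2" "$3" "$4"
}

# Minimal REST wrapper: METHOD PATH [JSON_BODY]. --fail makes HTTP errors
# non-zero exit codes, so a rejected PUT stops the procedure.
rs_api() {
    method=$1
    path=$2
    body=${3:-}
    if [ -n "$body" ]; then
        set -- -d "$body"
    else
        set --
    fi
    curl -sS --fail --cacert "$RS_CACERT" -u "$RS_USER:$RS_PASS" \
        -X "$method" -H 'Content-Type: application/json' "$@" \
        "https://$RS_HOST:$RS_PORT$path"
}

# Apply the settings, force one responder query, then read the cached status.
# Usage: enable_ocsp 3600 1 30 5   (defaults match the documented values)
enable_ocsp() {
    body=$(ocsp_config_body "${1:-3600}" "${2:-1}" "${3:-60}" "${4:-5}") || return 1
    rs_api PUT /v1/ocsp "$body"
    rs_api POST /v1/ocsp/test     # assumed endpoint: query the responder now
    rs_api GET /v1/ocsp/status    # assumed endpoint: show the cached result
}
```

Replace the proxy certificate before running enable_ocsp; with the default self-signed proxy certificate there is no third-party responder to query, and the status check will report a failure rather than GOOD.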
rladmin method
To set up OCSP stapling with the rladmin command-line utility:
- Use rladmin to replace the proxy certificate with a certificate signed by your third-party CA.
- Update the cluster's OCSP settings with the rladmin cluster ocsp config command if you don't want to use their default values. For example:

```sh
rladmin cluster ocsp config recovery_frequency set 30
```

- Enable OCSP:

```sh
rladmin cluster ocsp config ocsp_functionality set enabled
```