0

Windows Server 2022
Apache x64 2.4.57
OpenSSL 3.0.8

My Apache SSL conf has this:

SSLUseStapling On
SSLStaplingCache "shmcb:${SRVROOT}/logs/ssl_stapling(65536)"
SSLStaplingStandardCacheTimeout 3600
SSLStaplingErrorCacheTimeout 600

But https://entrust.ssllabs.com/ reports this:

[image: screenshot of the SSL Labs report]

Is there some setting I am missing?

MonkeyZeus

1 Answer

3

In the images the properties of the certificate are shown. OCSP Must Staple is a property of the certificate, i.e. that the certificate should only be used together with OCSP stapling - see here for more information on this and how to create such certificates.

The configuration of the server you show instead shows how to make OCSP stapling work with the Apache web server. It does not affect the OCSP Must Staple property of the certificate and thus does not affect the display of the certificate properties either. But if you use a certificate with this property and don't have OCSP stapling enabled in the web server, then the TLS handshake will fail if the client enforces this certificate property.

Steffen Ullrich
  • Excellent answer, thank you. I was beginning to suspect that this had something to do with the certificate itself. I wish https://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslusestapling had even a small sentence stating this relationship between the Apache directive and the cert. – MonkeyZeus May 31 '23 at 12:05
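
Added example, not part of the original question or answer: a shell check that keeps the two things apart, the certificate's must-staple flag (shown by openssl as status_request under "TLS Feature") and whether the server actually staples an OCSP response. The sample texts are constructed, and the file and host names in the comments are placeholders.

```shell
#!/bin/sh
# Real input would come from (placeholder file and host names):
#   openssl x509 -in server.crt -noout -text > cert.txt
#   openssl s_client -connect example.org:443 -status </dev/null > hs.txt

# Constructed sample fragments of that output.
CERT_PLAIN='        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment'
CERT_MUST_STAPLE="$CERT_PLAIN
            TLS Feature:
                status_request"
HS_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)'
HS_NONE='OCSP response: no response sent'

# True when the certificate text lists status_request under "TLS Feature",
# i.e. the certificate itself carries the OCSP Must-Staple property.
cert_must_staple() {
  printf '%s\n' "$1" | grep -A1 'TLS Feature' | grep -q 'status_request'
}

# True when the handshake output contains a successful stapled response,
# i.e. the web server's stapling configuration is working.
server_staples() {
  printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'
}

# Combine both observations into one of four verdicts.
staple_verdict() {
  if cert_must_staple "$1"; then
    if server_staples "$2"; then
      echo "must-staple certificate, staple present"
    else
      echo "must-staple certificate, no staple: enforcing clients fail the handshake"
    fi
  elif server_staples "$2"; then
    echo "stapling works, certificate is not must-staple"
  else
    echo "no stapling, certificate is not must-staple"
  fi
}

# The combination the answer describes: stapling enabled, ordinary certificate.
staple_verdict "$CERT_PLAIN" "$HS_STAPLED"
```

Only the second combination is a problem in practice; the third is a normal, working setup that a scanner still reports as not must-staple.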