Enabling OCSP (Online Certificate Status Protocol) Stapling in Kong Gateway is crucial for enhancing the security of your server-client communications. OCSP Stapling allows the server to provide a timestamped OCSP response from the Certificate Authority to the client during the TLS handshake, proving the certificate’s validity. This process reduces the client’s need to contact the CA, improving privacy and performance.
To configure OCSP Stapling in Kong Gateway, set the following environment variables in your Kong Gateway configuration (they map to the corresponding nginx proxy directives):

KONG_NGINX_PROXY_SSL_STAPLING=on
KONG_NGINX_PROXY_SSL_STAPLING_VERIFY=on

Additionally, so that Kong can verify the OCSP response it fetches, supply the complete certificate chain of the issuer of the server certificate whose status is being checked. This is done with the following variable:

KONG_NGINX_PROXY_SSL_TRUSTED_CERTIFICATE=/path/to/issuer-ca-chain.pem

It is important to note that if Kong is unable to retrieve the OCSP response from the responder, it will not staple a response in the TLS handshake. The handshake will still succeed and the connection will be established as expected, so your service remains accessible even if the OCSP responder is temporarily unavailable. The flip side is that a missing staple is silent: nothing in the connection fails, so you should verify from the client side that a current, "good" response is actually being stapled.
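Because a missing staple does not break the handshake, the check below verifies it from the client side. It is an added example, not Kong's own tooling: it runs `openssl s_client -status` against a listener (the host, and the default Kong SSL proxy port 8443, are assumptions) and evaluates whether the stapled response is present, reports "good", and has not passed its Next Update time. The two sample outputs are constructed to mimic s_client's format, not captured from a real server.

```python
"""Client-side check that a TLS listener (e.g. Kong's proxy) staples a usable OCSP response."""
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample outputs in the shape `openssl s_client -status` prints.
SAMPLE_STAPLED = """\
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================
"""
SAMPLE_NOT_STAPLED = """\
CONNECTED(00000003)
OCSP response: no response sent
"""


def fetch_s_client_output(host, port=8443):
    """Run openssl s_client with -status (stapling request) and return its output. Assumed host/port."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-status"],
        input=b"", capture_output=True, timeout=15, check=False)
    return proc.stdout.decode(errors="replace")


def evaluate_staple(output, now_iso):
    """Return (ok, reason). ok is True only for a stapled 'good' response that is still current."""
    if "OCSP Response Data:" not in output:
        return False, "no OCSP response stapled (Kong could not fetch one from the responder?)"
    m = re.search(r"Cert Status:\s*(\w+)", output)
    status = m.group(1) if m else "unknown"
    if status != "good":
        return False, f"stapled response reports certificate status '{status}'"
    m = re.search(r"Next Update:\s*(.+?)\s+GMT", output)
    if m:
        next_update = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
        if datetime.fromisoformat(now_iso) > next_update:
            return False, f"stapled response expired at {next_update.isoformat()}"
    return True, "stapled OCSP response is 'good' and current"


if __name__ == "__main__":
    # Example run against an assumed Kong listener; replace with your own host.
    print(evaluate_staple(fetch_s_client_output("kong.example.internal"),
                          datetime.now(timezone.utc).isoformat()))
```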