Enable OCSP stapling and handle OCSP server downtime

Uses: Kong Gateway
TL;DR

How do I Enable OCSP Stapling and Handle OCSP Server Downtime?

Set KONG_NGINX_PROXY_SSL_STAPLING=on, KONG_NGINX_PROXY_SSL_STAPLING_VERIFY=on, and KONG_NGINX_PROXY_SSL_TRUSTED_CERTIFICATE to the issuer certificate chain. If the OCSP responder is unavailable, Kong Gateway skips stapling but the TLS handshake still succeeds.

Steps

Enabling OCSP (Online Certificate Status Protocol) stapling in Kong Gateway strengthens the TLS connections between clients and the proxy. With stapling, the server includes a timestamped OCSP response from the Certificate Authority in the TLS handshake, attesting that the certificate has not been revoked. The client therefore does not need to contact the CA itself, which improves both privacy and handshake performance.

To configure OCSP Stapling in Kong Gateway, you need to set specific environment variables in your Kong Gateway configuration. These variables are:

KONG_NGINX_PROXY_SSL_STAPLING=on
KONG_NGINX_PROXY_SSL_STAPLING_VERIFY=on

Additionally, to ensure the OCSP response is validated correctly, you should include the complete certificate chain of the issuer of the server certificate whose OCSP response is being validated. Set the following variable:

KONG_NGINX_PROXY_SSL_TRUSTED_CERTIFICATE=/path/to/issuer-ca-chain.pem

It’s important to note that if Kong Gateway is unable to retrieve the OCSP response from the responder, it will not staple a response in the TLS handshake. The handshake will still succeed, and the connection will be established as expected. This behavior ensures that your service remains accessible even if the OCSP server is temporarily unavailable.
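Because the fallback above is silent from the client's point of view, the only way to notice that Kong has stopped stapling is to check for it. The following script is an added example, not part of the Kong documentation or code base: it classifies the output of `openssl s_client -status` so a cron or monitoring job can alert when no staple is sent, and it assumes a placeholder host name and Kong's default proxy TLS port 8443.

```shell
#!/bin/sh
# Classify the OCSP stapling state of a TLS listener from `openssl s_client -status`
# output. Because Kong still completes the handshake when no staple is available,
# the exit code here is what lets a cron or monitoring job notice the silent fallback.

# classify_staple: reads s_client output on stdin and prints one label.
# Return codes: 0 = staple present and status good, 1 = no staple sent,
#               2 = staple present but status not good, 3 = unrecognised output.
classify_staple() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
    echo "no-staple"; return 1
  fi
  if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
    if printf '%s\n' "$out" | grep -q 'Cert Status: good'; then
      echo "stapled-good"; return 0
    fi
    echo "stapled-not-good"; return 2
  fi
  echo "unknown"; return 3
}

# probe_kong: run a real handshake against a Kong proxy TLS listener and classify it.
# The host is a placeholder argument; 8443 is Kong's default proxy TLS port.
probe_kong() {
  host="${1:?usage: probe_kong HOST [PORT]}"; port="${2:-8443}"
  openssl s_client -connect "$host:$port" -servername "$host" -status \
    </dev/null 2>/dev/null | classify_staple
}

# Constructed, abridged s_client transcripts so the classifier can be exercised offline.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good'
SAMPLE_NONE='OCSP response: no response sent
---
Certificate chain'
SAMPLE_REVOKED='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked'
```

Run `probe_kong proxy.example.internal` (placeholder host) from a scheduler and alert on any non-zero exit. If the server certificate carries the TLS Feature (Must-Staple) extension, clients that honour it will reject a handshake without a stapled response, so the "no-staple" state is then an outage rather than a degradation.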
