OCSP stapling improves HTTPS performance and privacy by sending certificate revocation status during the TLS handshake, avoiding extra client-side requests to a certificate authority’s OCSP responder. It reduces connection latency on high-RTT networks and lowers the impact of OCSP responder outages.

With stapling enabled, Apache (mod_ssl) fetches an OCSP response for the active server certificate, stores it in a shared cache, and “staples” the cached response to the handshake when a client requests status. A shared cache is required so multiple worker processes can reuse the same response instead of each process re-querying the responder.

Commands and paths target the apache2 layout used on Ubuntu and Debian (/etc/apache2, a2enmod, systemctl restart apache2). Stapling requires outbound access to the OCSP responder URL embedded in the certificate (commonly HTTP on port 80) and a complete issuer chain; a missing chain file or blocked egress usually shows up as `OCSP response: no response sent` in the client rather than as an Apache error. Certificates that include the TLS Feature must-staple extension can cause hard client failures if the server cannot staple a fresh, valid response.

Steps to enable OCSP stapling in Apache:

  1. Open a terminal with sudo privileges.
    $ whoami
    user
  2. Enable the ssl and socache_shmcb modules.
    $ sudo a2enmod ssl socache_shmcb
    Considering dependency mime for ssl:
    Module mime already enabled
    Considering dependency socache_shmcb for ssl:
    Module socache_shmcb already enabled
    Module ssl already enabled
    Module socache_shmcb already enabled

    On RHEL-style systems the service is typically httpd and module loading is handled by files under /etc/httpd/conf.modules.d.

  3. Create a global mod_ssl stapling configuration snippet.
    $ sudo tee /etc/apache2/conf-available/ocsp-stapling.conf >/dev/null <<'EOF'
    SSLStaplingCache "shmcb:/var/run/apache2/stapling_cache(128000)"
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    EOF

    SSLStaplingCache must be in global server context, not inside a `<VirtualHost>` block.

  4. Enable the stapling configuration snippet.
    $ sudo a2enconf ocsp-stapling
    Enabling conf ocsp-stapling.
    To activate the new configuration, you need to run:
      systemctl reload apache2
  5. Add SSLUseStapling to each SSL virtual host that should staple OCSP responses.
    <VirtualHost *:443>
        ServerName host.example.net
     
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/apache.key
     
        SSLUseStapling on
    </VirtualHost>

Must-staple certificates can fail hard in supporting clients if a valid stapled response is not delivered. The file named in SSLCertificateFile (or a separate SSLCertificateChainFile) must also contain the issuer certificate: mod_ssl needs it to build the OCSP request, and without it nothing is stapled.

  6. Confirm the configured certificate exposes an OCSP responder URL.
    $ openssl x509 -in /etc/apache2/ssl/apache.crt -noout -ocsp_uri
    http://ocsp.example-ca.test:8888

No output means the certificate carries no OCSP responder URL, so there is nothing for mod_ssl to query and stapling cannot work for that certificate.

  7. Test the Apache configuration for syntax errors.
    $ sudo apache2ctl -t
    Syntax OK
  8. Restart the apache2 service to apply the changes.
    $ sudo systemctl restart apache2
  9. Check the service status for a clean start.
    $ sudo systemctl status apache2 --no-pager --full --lines=8
    ● apache2.service - The Apache HTTP Server
         Loaded: loaded (/usr/lib/systemd/system/apache2.service; enabled; preset: enabled)
         Active: active (running) since Sat 2026-01-10 20:11:46 +08; 10ms ago
    ##### snipped #####
  10. Confirm that the server is stapling an OCSP response during the TLS handshake.
    $ openssl s_client -connect host.example.net:443 -servername host.example.net -status < /dev/null
    CONNECTED(00000003)
    ##### snipped #####
    OCSP response:
    ======================================
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
    ##### snipped #####

Seeing `OCSP response: no response sent` instead typically indicates a missing issuer chain, blocked outbound HTTP from the server to the responder, or a certificate without an OCSP URL. Apache logs the fetch failure in the error log at `SSLStaplingReturnResponderErrors off`, so check there before assuming a client-side problem.
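The checks in steps 5, 6 and 10 can be scripted so the same verification runs before and after a deploy. The script below is an added example and not part of the original how-to; the host name host.example.net, the certificate and issuer paths, and the responder URL are assumptions for illustration. The classifier for `openssl s_client -status` output is exercised on constructed sample output so the script runs without a server; pass a host name as the first argument to run the live check as well.

```shell
#!/bin/sh
# Added example (not from the original how-to): pre-flight and post-deploy
# checks for Apache OCSP stapling. Host name, certificate paths and the
# responder URL are assumptions; the functions depend only on openssl, grep
# and a POSIX shell.

# Classify `openssl s_client -status` output read from stdin:
#   stapled - a response was stapled and its status is "successful"
#   error   - a response was stapled but carries a non-successful status
#   none    - the server sent no OCSP response (the failure mode the how-to warns about)
#   unknown - no OCSP section at all (handshake failed, or -status was omitted)
stapling_state() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q '^OCSP response: no response sent'; then
    echo none
  elif printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
    echo stapled
  elif printf '%s\n' "$out" | grep -q 'OCSP Response Status:'; then
    echo error
  else
    echo unknown
  fi
}

# Count PEM certificates in a file. For stapling, SSLCertificateFile should hold
# the leaf plus its issuer chain (2 or more) unless SSLCertificateChainFile is set.
# Prints 0 for an unreadable or missing file.
count_pem_certs() {
  [ -r "$1" ] || { echo 0; return 0; }
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the OCSP responder URL embedded in a certificate (empty if none).
ocsp_uri() {
  openssl x509 -in "$1" -noout -ocsp_uri 2>/dev/null
}

# Query the responder directly, bypassing Apache, to separate "responder
# unreachable" from "Apache misconfigured". Needs the issuer certificate,
# which is exactly what mod_ssl also needs to build the request.
responder_check() {
  cert=$1; issuer=$2
  url=$(ocsp_uri "$cert")
  [ -n "$url" ] || { echo "no OCSP URL in $cert"; return 1; }
  openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" 2>&1
}

# Live check against a running server; succeeds only when a good response is stapled.
live_check() {
  host=$1; port=${2:-443}
  state=$(openssl s_client -connect "$host:$port" -servername "$host" -status \
            </dev/null 2>/dev/null | stapling_state)
  echo "$host:$port stapling: $state"
  [ "$state" = stapled ]
}

# Constructed sample output (trimmed) so the classifier can be shown offline.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response'

SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'

main() {
  echo "sample stapled -> $(printf '%s\n' "$SAMPLE_STAPLED" | stapling_state)"
  echo "sample none    -> $(printf '%s\n' "$SAMPLE_NONE" | stapling_state)"
  # Assumed paths from the how-to; only inspected when present on this machine.
  cert=/etc/apache2/ssl/apache.crt
  if [ -r "$cert" ]; then
    echo "certificates in $cert: $(count_pem_certs "$cert") (need >= 2 or a chain file)"
    echo "OCSP URL: $(ocsp_uri "$cert")"
  fi
  # Live check only when a host is given, e.g. `./check.sh host.example.net 443`.
  if [ $# -gt 0 ]; then
    live_check "$1" "${2:-443}"
  fi
}

main "$@"
```

The classifier deliberately treats "a response was stapled but is not successful" as its own state: with SSLStaplingReturnResponderErrors on, Apache would staple such an error response, and a must-staple certificate would still fail in clients even though "something" was stapled.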