Re: [users@httpd] mod_md usage for OCSP stapling

Mon, 30 Mar 2020 00:25:13 -0700 

Steffen described the way to do it where you get the most benefits (thanks!). 
However, you not need to declare "MDomain"s for all your certificates. You can 
also just configure

MDStapling on

and *all* the certificates in your Apache will be stapled by mod_md.

more details: see 
<https://github.com/icing/mod_md#how-to-staple-all-my-certificates>


Cheers, Stefan


> Am 28.03.2020 um 11:28 schrieb Steffen <i...@apachelounge.com.INVALID>:
> 
> Yep very nice. In mod_status you can see :
> 
> Managed Staplings
> 
> Domain        Certificate ID  OCSP Status     Stapling Valid  Responder       
> Activity
> domain.com    3ff13e35fbe9d1ce4bcafbc3fd2ccd6ff5079eca              good      
> until 2020-04-03        ocsp.int-x3.letsencrypt.org     Refresh in ~3 days
> 
> Try in global conf:
> 
> <MDomain domain.com www.domain.com ......> 
> MDCertificateFile conf/domain.com-chain.pem
> MDCertificateKeyFile conf/domain.com-key.pem 
> MDStapling on
> </MDomain>
> 
> MDMessageCmd c:/apache24/bin/MDMessageCmd.bat 
> MDNotifyCmd  c:/apache24/bin/MDNotifyCmd.bat
> 
> And Remove  the directives
> 
> SSLCertificateFile .....chain.pem
> SSLCertificateKeyFile ......key.pem 
> 
> See in the Readme.md the above directives.
> 
> The info is stored in MDStoreDir/ocsp
>  
> On Friday 27/03/2020 at 11:25, Marek Svent wrote:
>> Hi,
>> 
>> From 2.4 changelog I read that from next 2.4 release it's possible to
>> use mod_md OCSP stapling even for certificates not managed by mod_md.
>> It's very welcome as there is too many problems with mod_ssl stapling
>> code. However it's not clear for me how this could be configured.
>> 
>> I have many virtual hosts and none of the certificates is managed by
>> mod_md. However I'd like to switch to mod_md for stapling, but
>> continue to control per virtual host whether to staple at all. How do
>> I configure this?
>> 
>> Also it's unclear where stapling information is stored. MDStoreDir?
>> 
>> Regards,
>> 
>> -- 
>> Marek
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: users-h...@httpd.apache.org
>> 
> 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Reply via email to