How to Check the OCSP Response Data of an SSL Website

If you are curious about how OCSP stapling really works on your website, you will probably do a lot of research before enabling it in production. Let’s say you already have a test website with OCSP stapling enabled; the last thing you need to do is verify that it is working.

If you don’t know how to enable OCSP stapling in nginx, you can easily do that by using this command:

sudo certbot --nginx --must-staple -d yourwebsite -d www.yourwebsite.com

And don’t forget to add a resolver (e.g. resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;) to your nginx configuration, otherwise nginx cannot look up the OCSP responder and logs this error:

no resolver defined to resolve ocsp.int-x3.letsencrypt.org while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, certificate: "/etc/letsencrypt/live/codefaq.org/fullchain.pem"

How to Check OCSP Response Data

One way to check that your OCSP stapling works properly is to query your site with the openssl command from an SSH session on your server.

To do that, connect to your server over SSH: ssh -o ServerAliveInterval=30 root@your_server.com.

Then run this openssl command to view the OCSP response data (stdin is redirected from /dev/null so s_client exits after the handshake instead of waiting for input):

openssl s_client -connect codefaq.org:443 -status </dev/null | awk '/OCSP response:/,/---/'

You should see output like the example below:

OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Mar 15 06:14:00 2020 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 03ECED50753D65857C058469590A14CB0E6A
    Cert Status: good
    This Update: Mar 15 06:00:00 2020 GMT
    Next Update: Mar 22 06:00:00 2020 GMT

    Signature Algorithm: sha256WithRSAEncryption
         7a:3f:ff:81:86:44:e1:d5:41:45:03:cb:3f:a7:18:43:cd:e9:
         22:1b:3e:c6:c9:8b:d2:1a:ed:7c:ba:fb:19:66:1e:e3:a4:bf:
         42:72:bf:94:ad:15:41:16:f7:ad:3a:b7:9c:74:9d:74:fb:d4:
         da:a9:eb:2f:f4:33:16:69:b9:ec:05:c6:6b:05:2e:e4:8b:76:
         ac:39:bc:64:ce:97:fb:95:e7:cc:0e:ed:bd:09:3d:58:47:a5:
         62:44:66:ae:84:35:61:6d:8d:c8:17:3b:bf:a5:c2:a7:f3:ee:
         3e:65:aa:e0:f3:c9:80:11:32:81:93:3b:66:b3:96:6c:91:37:
         84:6d:1f:25:77:59:49:38:23:39:56:0e:fd:fc:b3:3c:fc:00:
         07:09:58:a5:10:03:84:96:ea:91:bc:ad:07:b7:13:1c:a0:a0:
         f9:e4:f6:08:eb:6e:03:51:3f:f6:e3:34:93:9d:ad:01:9e:3b:
         71:8b:50:6e:74:5f:c5:7c:bb:19:ac:cc:5d:fc:2f:af:7e:7c:
         61:46:6a:04:aa:73:c1:92:b6:5e:81:71:34:d3:7e:08:84:87:
         64:22:cc:c8:91:0d:7e:73:09:85:49:d6:e2:e8:a3:99:e0:90:
         2d:93:aa:13:e6:ef:6c:ab:0a:49:0f:35:83:94:74:54:db:b0:
         c2:e9:40:93
======================================
---

This means your OCSP stapling works: the server sent a stapled response, the responder reported Cert Status: good, and the This Update / Next Update window covers the current date. If the output instead reads "OCSP response: no response sent", nginx has not fetched the response yet (it fetches and caches it after the first handshake), so wait a few seconds and run the command again.
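The same check as a small script, added here as an example and not part of the original post: it wraps the openssl query above in a function, classifies the stapled response so the result can be used from a cron job or a deploy check, and is exercised against constructed sample output (the codefaq.org host and the SAMPLE_* strings are assumptions made for the example).

```shell
#!/bin/sh
# Check whether a site staples a valid OCSP response (example, not from the post).

# Fetch only the "OCSP response:" block from openssl s_client.
# -servername makes SNI select the right certificate on multi-site servers;
# stdin is closed so s_client exits after the handshake.
fetch_stapled_ocsp() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" -status \
        </dev/null 2>/dev/null | awk '/OCSP response:/,/^---$/'
}

# Read an s_client OCSP block on stdin and print one word:
#   good | revoked | unknown  - the Cert Status reported by the responder
#   none                      - no stapled response was sent
#   error                     - responder error or unparseable input
classify_ocsp() {
    awk '
        /OCSP response: no response sent/       { print "none";  found=1; exit }
        /OCSP Response Status:/ && !/successful/ { print "error"; found=1; exit }
        /Cert Status:/                           { print $3;      found=1; exit }
        END { if (!found) print "error" }
    '
}

# Query a host and succeed only when the stapled status is "good".
check_host() {
    status=$(fetch_stapled_ocsp "$1" | classify_ocsp)
    printf '%s: %s\n' "$1" "$status"
    [ "$status" = good ]
}

# Constructed sample outputs, trimmed to the lines the classifier looks at.
SAMPLE_GOOD='OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
---'
SAMPLE_REVOKED='OCSP response:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
---'
SAMPLE_NONE='OCSP response: no response sent'

# Usage: OCSP_HOST=codefaq.org sh check_ocsp.sh
if [ -n "${OCSP_HOST:-}" ]; then
    check_host "$OCSP_HOST"
fi
```

Exit status of check_host is non-zero for anything other than "good", so it can gate a deploy or alert from a scheduled job.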
