Plesk

Is it possible to enable OCSP Stapling for a domain in Plesk?

Question

Is it possible to enable OCSP Stapling for a domain in Plesk?

Answer

For Plesk Onyx 17.8 and Obsidian for Linux

Note: This feature requires nginx to be installed and enabled; see "How to install and enable nginx reverse proxy on a Plesk for Linux server".

Note: The certificate installed on the domain must contain both the root certificate and all the intermediate certificates.

  1. Log into Plesk.

  2. Install the SSL It! extension from the Extensions menu.

  3. Navigate to Domains > example.com > Hosting Settings and make sure SSL/TLS support is enabled.

  4. Navigate to Domains > example.com > SSL/TLS Certificates.

  5. Click on the OCSP Stapling button.


For Plesk Onyx 17.5 and below

Note: The certificate installed on the domain must contain both the root certificate and all the intermediate certificates.

In case nginx is used:

  1. Log into Plesk.

  2. Navigate to Plesk > Domains > example.com > Apache & nginx Settings and add the following configuration to the Additional nginx directives field:

    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.4.4 8.8.8.8 valid=300s;
    resolver_timeout 10s;

In case nginx is not installed, or not running:

  1. Connect to the server via SSH.

  2. Add the following line to the /etc/httpd/conf.d/ssl.conf file:

    SSLStaplingCache shmcb:/tmp/stapling_cache(128000)

  3. Log into Plesk.

  4. Navigate to Plesk > Domains > example.com > Apache & nginx Settings and add the following configuration to the Additional directives for HTTPS field:

    SSLUseStapling on

In order to test whether OCSP stapling works properly on the domain, use the following command:

# echo QUIT | openssl s_client -connect example.com:443 -servername example.com -status 2>/dev/null | grep -A 17 'OCSP'
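
The command above prints the raw OCSP section for a person to read. The following added example (not part of the original Plesk article) reduces that output to a one-word verdict that a monitoring check can act on; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the OCSP section of `openssl s_client -status` output.
# Reads that output on stdin and prints one word:
#   good | revoked | unknown | responder-error | no-staple | unparsed
ocsp_staple_status() {
    awk '
        /OCSP response: no response sent/         { result = "no-staple" }
        /OCSP Response Status:/ && !/successful/  { result = "responder-error" }
        /Cert Status: good/                       { result = "good" }
        /Cert Status: revoked/                    { result = "revoked" }
        /Cert Status: unknown/                    { result = "unknown" }
        END { print (result == "" ? "unparsed" : result) }
    '
}

# Live check using the same openssl invocation as the article.
# Usage: check_stapling example.com [port]
check_stapling() {
    host=$1
    port=${2:-443}
    echo QUIT | openssl s_client -connect "$host:$port" -servername "$host" \
        -status 2>/dev/null | ocsp_staple_status
}

# Constructed sample output (not captured from a real server).
sample_stapled() {
    cat <<'EOF'
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
EOF
}

sample_unstapled() {
    printf 'CONNECTED(00000003)\nOCSP response: no response sent\n'
}

# Offline demonstration on the constructed samples.
echo "stapled sample:   $(sample_stapled | ocsp_staple_status)"
echo "unstapled sample: $(sample_unstapled | ocsp_staple_status)"
```

With nginx, the first connection after a reload can report no-staple because the OCSP response is fetched on demand, so repeat the check before concluding that stapling is off.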
