Setting up OCSP for MS Windows Server

Question

How do I set up OCSP stapling on a server running Microsoft Windows Server?

Answer

Enable OCSP Stapling on Windows Server:

1. Ensure you are using Windows Server 2008 or above.

  • Windows Server 2008 and above – OCSP Stapling is enabled by default.

  • Versions below 2008 do not support OCSP Stapling.

If you are running an older version, please upgrade to Windows Server 2008 or later to enable OCSP Stapling.

2. Check whether OCSP stapling is already enabled:

Run the following command from a machine with OpenSSL installed (login.live.com is shown as an example host; substitute your own server's hostname):

openssl s_client -connect login.live.com:443 -tls1 -tlsextdebug -status

  • Scroll down to "OCSP response:".

  • If OCSP stapling is enabled, the OCSP response data will include:

OCSP Response Status: successful (0x0)

  • If OCSP stapling is not enabled, no OCSP response data is shown and you will see:

OCSP response: no response sent

If you see the ‘No response sent’ message and are using Windows Server 2008 or above, then it is possible you need to (re)enable OCSP stapling. Please consult Microsoft’s documentation for help.

3. If you are still having issues, please check that your Windows Server 2008+ can connect to Comodo's OCSP servers at the following locations:

DNS hostname(s)                          Destination IP                              Port
OCSP.ComodoCA.com, OCSP.usertrust.com    178.255.83.1 or 2a02:1788:2fd::b2ff:5301    TCP/80

For example, if you use telnet, use the following command:
telnet OCSP.ComodoCA.com 80

If the test is successful, the reply will state ‘Connected to OCSP.ComodoCA.com’ for at least one of the ‘Destination IP’ addresses in the table above.

If the connection test is unsuccessful please make the required network changes to allow your server to connect to our OCSP servers. Once complete, we advise you to re-run the test in step 2 to establish whether OCSP stapling is now enabled.
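The checks in steps 2 and 3 as one POSIX shell script, added here as an example and not part of the original article. It assumes openssl and nc are installed on the machine running the checks, uses -tls1_2 rather than the article's -tls1 (most servers now reject TLS 1.0), and the sample output used by the self-test is constructed.

```shell
#!/bin/sh
# Added example (not from the original article): scripts the stapling check
# (step 2) and the OCSP responder reachability check (step 3).
# Assumes openssl(1) and nc(1) are available on the machine running it.

# Classify `openssl s_client -status` output read from stdin.
# Prints "stapled", "absent" or "unknown" and returns 0, 1 or 2 respectively.
ocsp_staple_status() {
  out=$(cat)
  case "$out" in
    *"OCSP Response Status: successful (0x0)"*) echo stapled; return 0 ;;
    *"OCSP response: no response sent"*)        echo absent;  return 1 ;;
    *)                                          echo unknown; return 2 ;;
  esac
}

# Step 2: ask the server for a stapled response. -servername sends SNI so the
# right certificate is selected; </dev/null closes the session after the
# handshake. TLS 1.2 is used instead of the article's -tls1, which most
# servers now reject.
check_stapling() {
  host=$1; port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 \
    -tlsextdebug -status </dev/null 2>/dev/null | ocsp_staple_status
}

# Step 3: confirm the server can reach the CA's OCSP responders on TCP/80
# (hostnames default to those listed in the article). Uses nc with a 5 s
# timeout and returns the number of unreachable hosts, so 0 means all good.
check_ocsp_reachability() {
  hosts=${1:-OCSP.ComodoCA.com OCSP.usertrust.com}
  failed=0
  for h in $hosts; do
    if nc -z -w 5 "$h" 80 2>/dev/null; then
      echo "reachable:   $h:80"
    else
      echo "UNREACHABLE: $h:80"; failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Usage: check_stapling www.example.com && check_ocsp_reachability
```

Run check_stapling against your own server first; if it prints "absent", check_ocsp_reachability tells you whether a blocked outbound connection to the responders is the likely cause.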
