Question
How do I set up OCSP for a server based on Microsoft Windows Server?
Answer
Enable OCSP Stapling on Windows Server:
1. Ensure you are using Windows Server 2008 or above.
- Windows Server 2008 and above – OCSP Stapling is enabled by default.
- Versions below 2008 do not support OCSP Stapling. Please upgrade to Windows Server 2008 or later to enable OCSP Stapling.
2. Check whether OCSP stapling is already enabled or not:
- Use the openssl command:
openssl s_client -connect login.live.com:443 -tls1 -tlsextdebug -status
If stapling is enabled, the output includes:
OCSP Response Status: successful (0x0)
- If OCSP stapling is not enabled, you won’t see any OCSP Response Data; instead the output shows:
OCSP response: no response sent
If you see the ‘No response sent’ message and are using Windows Server 2008 or above, then it is possible you need to (re)enable OCSP stapling. Please consult Microsoft’s documentation for help.
3. If you are still having issues, please check your Windows Server 2008+ can connect to Comodo’s OCSP servers at the following locations:
DNS hostname(s)                          | Destination IP                           | Port
OCSP.ComodoCA.com, OCSP.usertrust.com    | 178.255.83.1 or 2a02:1788:2fd::b2ff:5301 | TCP/80
telnet OCSP.ComodoCA.com 80
If the test is successful the reply will state ‘Connected to OCSP.ComodoCA.com’ for at least one of the ‘Destination IP’ addresses in the table above.
If the connection test is unsuccessful please make the required network changes to allow your server to connect to our OCSP servers. Once complete, we advise you to re-run the test in step 2 to establish whether OCSP stapling is now enabled.
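The following script is an added example, not part of the original article, that puts steps 2 and 3 into a repeatable form: it classifies `openssl s_client -status` output as stapled or not, runs the live check against a host of your choosing, and replaces the interactive `telnet` test with a non-interactive TCP connect to the OCSP responder. It assumes bash, openssl and the coreutils `timeout` command are installed; the sample outputs embedded in it are constructed for illustration rather than captured from a real server. The `-tls1` option from the article's command is left out here because it forces TLS 1.0, which current servers refuse, and `-servername` is added so the server selects the right certificate.

```shell
#!/usr/bin/env bash
# Added example (not from the original KB article): verify OCSP stapling and
# OCSP responder reachability. Assumes bash, openssl and coreutils `timeout`.

# classify_ocsp_output: read `openssl s_client -status` output on stdin and
# print one of: stapled, not-stapled, unknown. The two matched strings are the
# ones the article shows for the enabled and disabled cases.
classify_ocsp_output() {
  local out
  out=$(cat)
  case "$out" in
    *"OCSP Response Status: successful"*) echo "stapled" ;;
    *"OCSP response: no response sent"*)  echo "not-stapled" ;;
    *)                                    echo "unknown" ;;
  esac
}

# check_stapling HOST [PORT]: live check against a real server (needs network).
# Sending 'Q' makes s_client exit after the handshake instead of waiting on stdin.
check_stapling() {
  local host=$1 port=${2:-443}
  printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null \
    | classify_ocsp_output
}

# ocsp_reachable HOST [PORT]: TCP reachability test for step 3, the same check
# as the article's `telnet OCSP.ComodoCA.com 80` but scriptable. Uses bash's
# /dev/tcp pseudo-device with a 5-second timeout; returns 0 when connected.
ocsp_reachable() {
  local host=$1 port=${2:-80}
  timeout 5 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Constructed sample output (trimmed) for a server that staples and for one that
# does not. These are illustrations, not captures from a real host.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response'
SAMPLE_NOT_STAPLED='OCSP response: no response sent'

demo() {
  printf 'sample 1: %s\n' "$(printf '%s\n' "$SAMPLE_STAPLED" | classify_ocsp_output)"
  printf 'sample 2: %s\n' "$(printf '%s\n' "$SAMPLE_NOT_STAPLED" | classify_ocsp_output)"
  # Live checks; uncomment on a machine with network access. The hostname
  # your.server.example is a placeholder for your own Windows server.
  # check_stapling your.server.example 443
  # ocsp_reachable OCSP.ComodoCA.com 80 && echo "OCSP.ComodoCA.com:80 reachable"
  # ocsp_reachable OCSP.usertrust.com 80 && echo "OCSP.usertrust.com:80 reachable"
}

demo
```

Run the live checks from the Windows server itself (for example from WSL or a Linux jump host on the same network segment) so that the reachability result reflects the firewall rules the server is actually subject to; a successful `ocsp_reachable` from a different network proves nothing about the server's own egress path.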