With haproxy 1.5 finally being released, we are lucky enough to get a basic interface around OCSP stapling.

Sadly this interface really is quite basic and it’s not the simplest thing to figure out without some trial and error.

According to the official documentation, you should be able to pipe your OCSP response to haproxy via its stats socket. Sadly I could not get this to work properly at all, so I decided to swap the piping for a file-and-reload solution.

You’ll need to get a copy of your certification authority’s root certificate to proceed with this.

Looking for your OCSP URI

If you don’t know the URI you need to do an OCSP lookup against, you can find it in your certificate data.

openssl x509 -in /path/to/your/certificate -text

Inside the output, look for the following section.

Authority Information Access …
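The file-and-reload approach and the URI lookup above, put together as one script. This is an added example and not code from the original post; it assumes a PEM certificate, the issuing CA certificate and the CA root as its three arguments, that `openssl` is on the PATH, and that haproxy 1.5 serves the response it finds in `<crt>.ocsp` next to the certificate when it (re)loads.

```shell
#!/bin/sh
# Added example, not from the original post: refresh the staple for haproxy 1.5
# with the "file and reload" approach. Assumes a PEM certificate ($1), the
# issuing CA certificate ($2) and the CA root ($3); haproxy 1.5 serves the
# response found in "<crt>.ocsp" next to the certificate when it (re)loads.
set -eu

# Pull the responder URI out of "openssl x509 -text" output read from stdin.
# The relevant line looks like "OCSP - URI:http://ocsp.example.test/".
ocsp_uri_from_text() {
    sed -n 's/^[[:space:]]*OCSP - URI:\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Fetch a response, verify it against the root, and only then replace the
# staple, so a failed fetch never clobbers a working .ocsp file.
refresh_staple() {
    cert="$1"; issuer="$2"; root="$3"
    uri="$(openssl x509 -in "$cert" -noout -text | ocsp_uri_from_text)"
    [ -n "$uri" ] || { echo "no OCSP URI in $cert" >&2; return 1; }
    tmp="$cert.ocsp.tmp"
    # No nonce: the same response is handed to every client, so a nonce
    # buys nothing and some responders refuse to echo it anyway.
    openssl ocsp -issuer "$issuer" -cert "$cert" -url "$uri" -no_nonce \
        -respout "$tmp" >/dev/null 2>&1
    # openssl ocsp exits 0 even when verification fails, so check its text.
    result="$(openssl ocsp -issuer "$issuer" -cert "$cert" -CAfile "$root" \
        -respin "$tmp" 2>&1)"
    case "$result" in
        *"Response verify OK"*"$cert: good"*) mv "$tmp" "$cert.ocsp" ;;
        *) rm -f "$tmp"; echo "rejected OCSP response: $result" >&2; return 1 ;;
    esac
}

# Constructed sample of the "openssl x509 -text" lines this parses (dry run).
SAMPLE_TEXT='        Authority Information Access:
                OCSP - URI:http://ocsp.example.test/
                CA Issuers - URI:http://ca.example.test/issuer.crt'

if [ "$#" -ge 3 ]; then
    refresh_staple "$1" "$2" "$3"
    echo "wrote $1.ocsp; reload haproxy to start serving it"
else
    printf '%s\n' "$SAMPLE_TEXT" | ocsp_uri_from_text
fi
```

Run it from cron shortly before the current response expires, followed by your usual haproxy reload command; without arguments it only exercises the URI parser on the constructed sample.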