Hello everyone! I have a Java 7 web app running on Tomcat 7 with APR/tomcat-native on Linux (OpenSSL 1.1.1). I would like to enable OCSP stapling on Tomcat so that, when OCSP is enabled, the server will pre-fetch the OCSP response for its own certificate and deliver the response to the user's browser during the TLS handshake. This eliminates the need to make a separate connection to the CA's revocation service before the web page is displayed, improving the page's performance and reliability.

I did search the mailing list and found this question https://www.mail-archive.com/users@tomcat.apache.org/msg129303.html but that user is using the JSSE implementation for TLS, not APR. The documentation for Tomcat 7 does have an example:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               secure="true" scheme="https" SSLEnabled="true"
               SSLCertificateFile="/path/to/ocsp-cert.crt"
               SSLCertificateKeyFile="/path/to/ocsp-cert.key"
               SSLCACertificateFile="/path/to/ca.pem"
               SSLVerifyClient="require" SSLVerifyDepth="10" clientAuth="true"/>

but that is for client-cert verification. Can we do it on the server side, or am I missing something about how OCSP is supposed to work in the first place?
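Whatever connector configuration ends up being used, the way to confirm that the server actually staples an OCSP response in the handshake is to ask for it from the client side. The following is an added example, not code from the poster or from Tomcat: it runs `openssl s_client -status` against a host (Python's own ssl module does not expose the stapled response) and parses the result; the two sample outputs embedded in it are constructed excerpts of what s_client prints with and without a staple.

```python
"""Check whether a TLS server staples an OCSP response (TLS status_request extension)."""
import re
import subprocess

# Constructed excerpt of `openssl s_client -status` output from a server that staples.
SAMPLE_STAPLED = """\
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================
"""

# Constructed excerpt from a server that sends no staple (what a JSSE/APR
# connector without stapling support looks like from the outside).
SAMPLE_NOT_STAPLED = """\
CONNECTED(00000003)
OCSP response: no response sent
"""


def parse_ocsp_status(s_client_output):
    """Return {'stapled', 'cert_status', 'next_update'} parsed from s_client output."""
    result = {"stapled": False, "cert_status": None, "next_update": None}
    if re.search(r"^OCSP response: no response sent", s_client_output, re.M):
        return result
    if "OCSP Response Status: successful" not in s_client_output:
        return result  # staple absent or not a usable (successful) response
    result["stapled"] = True
    m = re.search(r"^\s*Cert Status: (\w+)", s_client_output, re.M)
    if m:
        result["cert_status"] = m.group(1)
    m = re.search(r"^\s*Next Update: (.+)$", s_client_output, re.M)
    if m:
        result["next_update"] = m.group(1).strip()
    return result


def check_server(host, port=443, timeout=10):
    """Connect once with SNI and -status, then parse whether a staple was delivered."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-status"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return parse_ocsp_status(proc.stdout.decode(errors="replace"))
```

Run `check_server("your.tomcat.host", 8443)` after restarting the connector; `stapled` is True only if the server included a successful OCSP response in the handshake, and `next_update` tells you when a cached staple will go stale.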