

OCSP Stapling

Started by Lee Sautia, 13 August 2014 - 06:07 PM
5 replies to this topic

Lee Sautia Members


Posted 13 August 2014 - 06:07 PM

Hi All,


I've been looking at the Netscaler reference and I'm trying to figure out if it's possible to configure a vserver that does OCSP Stapling. Our current situation is such that the client browser incurs 50-70 msec just to confirm cert revocation status with our provider.


I'm looking at this documentation http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-ssl-config-ocsp-responder-tsk.html, but this sounds more like the netscaler is caching an OCSP response for some service it may proxy downstream.

Andrew Sandford Citrix Employees


Posted 14 August 2014 - 07:04 AM

Hi Lee,


We do not support OCSP Stapling at this time.


You may open a product enhancement request with Citrix Support for this feature.





Rohit Shetty Members


Posted 24 February 2016 - 11:39 AM

Dear All,


Any update on when this feature will be made available?


Thanks & Regards,


Pankaj Kumar Citrix Employees


Posted 07 March 2016 - 04:58 PM


Hi Rohit, 


We are developing this feature and it shall be available by the end of the year.




Darren Bennett Members


Posted 12 October 2016 - 10:23 AM

Courtesy of Ronan O'Brien (Citrix) on the User Groups forum (note this is for 11.1+):

The caching of the OCSP responses is part of the OCSP responder configuration, and there are only two settings:

1) Turn it on or off
2) How long do you want to cache the OCSP response


add ssl ocspResponder -url [-cache ( ENABLED | DISABLED )[-cacheTimeout ] 

There is nothing else you have to do! No content groups, policies etc. All that is baked into the OCSP responder config.





Claus Jan Harms Members


Posted 03 January 2017 - 08:01 AM

Since this feature is now available in the new NetScaler 11.1 Build 51.21 Release I tried to configure it on an SSL Content Switch but no luck so far. https://docs.citrix.com/en-us/netscaler/11-1/ssl/ssl-11-1-ocsp-stapling-solution.html


Either via SSL Profiles or SSL Parameters I can't seem to get it to work. Anyone else tried it yet and succeeded? 


I also tried playing around with the Settings of the new "INTERNAL_" OCSP Responder created for the specific Server Certificate.
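
A client-side check for whether a vserver is actually stapling, as an added example that is not part of the original thread or Citrix's own code: it classifies the OCSP section of `openssl s_client -status` output. The function names and the sample inputs are constructed for this example.

```shell
#!/bin/sh
# Added example: decide from `openssl s_client -status` output whether the
# server stapled an OCSP response, and what that response says.

# Reads s_client output on stdin; prints "<verdict> <next update or ->".
stapling_verdict() {
    awk '
        /OCSP response: no response sent/ { verdict = "not-stapled" }
        /OCSP Response Status:/ {
            # Anything other than "successful" means the staple is unusable.
            verdict = ($0 ~ /successful/) ? "stapled" : "stapled-error"
        }
        /Cert Status:/ && verdict == "stapled" { verdict = "stapled-" $3 }
        /Next Update:/ { sub(/^.*Next Update: */, ""); next_update = $0 }
        END {
            if (verdict == "") verdict = "no-status-section"
            if (next_update == "") next_update = "-"
            print verdict " " next_update
        }'
}

# Live check (needs network): -status sends the status_request extension.
check_host() {   # usage: check_host <host> [port]
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -status \
        </dev/null 2>/dev/null | stapling_verdict
}

# Constructed samples of the relevant s_client lines (not from a real host).
sample_stapled() {
    cat <<'EOF'
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  3 07:00:00 2017 GMT
    Next Update: Jan 10 07:00:00 2017 GMT
EOF
}
sample_unstapled() {
    printf 'CONNECTED(00000003)\nOCSP response: no response sent\n'
}

sample_stapled | stapling_verdict
sample_unstapled | stapling_verdict
```

A `not-stapled` verdict on the first connection after a configuration change is worth retrying, since a server can only staple once it has fetched a response from the CA's responder.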