
OCSP Stapling with relayd

Online Certificate Status Protocol (OCSP) stapling is a standard for checking certificate revocation. It is most commonly deployed on web servers using TLS, and it is required if you’re aiming for an A+ on the Qualys SSL Server Test. Even better, CloudFlare reports connection time improvements of up to 30% in some cases. [0]

The following is based on OpenBSD 6.7.

man relayd.conf

An optional OCSP staple file will be used during TLS handshakes with this server if it is found as a non-empty file in /etc/ssl/name:port.ocsp or /etc/ssl/name.ocsp. The file should contain a DER-format OCSP response retrieved from an OCSP server for the certificate in use, and can be created using ocspcheck(8).

The recommended way to deploy relayd is to have it listen on 127.0.0.1 and use pf rdr-to rules to redirect traffic to it. The name:port in the staple filename is the address relayd listens on, so with that setup the OCSP staple file should be saved as: /etc/ssl/127.0.0.1:443.ocsp

Updating OCSP Staple File
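A script to refresh the staple from cron, added here as an example (it is not code from the original post or from OpenBSD). It assumes the chain PEM relayd serves lives at /etc/ssl/127.0.0.1:443.fullchain.pem, that `relayctl reload` makes relayd pick up the new file, and uses only the -o and -N options documented in ocspcheck(8).

```shell
#!/bin/sh
# Refresh the relayd OCSP staple safely: fetch to a temp file, keep the
# last good staple on any failure, rename atomically, reload relayd.
# Added example, not from the original post or OpenBSD. Assumed paths:
#   cert   /etc/ssl/127.0.0.1:443.fullchain.pem  (leaf + issuer chain)
#   staple /etc/ssl/127.0.0.1:443.ocsp           (relayd listen address)
# Cron, daily (responses are typically valid for several days):
#   15 3 * * * /usr/local/sbin/update-ocsp-staple.sh CERT STAPLE
#
# Overridable so the logic can be exercised without a live responder.
OCSPCHECK=${OCSPCHECK:-/usr/sbin/ocspcheck}
# Add -N only if the responder does not echo the nonce; ocspcheck(8)
# warns that -N permits replay of an old (still signed) response.
OCSPCHECK_FLAGS=${OCSPCHECK_FLAGS:-}
RELOAD_CMD=${RELOAD_CMD:-"relayctl reload"}   # assumed to reload certs

# Fetch a fresh DER response for $1 into a temp file beside $2.
# Prints the temp path on success; returns 1 (and cleans up) otherwise.
fetch_staple() {
    cert=$1; staple=$2
    tmp="$staple.tmp.$$"
    # ocspcheck exits non-zero if it cannot obtain a verified response
    # that reports the certificate as good.
    if ! "$OCSPCHECK" $OCSPCHECK_FLAGS -o "$tmp" "$cert"; then
        rm -f "$tmp"; return 1
    fi
    if [ ! -s "$tmp" ]; then      # relayd ignores an empty staple file
        rm -f "$tmp"; return 1
    fi
    printf '%s\n' "$tmp"
}

# Install the new staple; the live file is only ever replaced by rename,
# never truncated, so a responder outage keeps the last good response.
update_ocsp_staple() {
    cert=$1; staple=$2
    tmp=$(fetch_staple "$cert" "$staple") || return 1
    if [ -f "$staple" ] && cmp -s "$tmp" "$staple"; then
        rm -f "$tmp"; return 0    # unchanged response: no reload needed
    fi
    mv -f "$tmp" "$staple" || return 1
    $RELOAD_CMD
}

if [ $# -eq 2 ]; then
    update_ocsp_staple "$1" "$2"
fi
```

Run it once by hand with the cert and staple paths before putting it in cron, and check that relayd's log shows the reload.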

References:
[0] https://blog.cloudflare.com/high-reliability-ocsp-stapling/