IIS 7 and Above
Known Issues and Workarounds
Enabling OCSP stapling on IIS SNI-enabled site
Last post Sep 27, 2016 08:20 AM by Jean Sun
Sep 02, 2016 11:07 PM | franzom
If Require Server Name Indication is checked on the binding of an IIS site, OCSP stapling is disabled for the site.
This is easily confirmed by enabling SNI for a site that currently doesn't require it, and checking using
https://www.ssllabs.com/ssltest/ or openssl:
openssl s_client -connect foobar.com:443 -servername foobar.com -tls1 -tlsextdebug -status
Does anyone have a workaround for this so that clients of SNI-enabled sites can enjoy the benefits of OCSP stapling?
Sep 05, 2016 09:46 AM | Yuk Ding
According to the blog, we can see that OCSP stapling is enabled by default, even if you are not aware of it. Besides, you need to allow your web server to communicate with the OCSP responder before it works.
Sep 12, 2016 08:36 PM | franzom
Thanks Yuk, but your answer is unhelpful.
Try it yourself!
1. Set up a site without SNI ticked.
2. Confirm that OCSP stapling is working.
3. Tick SNI.
4. See that OCSP stapling is no longer working.
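An added example, written for this thread and not posted by franzom or any other participant, that scripts the check described in the first post and the reproduction steps above: it runs openssl s_client -status against a site once with SNI and once without, and parses the output for a stapled OCSP response. The host name, the port and the -noservername flag (OpenSSL 1.1.1 or later) are assumptions, and the sample output fragments are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: detect whether a TLS endpoint staples
# an OCSP response, with and without SNI, using "openssl s_client -status".

# Classify captured "openssl s_client -status" output read from stdin.
# Prints "stapled" when the handshake carried a successful OCSP response,
# "not-stapled" otherwise (covers "OCSP response: no response sent").
classify_stapling() {
    if grep -q 'OCSP Response Status: successful'; then
        echo stapled
    else
        echo not-stapled
    fi
}

# Probe a live endpoint: $1 host, $2 port (default 443), $3 "sni" or "nosni".
# Assumes OpenSSL 1.1.1+ (-noservername suppresses the SNI extension, which
# s_client otherwise sends by default). Host and port are placeholders.
probe_stapling() {
    host=$1
    port=${2:-443}
    mode=${3:-sni}
    if [ "$mode" = nosni ]; then
        sni_opt=-noservername
    else
        sni_opt="-servername $host"
    fi
    # stdin from /dev/null makes s_client exit right after the handshake;
    # $sni_opt is intentionally unquoted so "-servername host" splits into two words
    openssl s_client -connect "$host:$port" $sni_opt -status </dev/null 2>/dev/null \
        | classify_stapling
}

# Compare both modes for one host, the way the reproduction steps above do.
# Output line: "<host> sni=<result> nosni=<result>".
compare_modes() {
    host=$1
    port=${2:-443}
    printf '%s sni=%s nosni=%s\n' "$host" \
        "$(probe_stapling "$host" "$port" sni)" \
        "$(probe_stapling "$host" "$port" nosni)"
}

# Constructed fragments of s_client -status output, used to exercise the parser
# offline (a real run also prints the certificate chain and session details).
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response'

SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain'

# Usage (needs network; replace example.invalid with your own site):
#   compare_modes example.invalid 443
# Offline self-check against the constructed samples:
printf '%s\n' "$SAMPLE_STAPLED" | classify_stapling
printf '%s\n' "$SAMPLE_NOT_STAPLED" | classify_stapling
```

Run compare_modes against a binding before and after ticking Require Server Name Indication; a site that reports stapled for nosni and not-stapled for sni reproduces the behaviour the thread describes. The classification only looks for the OCSP Response Status line, so it works the same whether the response is fetched from the site or from a saved capture of s_client output.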
Sep 27, 2016 08:20 AM | Jean Sun
It seems that you can't use SNI and OCSP stapling at the same time.
OCSP stapling is supported by default since Windows Server 2008. There is no need to enable it manually anywhere. The thing you should know is that OCSP stapling works ONLY for the primary certificate for the IP address and domain name a certificate is issued for/pointed to.
After a certificate is installed, you need to explicitly tell the server that the certificate you would like to have OCSP stapling configured for does not require Server Name Indication (SNI).
Picked from: https://www.namecheap.com/support/knowledgebase/article.aspx/9602/0/ocsp