Choosing OCSP cache time

Hi!

I'm configuring OCSP cache timeout with my Apache server. The default value is 1 hour which seems a bit low. I've not seen any recommendation on OCSP cache timeout during my searches but when I read ISRG CP v3.0 - Let's Encrypt it says:

Effective 2020-09-30:

OCSP responses MUST have a validity interval greater than or equal to eight hours;
OCSP responses MUST have a validity interval less than or equal to ten days;
For OCSP responses with validity intervals less than sixteen hours, then the CA SHALL update the information provided via an Online Certificate Status Protocol prior to one-half of the validity period before the nextUpdate.
For OCSP responses with validity intervals greater than or equal to sixteen hours, then the CA SHALL update the information provided via an Online Certificate Status Protocol at least eight hours prior to the nextUpdate, and no later than four days after the thisUpdate.

Does this mean I should use 8 hours or 10 days? I assume my server will understand the OCSP response timeout and refresh earlier than my cache timeout if it is lower?

What implications are there if I use too long vs too short?

I believe these numbers are for the actual OCSP response themselves.

As far as I know, Let's Encrypt uses an OCSP response lifetime of 7 days. Note that the OCSP responses of Let's Encrypt are cached by the CDN, so trying to fetch one doesn't really add a lot of load on the LE systems, just network traffic for the CDN.
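To make the interplay between the quoted CP intervals and a fixed stapling cache timeout (such as Apache's SSLStaplingStandardCacheTimeout) concrete, here is an added Python example that is not part of the thread: it derives, from the CP rules above, the latest point at which the CA is allowed to refresh a response and the largest fixed cache timeout that can never outlive the cached copy. The one-hour safety margin is an assumption, the 7-day validity is taken from the answer above, and a real CA may refresh earlier than the CP's latest allowed point.

```python
from datetime import timedelta

# Bounds taken from the ISRG CP text quoted in the thread.
MIN_VALIDITY = timedelta(hours=8)
MAX_VALIDITY = timedelta(days=10)
SHORT_RESPONSE = timedelta(hours=16)
HOUR = timedelta(hours=1)


def ca_refresh_offset(validity: timedelta) -> timedelta:
    """Latest point, measured from thisUpdate, by which the CP obliges the CA
    to have published a fresh response for a response of this validity."""
    if not MIN_VALIDITY <= validity <= MAX_VALIDITY:
        raise ValueError(f"validity {validity} is outside the 8h..10d CP bounds")
    if validity < SHORT_RESPONSE:
        return validity / 2  # before one-half of the validity period
    # At least eight hours before nextUpdate and no later than four days after thisUpdate.
    return min(validity - 8 * HOUR, timedelta(days=4))


def max_fixed_cache_timeout(validity: timedelta, margin: timedelta = HOUR) -> timedelta:
    """Largest fixed stapling-cache timeout that never serves an expired response.

    Worst case: the server fetches just before the CA publishes the fresh
    response, so the copy it caches has only (validity - refresh offset)
    left before nextUpdate. The timeout must stay below that by `margin`
    (an assumed allowance for clock skew and fetch latency)."""
    worst_case_remaining = validity - ca_refresh_offset(validity)
    limit = worst_case_remaining - margin
    if limit <= timedelta(0):
        raise ValueError("margin leaves no usable cache window")
    return limit


def is_safe_timeout(timeout: timedelta, validity: timedelta, margin: timedelta = HOUR) -> bool:
    """True if a fixed cache timeout can never outlive the cached response."""
    return timedelta(0) < timeout <= max_fixed_cache_timeout(validity, margin)


if __name__ == "__main__":
    # Let's Encrypt responses are described in the thread as 7 days long.
    le_validity = timedelta(days=7)
    print("CA must refresh within:", ca_refresh_offset(le_validity))
    print("max fixed cache timeout:", max_fixed_cache_timeout(le_validity))
    for candidate in (HOUR, timedelta(days=2), timedelta(days=3)):
        print(candidate, "safe" if is_safe_timeout(candidate, le_validity) else "too long")
```

A timeout above the computed limit risks stapling a response whose nextUpdate has passed, which clients reject; a much shorter one only costs extra fetches against the CA's CDN.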

I decided to cache the response for 3 days. Thanks.

