Securing Apache - Debian/Ubuntu

Step 3b - Online Certificate Status Protocol (OCSP) - Mandatory Step!!!

Enable Online Certificate Status Protocol (OCSP) - Certificate Stapling

It may appear that letting the site operator hand out the verification response would allow a fraudulent site to present a false "valid" status for a revoked certificate. However, a stapled response cannot be forged, because it is signed by the certificate authority (CA), not by the server itself (as a self-signed certificate would be). If the client does not receive a stapled, CA-signed response, it contacts the OCSP server on its own. If the client receives an invalid stapled response, the connection to the intended endpoint is terminated. The only risk of OCSP stapling is that notification of a revoked certificate may be delayed until the last signed OCSP response expires (the response cached on the client machine from its last visit).

As a result, clients continue to have verifiable assurance from the certificate authority that the certificate is presently valid (or was quite recently), but no longer need to contact the OCSP server individually. This shifts the brunt of the resource burden back onto the certificate holder. It also means client software no longer needs to disclose users' browsing habits to any third party.

Overall performance is also improved: when the client fetches the OCSP response directly from the CA, it usually has to look up the domain name of the CA's OCSP server in global DNS before it can even connect to the OCSP server. With OCSP stapling, the certificate status information is delivered to the client over the already established channel, reducing overhead and improving performance. - Wikipedia

Global use of the OCSP for all sites using Apache (Preferred Method)

nano /etc/apache2/mods-enabled/ssl.conf

Add the lines marked with <--- below (shown in blue in the original) to ssl.conf under the Pseudo Random Number Generator (PRNG) section; the SSLRandomSeed lines are already there and are shown for context.

This lets every site use the DHParam file globally and lets us choose which elliptic curves we offer, and in what order of preference.

SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512
SSLOpenSSLConfCmd Options -SessionTicket     <--- Do not allow clients to reconnect (resume sessions) insecurely
SSLCompression off     <--- Disable TLS compression to prevent the CRIME attack
SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhparam.pem"     <--- Apply the DHParam to all sites globally instead of putting it in every website configuration file
SSLOpenSSLConfCmd ECDHParameters secp384r1     <--- The preferred curve we offer when people connect to our site
SSLOpenSSLConfCmd Curves secp521r1:X448:X25519:secp384r1    <--- The curves we allow to be used on our site

The same lines without the annotations (the <--- notes are not valid Apache syntax), ready to paste into ssl.conf:

SSLOpenSSLConfCmd Options -SessionTicket
SSLCompression off
SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhparam.pem"
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves secp521r1:X448:X25519:secp384r1

Change or uncomment the following lines (shown in blue in the original) under the Inter-Process Session Cache section of ssl.conf:


SSLSessionCache               shmcb:/run/apache2/sslcache(512000)
SSLSessionCacheTimeout        60
SSLStaplingCache              "shmcb:logs/stapling-cache(150000)"

Close and exit the file

ctrl + o   (Save)
ctrl + x   (Exit)

Add or change the following lines (shown in blue in the original) in the website config file:

nano /etc/apache2/sites-available/EXAMPLE_com_ssl.conf

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin host@EXAMPLE.com
        ServerName EXAMPLE.com
        ServerAlias www.EXAMPLE.com
        DocumentRoot /var/www/html/EXAMPLE
        DirectoryIndex index.html
        LogLevel info ssl:warn
        ErrorLog /var/log/apache2/error.log
        CustomLog /var/log/apache2/access.log combined
        SSLEngine on
        SSLCertificateFile         /etc/apache2/ssl/www_EXAMPLE_com.crt
        SSLCertificateKeyFile      /etc/apache2/ssl/rsa_EXAMPLE.key
        # or, if the certificate uses an EC key:  SSLCertificateKeyFile /etc/apache2/ssl/ec_EXAMPLE.key
        SSLCertificateChainFile /etc/apache2/ssl/EXAMPLE_CA.crt
        SSLUseStapling on
        SSLStaplingResponderTimeout 5
        SSLStaplingReturnResponderErrors off
        SSLCACertificatePath /etc/ssl/certs/
        #SSLCACertificateFile /etc/apache2/ssl/
...............
    </VirtualHost>
</IfModule>

Close and exit the file

ctrl + o   (Save)
ctrl + x   (Exit)

Restart Apache

systemctl restart apache2

Local use in the Apache Website config file (Alternative Method)

nano /etc/apache2/sites-available/EXAMPLE_com_ssl.conf

<IfModule mod_ssl.c>

    SSLSessionCache           shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
    SSLSessionCacheTimeout    60
    SSLStaplingCache          "shmcb:logs/stapling-cache(512000)"

    <VirtualHost *:443>
        ServerAdmin host@EXAMPLE.com
        ServerName EXAMPLE.com
        ServerAlias www.EXAMPLE.com
        DocumentRoot /var/www/html/EXAMPLE
        DirectoryIndex index.html
        LogLevel info ssl:warn
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile         /etc/apache2/ssl/www_EXAMPLE_com.crt
        SSLCertificateKeyFile      /etc/apache2/ssl/rsa_EXAMPLE.key
        # or, if the certificate uses an EC key:  SSLCertificateKeyFile /etc/apache2/ssl/ec_EXAMPLE.key
        SSLCertificateChainFile /etc/apache2/ssl/EXAMPLE_CA.crt
        SSLUseStapling on
        SSLStaplingResponderTimeout 5
        SSLStaplingReturnResponderErrors off
        SSLOpenSSLConfCmd Options -SessionTicket
        SSLCompression off
        SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhparam.pem"
        SSLOpenSSLConfCmd ECDHParameters secp384r1
        SSLOpenSSLConfCmd Curves secp521r1:X448:X25519:secp384r1
...............
    </VirtualHost>
</IfModule>

Close and exit the file

ctrl + o   (Save)
ctrl + x   (Exit)

Restart Apache

systemctl restart apache2
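After restarting Apache with either the global or the per-site configuration above, confirm that the server actually returns a stapled response and see how long that response stays valid (the "Next Update" time bounds the revocation delay described at the top of this step). The script below is an added example and is not part of the original guide or of Apache; it assumes openssl(1) is installed, parses the output of `openssl s_client -status`, and the sample outputs embedded in it are constructed for offline use. The hostname and port are arguments, not values from this page.

```shell
#!/bin/sh
# Added example: verify OCSP stapling on a running Apache server.
# Assumes openssl(1) is installed. Hostname/port are supplied by the caller.

# Classify `openssl s_client -status` output read from stdin.
# Prints one of: stapled-good, stapled-revoked, stapled-unknown, no-staple, error
ocsp_status_from_output() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*)
            # Server handshake completed but no OCSP response was stapled.
            echo "no-staple"; return 0 ;;
    esac
    if ! printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        # Either no TLS connection or the responder returned an error status.
        echo "error"; return 0
    fi
    status=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Cert Status: \([a-z]*\).*/\1/p' | head -n 1)
    case "$status" in
        good)    echo "stapled-good" ;;
        revoked) echo "stapled-revoked" ;;
        *)       echo "stapled-unknown" ;;
    esac
}

# Extract the "Next Update" timestamp of the stapled response from stdin.
# Until this time passes, a client holding the cached response will not
# learn about a revocation, which is the one risk OCSP stapling carries.
ocsp_next_update() {
    sed -n 's/^[[:space:]]*Next Update: //p' | head -n 1
}

# Live check against a server: connect with SNI and request a staple.
# Usage: check_stapling EXAMPLE.com [443]
# Returns 0 only when a CA-signed "good" response was stapled.
check_stapling() {
    host=$1; port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -servername "$host" -status </dev/null 2>/dev/null)
    result=$(printf '%s\n' "$out" | ocsp_status_from_output)
    next=$(printf '%s\n' "$out" | ocsp_next_update)
    echo "$host:$port $result${next:+ (next update: $next)}"
    [ "$result" = "stapled-good" ]
}

# Constructed sample of the relevant s_client -status lines (not captured from a real host).
SAMPLE_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================'

# Constructed sample for a server that stapled nothing.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---'

# Run the live check when a hostname is given on the command line.
if [ -n "${1:-}" ]; then
    check_stapling "$@"
fi
```

Run `apache2ctl configtest` before `systemctl restart apache2`, then `sh check_stapling.sh EXAMPLE.com`. Directly after a restart the stapling cache is empty, so the very first connection may report "no-staple" while mod_ssl fetches the response from the CA; a second connection should report "stapled-good". A persistent "no-staple" usually means the server cannot reach the CA's OCSP responder (DNS or outbound firewall), which is also what `SSLStaplingReturnResponderErrors off` silently hides from clients.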