diff --git a/freeipa.spec.in b/freeipa.spec.in
index d7353015a..08b293c05 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -199,6 +199,7 @@ BuildRequires:  python-nose
 BuildRequires:  python-paste
 BuildRequires:  systemd-python
 BuildRequires:  python2-jinja2
+BuildRequires:  python-augeas
 
 %if 0%{?with_python3}
 # FIXME: this depedency is missing - server will not work
@@ -236,6 +237,7 @@ BuildRequires:  python3-nose
 BuildRequires:  python3-paste
 BuildRequires:  python3-systemd
 BuildRequires:  python3-jinja2
+BuildRequires:  python3-augeas
 %endif # with_python3
 %endif # with_lint
 
@@ -359,6 +361,7 @@ Requires: python-dns >= 1.15
 Requires: python-kdcproxy >= 0.3
 Requires: rpm-libs
 Requires: pki-base-python2
+Requires: python-augeas
 
 %description -n python2-ipaserver
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -388,6 +391,7 @@ Requires: python3-pyasn1
 Requires: python3-dbus
 Requires: python3-dns >= 1.15
 Requires: python3-kdcproxy >= 0.3
+Requires: python3-augeas
 Requires: rpm-libs
 Requires: pki-base-python3
 
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index d16848129..b661b82b8 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -21,11 +21,23 @@
 
 import syslog
 import traceback
+from ipalib import api
 from ipaplatform import services
-from ipaserver.install import certs
+from ipaplatform.paths import paths
+from ipaserver.install import certs, installutils
 
 
 def _main():
+
+    api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
+    api.finalize()
+
+    db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+    nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
+
+    # Add trust flag which set certificate trusted for SSL connections.
+    db.trust_root_cert(nickname, "P,,")
+
     syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 
     try:
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 7898c53bc..ab688a85f 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -29,6 +29,7 @@ import pipes
 import locale
 
 import six
+from augeas import Augeas
 
 from ipalib.install import certmonger
 from ipaserver.install import service
@@ -153,6 +154,7 @@ class HTTPInstance(service.Service):
                   self.set_mod_nss_protocol)
         self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
         self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
+        self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp)
         self.step("adding URL rewriting rules", self.__add_include)
         self.step("configuring httpd", self.__configure_http)
         self.step("setting up httpd keytab", self.request_service_keytab)
@@ -259,6 +261,31 @@ class HTTPInstance(service.Service):
         installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False)
         installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
 
+    def enable_mod_nss_ocsp(self):
+        aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD)
+
+        aug.set('/augeas/load/Httpd/lens', 'Httpd.lns')
+        aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF)
+        aug.load()
+
+        path = '/files{}/VirtualHost'.format(paths.HTTPD_NSS_CONF)
+
+        ocsp_comment = aug.get(
+                        '{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path))
+        ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path))
+
+        if ocsp_dir is None and ocsp_comment is not None:
+            # Directive is missing, comment is present
+            aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path),
+                    'NSSOCSP')
+            aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive')
+        elif ocsp_dir is None:
+            # Directive is missing and comment is missing
+            aug.set('{}/directive[last()+1]'.format(path), "NSSOCSP")
+
+        aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on')
+        aug.save()
+
     def set_mod_nss_cipher_suite(self):
         ciphers = ','.join(NSS_CIPHER_SUITE)
         installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False)
@@ -351,6 +378,7 @@ class HTTPInstance(service.Service):
                           create=True)
         self.disable_system_trust()
         self.create_password_conf()
+
         if self.pkcs12_info:
             if self.ca_is_configured:
                 trust_flags = 'CT,C,C'
@@ -375,6 +403,8 @@ class HTTPInstance(service.Service):
             self.__set_mod_nss_nickname(nickname)
             self.add_cert_to_service()
 
+            db.trust_root_cert(nickname, "P,,")
+
         else:
             if not self.promote:
                 ca_args = [
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 9aec2d857..7b0476d44 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1392,6 +1392,24 @@ def fix_trust_flags():
     sysupgrade.set_upgrade_state('http', 'fix_trust_flags', True)
 
 
+def fix_server_cert_trust_flags():
+    root_logger.info(
+        '[Fixing server certificate trust flags in %s]' %
+        paths.HTTPD_ALIAS_DIR)
+
+    if sysupgrade.get_upgrade_state('http', 'fix_serv_cert_trust_flags'):
+        root_logger.info("Trust flags already processed")
+        return
+
+    db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+    sc_nickname = installutils.get_directive(paths.HTTPD_NSS_CONF,
+                                             "NSSNickname")
+    # Add trust flag which set certificate trusted for SSL connections.
+    db.trust_root_cert(sc_nickname, "P,,")
+
+    sysupgrade.set_upgrade_state('http', 'fix_serv_cert_trust_flags', True)
+
+
 def update_mod_nss_protocol(http):
     root_logger.info('[Updating mod_nss protocol versions]')
 
@@ -1404,6 +1422,11 @@ def update_mod_nss_protocol(http):
     sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', True)
 
 
+def enable_mod_nss_ocsp(http):
+    root_logger.info('[Updating mod_nss enabling OCSP]')
+    http.enable_mod_nss_ocsp()
+
+
 def update_mod_nss_cipher_suite(http):
     root_logger.info('[Updating mod_nss cipher suite]')
 
@@ -1671,7 +1694,9 @@ def upgrade_configuration():
     update_ipa_httpd_service_conf(http)
     update_mod_nss_protocol(http)
     update_mod_nss_cipher_suite(http)
+    enable_mod_nss_ocsp(http)
     fix_trust_flags()
+    fix_server_cert_trust_flags()
     update_http_keytab(http)
     http.configure_gssproxy()
     http.start()
diff --git a/ipaserver/setup.py b/ipaserver/setup.py
index f48cef4b2..96af1a7e8 100755
--- a/ipaserver/setup.py
+++ b/ipaserver/setup.py
@@ -61,6 +61,7 @@ if __name__ == '__main__':
             "pyasn1",
             "requests",
             "six",
+            "python-augeas",
         ],
         entry_points={
             'custodia.authorizers': [