How to enable Online Certificate Status Protocol (OCSP) Stapling in Nginx

0 Flares Filament.io 0 Flares ×

Generally when you access a secure site (HTTPS) browser has to create another request to specific certificate revocation server known as OCSP Responder to verify whether the certificate is revoked or not, due to this some browsers (Chrome etc) does not implement OCSP because of this overhead.

By implementing OCSP Stapling you can replace the role of your OCSP Responder by letting the your web server to periodically query the OCSP Responder itself and then serve client both certificate and the proof that certificate is not revoked.

To enable OCSP Stapling in Nginx add following lines under your SSL listener.

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/ssl/sub.class1.server.ca.pem;

ssl_trusted_certificate should contain your intermediate certificates followed by your Root CA.

Once OCSP Stapling is properly configured you can verify it online by SSL Labs or OpenSSL.

echo QUIT | openssl s_client -connect azfarhashmi.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'

If you see any result then OCSP Stapling is working fine. Don’t forget to replace ‘azfarhashmi.com‘ with your own domain.

0 Flares Twitter 0 Facebook 0 LinkedIn 0 Google+ 0 Filament.io 0 Flares ×

Leave a Reply

Your email address will not be published. Required fields are marked *