Link Search Menu Expand Document

Enable OCSP Stapling on Nginx

Online Certificate Status Protocol (OCSP) stapling, formally known as the TLS Certificate Status Request extension, it is a standard for checking the revocation status of X.509 digital certificates

Table of contents

Install pki-ocsp package

sudo apt-get upgrade
sudo apt-get install pki-ocsp

Uninstall pki-ocsp package

sudo apt-get remove pki-ocsp
sudo apt-get -y autoremove pki-ocsp
sudo apt-get -y purge pki-ocsp

Enabling OCSP on Nginx

  • Add below inside the server { ... } block.
ssl_stapling on;
ssl_stapling_verify on;
  • Sample server
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Let's encrypt issued cert 
    ssl_certificate /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/example.comm/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/;

    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    ssl_stapling on;
    ssl_stapling_verify on;

Using OpenSSL to check OCSP is effective

openssl s_client -connect -status | grep 'OCSP response:'
  • If using Reverse Proxy, check the server response
openssl s_client -connect -servername -status | grep 'OCSP response:'