Enable OCSP Stapling on Nginx
Online Certificate Status Protocol (OCSP) stapling, formally known as the TLS Certificate Status Request extension, is a standard for checking the revocation status of X.509 digital certificates. With stapling, the server fetches the CA's signed OCSP response itself and presents it during the TLS handshake, so clients do not have to contact the CA's OCSP responder.
Install pki-ocsp package
sudo apt-get upgrade
sudo apt-get install pki-ocsp
Uninstall pki-ocsp package
sudo apt-get remove pki-ocsp
sudo apt-get -y autoremove pki-ocsp
sudo apt-get -y purge pki-ocsp
Enabling OCSP stapling on Nginx
- Add the lines below inside the server { ... } block.
ssl_stapling on;
ssl_stapling_verify on;
- Sample server block
server {
    listen 443 ssl;
    # TLSv1 and TLSv1.1 are deprecated; prefer TLSv1.2 (and TLSv1.3) where clients allow
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Let's Encrypt issued cert
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # Chain used to verify the stapled OCSP response when ssl_stapling_verify is on
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    ssl_prefer_server_ciphers on;
    # nginx needs a resolver to look up the CA's OCSP responder hostname,
    # otherwise no response is fetched and nothing is stapled
    resolver 1.1.1.1 8.8.8.8 valid=300s;
    ssl_stapling on;
    ssl_stapling_verify on;
}
Using OpenSSL to check that OCSP stapling is effective
openssl s_client -connect example.com:443 -status </dev/null | grep 'OCSP response:'
- If using a reverse proxy, check the backend server's response directly by IP, passing the hostname via SNI with -servername
openssl s_client -connect 192.25.25.0:443 -servername example.com -status </dev/null | grep 'OCSP response:'
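A stapled response that is present is not the same as one that is still valid: nginx keeps serving a cached response until it refreshes it, and a "revoked" or "unknown" status is also stapled faithfully. As an added example (not from the original post), this Python checker parses the output of the openssl s_client -status commands above and classifies it; the two sample outputs are constructed, with hash and serial fields omitted.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `openssl s_client -connect host:443 -status` output for a
# server that staples a fresh "good" response (Certificate ID fields omitted).
STAPLED_OUTPUT = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 12:00:00 2024 GMT
    Next Update: Jan  8 12:00:00 2024 GMT
======================================
"""
# Constructed output when nothing is stapled (stapling off, or no resolver configured).
UNSTAPLED_OUTPUT = "OCSP response: no response sent\n"

OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"


def parse_time(text):
    """Parse an OpenSSL GMT timestamp; collapse the padded day field ("Jan  1")."""
    return datetime.strptime(" ".join(text.split()), OPENSSL_TIME).replace(tzinfo=timezone.utc)


def parse_ocsp_status(output):
    """Extract the stapled OCSP fields from s_client output, or mark it unstapled."""
    info = {"stapled": False, "response_status": None, "cert_status": None,
            "this_update": None, "next_update": None}
    status = re.search(r"OCSP Response Status: (\w+)", output)
    if not status:
        return info  # "no response sent", or -status was not passed
    info["stapled"] = True
    info["response_status"] = status.group(1)
    cert = re.search(r"Cert Status: (\w+)", output)
    info["cert_status"] = cert.group(1) if cert else None
    for key, label in (("this_update", "This Update"), ("next_update", "Next Update")):
        m = re.search(label + r": (.+GMT)", output)
        info[key] = parse_time(m.group(1)) if m else None
    return info


def staple_verdict(output, now_iso):
    """Return 'not-stapled', 'not-good', 'stale' or 'ok' for a check run at now_iso (UTC)."""
    now = datetime.fromisoformat(now_iso)
    info = parse_ocsp_status(output)
    if not info["stapled"] or info["response_status"] != "successful":
        return "not-stapled"
    if info["cert_status"] != "good":
        return "not-good"  # "revoked" or "unknown": the staple must not be trusted
    if info["this_update"] is None or info["next_update"] is None \
            or not (info["this_update"] <= now < info["next_update"]):
        return "stale"  # cached response outside its validity window
    return "ok"
```

Feed the function the captured output of the s_client command (without the grep) from a cron job or monitoring probe; anything other than "ok" is worth an alert.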