Instructions for Enabling OCSP Stapling on Your Nginx Server
For more information about the Online Certificate Status Protocol (OCSP) and the benefits of OCSP stapling, see Enable OCSP Stapling on Your Server.
Nginx: How to Enable OCSP Stapling
These instructions were created using Nginx 1.6.2. Depending on which version of Nginx you are using, you may need to modify these instructions accordingly.
Check your version of Nginx
Nginx supports OCSP stapling in 1.3.7+.
To see which version of Nginx you are running, use following command:
nginx -v
Check if OCSP stapling is enabled.
To see if OCSP stapling is enabled, do one of the following:
Check with the DigiCert® SSL Installation Diagnostic Tool
Go to https://www.digicert.com/help and in the Server Address box, type in your server address (i.e. www.digicert.com).
If OCSP stapling is enabled, under SSL Certificate has not been revoked, to the right of OCSP Staple, it says Good.
If OCSP stapling is not enabled, under SSL Certificate has not been revoked, to the right of OCSP Staple, it says Not Enabled, and you now need to see if the Intermediate Certificate is properly installed.
Check using OpenSSL
Enter the following command:
openssl.exe s_client -connect [yoursite.com]:443 -status
If OCSP stapling is enabled, in your response, in the OCSP Response Data section, it should say the following:
OCSP Response Status: successful (0x0)
If OCSP stapling is not enabled, you will not see any OCSP Response Data, and you now need to see if the Intermediate Certificate is properly installed.
Check that the Intermediate Certificate is properly installed.
Before you can enable OCSP stapling on your Nginx server, the Intermediate Certificate must be properly installed.
To see if the intermediate certificate is properly installed, go to https://www.digicert.com/help and in the Server Address box, type in your server address (i.e. www.digicert.com).
Under Certificate Name matches…, you should see your Server Certificate and the Intermediate Certificate.
If the server is not sending the required intermediate certificate, you will need to configure it in the “ssl_certificate” line of your SSL configuration. See Nginx SSL Certificate Installation.
Verify the Nginx server’s connection to the OCSP server.
Enter the following command:
curl ocsp.digicert.com/ping.html
You should receive the “You have successfully reached the DigiCert OCSP Service” message.
If you don’t have curl installed, try using the wget command:
wget ocsp.digicert.com/ping.html
If it downloads the page, you are connected. To view the contents of the page, enter the following command:
cat ping.html
You should receive the “You have successfully reached the DigiCert OCSP Service” message.
Configure your Nginx server to use OCSP Stapling.
Use the following instruction to enable OCSP stapling on your Nginx server after verifying that it supports OSCP stapling and can connect to the OCSP server.
Edit your site’s SSL configuration file.
Add the following directives INSIDE the “server { }” block:
ssl_stapling on;
ssl_stapling_verify on;For example:
server
{}listen 443 ssl;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;ssl_certificate /etc/ssl/bundle.crt;
ssl_certificate_key /etc/ssl/your_domain_name.key;ssl_stapling on;
ssl_stapling_verify on;(Optional) Add a DNS resolver for stapling.
Add a DNS resolver for stapling so that the resolver defaults to Google’s DNS.
resolver 8.8.4.4 8.8.8.8;
If this line isn’t added, the resolver defaults to the server’s DNS default.
Check the configuration for errors with Ngnix.
nginx -t
Reload the Nginx.
systemctl restart nginx
Verify that OCSP stapling is now enabled.
To see if OCSP stapling is enabled, do one of the following:
Check with the DigiCert® SSL Installation Diagnostic Tool
Go to https://www.digicert.com/help and in the Server Address box, type in your server address (i.e. www.digicert.com).
If OCSP stapling is enabled, under SSL Certificate has not been revoked, to the right of OCSP Staple, it says Good.
Check using OpenSSL
Enter the following command:
openssl.exe s_client -connect [yoursite.com]:443 -status
If OCSP stapling is enabled, in your response, in the OCSP Response Data section, it should say the following:
OCSP Response Status: successful (0x0)
Additional Enabling OCSP Stapling Instructions
Apache: Enabling OCSP Stapling on Your Server
Windows: Enabling OCSP Stapling on Your Server
The DigiCert Difference
- Who Uses DigiCert?
- DigiCert Compatibility
- Customer Testimonials
- SSL Certificates
Related Links
- SSL Certificates
- CSR Creation
- CSR Certificate Installation
- SSL Import/Export to .PFX
- Renewals Explained
- Validation Doc Requirements
- PKI Tutorial
SSL Certificates
- EV Certificates
- What Is SSL?
- Exchange CSR
- Multi-Domain
- SSL Certificate Test
- Apache SSL
- OpenSSL CSR Generator
