Instructions for Enabling OCSP Stapling on Your Nginx Server

For more information about the Online Certificate Status Protocol (OCSP) and the benefits of OCSP stapling, see Enable OCSP Stapling on Your Server.

Nginx: How to Enable OCSP Stapling

These instructions were created using Nginx 1.6.2. Depending on which version of Nginx you are using, you may need to modify these instructions accordingly.

  1. Check your version of Nginx

    Nginx supports OCSP stapling in 1.3.7+.

    To see which version of Nginx you are running, use following command:

    nginx -v

  2. Check if OCSP stapling is enabled.

    1. To see if OCSP stapling is enabled, do one of the following:

      • Check with the ¶ºÒõ¹Ý® SSL Installation Diagnostic Tool

        Go to /help and in the Server Address box, type in your server address (i.e. www.digicert.com).

        If OCSP stapling is enabled, under SSL Certificate has not been revoked, to the right of OCSP Staple, it says Good.

        If OCSP stapling is not enabled, under SSL Certificate has not been revoked, to the right of OCSP Staple, it says Not Enabled, and you now need to see if the Intermediate Certificate is properly installed.

      • Check using OpenSSL

        Enter the following command:

        openssl.exe s_client -connect [yoursite.com]:443 -status

        If OCSP stapling is enabled, in your response, in the OCSP Response Data section, it should say the following:

        OCSP Response Status: successful (0x0)

        If OCSP stapling is not enabled, you will not see any OCSP Response Data, and you now need to see if the Intermediate Certificate is properly installed.

    2. Check that the Intermediate Certificate is properly installed.

      Before you can enable OCSP stapling on your Nginx server, the Intermediate Certificate must be properly installed.

      To see if the intermediate certificate is properly installed, go to /help and in the Server Address box, type in your server address (i.e. www.digicert.com).

      Under Certificate Name matches¡­, you should see your Server Certificate and the Intermediate Certificate.

    3. If the server is not sending the required intermediate certificate, you will need to configure it in the ¡°²õ²õ±ô³å³¦±ð°ù³Ù¾±´Ú¾±³¦²¹³Ù±ð¡± line of your SSL configuration. See Nginx SSL Certificate Installation.

  3. Verify the Nginx server¡¯s connection to the OCSP server.

    Enter the following command:

    curl ocsp.digicert.com/ping.html

    You should receive the ¡°You have successfully reached the ¶ºÒõ¹Ý OCSP Service¡± message.

    If you don¡¯t have curl installed, try using the wget command:

    wget ocsp.digicert.com/ping.html

    If it downloads the page, you are connected. To view the contents of the page, enter the following command:

    cat ping.html

    You should receive the ¡°You have successfully reached the ¶ºÒõ¹Ý OCSP Service¡± message.

  4. Configure your Nginx server to use OCSP Stapling.

    Use the following instruction to enable OCSP stapling on your Nginx server after verifying that it supports OSCP stapling and can connect to the OCSP server.

    1. Edit your site¡¯s SSL configuration file.

      Add the following directives INSIDE the ¡°server { }¡± block:

      ssl_stapling on;
      ssl_stapling_verify on;

      For example:

      server
      {
      listen 443 ssl;
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

      ssl_certificate /etc/ssl/bundle.crt;
      ssl_certificate_key /etc/ssl/your_domain_name.key;

      ssl_stapling on;
      ssl_stapling_verify on;
      }

    2. (Optional) Add a DNS resolver for stapling.

      Add a DNS resolver for stapling so that the resolver defaults to Google¡¯s DNS.

      resolver 8.8.4.4 8.8.8.8;

      If this line isn¡¯t added, the resolver defaults to the server¡¯s DNS default.

    3. Check the configuration for errors with Ngnix.

      nginx -t

    4. Reload the Nginx.

      systemctl restart nginx

  5. Verify that OCSP stapling is now enabled.

    To see if OCSP stapling is enabled, do one of the following:

    • Check with the ¶ºÒõ¹Ý® SSL Installation Diagnostic Tool

      Go to /help and in the Server Address box, type in your server address (i.e. www.digicert.com).

      If OCSP stapling is enabled, under SSL Certificate has not been revoked, to the right of OCSP Staple, it says Good.

    • Check using OpenSSL

      Enter the following command:

      openssl.exe s_client -connect [yoursite.com]:443 -status

      If OCSP stapling is enabled, in your response, in the OCSP Response Data section, it should say the following:

      OCSP Response Status: successful (0x0)

Additional Enabling OCSP Stapling Instructions