NGINX – ENABLE OCSP STAPLING 

 

Enable OCSP Stapling

  • Make sure NGINX 1.3.7 or later is installed (the ssl_stapling directive was introduced in 1.3.7). Check the installed version; note that nginx -v prints to stderr:

nginx -v
 

  • Edit the server block* configuration file for your site (or nginx.conf if server blocks are not used) with the editor of your choice, such as nano or vi:

nano /etc/nginx/sites-enabled/example.com-ssl.conf
or
nano /etc/nginx/nginx.conf

*OCSP stapling is tied to the "default_server" of the listening socket. If you need to enable OCSP stapling on just one server block, that block must be the "default_server". If you need it on more than one server block, it must be enabled on the "default_server" first; only then does it take effect on the other server blocks.
 

  • Turn on OCSP stapling:

ssl_stapling on;

 

  • Have NGINX verify each OCSP response it fetches before stapling it (a response that fails verification is not stapled):

ssl_stapling_verify on;

 

  • Point to a trusted certificate chain file used to verify the OCSP responses. It must contain the intermediate certificate(s) followed by the root certificate (in that order from top to bottom); unlike the ssl_certificate file, it is never sent to clients. NGINX also needs a resolver directive so it can look up the OCSP responder's hostname from the certificate's Authority Information Access extension; without one nothing is stapled and the error log reports that no resolver is defined.

ssl_trusted_certificate /etc/nginx/ssl/full_chain.pem;

 

  • Use the example configuration below as a reference (it uses "listen 443 ssl" instead of the deprecated "ssl on;", which works on every NGINX version that supports stapling):

  server {

   # Listen on port 443 with TLS; this must be the default_server for OCSP stapling to take effect
   listen   443 ssl default_server;
   server_name example.com;

   root /path/to/site-content/;
   index index.html index.htm;

   # Server certificate (followed by any intermediates) and private key
   ssl_certificate /etc/nginx/ssl/example.com/my_certificate.crt;
   ssl_certificate_key /etc/nginx/ssl/example.com/example.key;

   # Enable OCSP stapling, verify the responses, point to the intermediate + root chain
   ssl_stapling on;
   ssl_stapling_verify on;
   ssl_trusted_certificate /etc/nginx/ssl/full_chain.pem;

   # A resolver directive is also required so NGINX can look up the OCSP responder's hostname, e.g.
   # resolver <dns-server-address>;

  }

  • Test your configuration before reloading (configtest comes from the Debian/Ubuntu init script; "sudo nginx -t" does the same on any system):
    sudo service nginx configtest

  • Reload NGINX if the test passes:
    sudo service nginx reload

  • Verify that OCSP stapling is working by checking your domain with GlobalSign's SSL Checker. NGINX fetches the OCSP response in the background after the first TLS handshake, so a check made immediately after the reload may not yet show a stapled response. If it still shows none after a few requests, look in the error log for "ssl_stapling" warnings; they usually point at a chain file that cannot verify the certificate or at a missing resolver.
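The checks above can also be run from a shell without a web-based checker. The script below is an added example written for this page, not code from the original article or from NGINX: it checks that an NGINX version string is new enough for ssl_stapling, counts the certificates in the trusted chain file, verifies that the chain can validate the server certificate, and queries a live host with openssl s_client -status, retrying because the first handshake after a reload usually carries no staple yet. It assumes openssl (and nginx, for the version lookup) are on PATH; the host names, paths and the s_client output it parses are illustrative.

```shell
#!/bin/sh
# Added example (not part of the original article): pre-flight checks for an
# OCSP stapling rollout plus a command-line check that a live host staples.
# Assumes openssl and nginx are on PATH; host names and paths are illustrative.

# ssl_stapling requires NGINX 1.3.7 or later. Returns 0 if "$1" (e.g. 1.18.0)
# is at least that version; extra components such as OpenResty's are ignored.
nginx_version_ok() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ $(( major * 1000000 + minor * 1000 + patch )) -ge 1003007 ]
}

# Version string of the installed binary. nginx -v writes to stderr and some
# packages append a suffix like "(Ubuntu)", which is stripped here.
installed_nginx_version() {
    nginx -v 2>&1 | sed 's|.*/||; s| .*||'
}

# Number of PEM certificates in a file. The ssl_trusted_certificate file needs
# the intermediate(s) and the root, so fewer than 2 is a configuration error.
chain_cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Confirm the trusted chain file can validate the server certificate; if this
# fails, ssl_stapling_verify rejects every response and nothing is stapled.
verify_chain_file() {
    openssl verify -CAfile "$1" "$2"
}

# Reads `openssl s_client -status` output on stdin, prints "none", "good",
# the reported status (e.g. "revoked") or "unparsed", and returns 0 only
# when a good staple was present.
parse_stapling_output() {
    out=$(cat)
    case "$out" in
        *"no response sent"*) echo "none"; return 1 ;;
    esac
    status=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: *//p' | head -n 1)
    case "$status" in
        good) echo "good"; return 0 ;;
        "")   echo "unparsed"; return 1 ;;
        *)    echo "$status"; return 2 ;;
    esac
}

# Live check. NGINX fetches the OCSP response in the background after the
# first handshake, so the first connection after a reload usually has no
# staple; retry a few times before concluding that stapling is off.
check_stapling() {
    host="$1"; port="${2:-443}"
    attempt=1
    result="none"
    while [ "$attempt" -le 3 ]; do
        result=$(openssl s_client -connect "$host:$port" -servername "$host" \
                    -status </dev/null 2>/dev/null | parse_stapling_output || true)
        if [ "$result" = "good" ]; then
            echo "$host:$port staples a good OCSP response"
            return 0
        fi
        attempt=$((attempt + 1))
        sleep 1
    done
    echo "$host:$port: no usable staple (last result: $result)"
    return 1
}

# Usage: sh check_stapling.sh example.com [port]
if [ "$#" -gt 0 ]; then
    check_stapling "$@"
fi
```

Run the version and chain checks before the reload (for example `nginx_version_ok "$(installed_nginx_version)"` and `verify_chain_file /etc/nginx/ssl/full_chain.pem /etc/nginx/ssl/example.com/my_certificate.crt`) and the live check afterwards; a "revoked" result means the responder is answering but the certificate itself must be replaced, while "none" after three attempts points back at the default_server, chain file or resolver requirements above.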

Last Updated: July 25, 2017