
OCSP stapling in Nginx - Commands & Configuration

Introduction
A website's TLS certificate proves that the server is the legitimate holder of its domain name, but a certificate can be revoked before it expires, for example after a key compromise. OCSP (Online Certificate Status Protocol) is how a client asks the certificate authority whether a certificate is still valid. With OCSP stapling, the web server fetches that signed status answer itself, caches it, and sends it to visitors inside the TLS handshake, so visitors don't have to contact the certificate authority on every connection.
When you want your website to load faster by reducing certificate checks.
When you want to reduce the load on the certificate authority servers.
When you want to improve privacy by not letting visitors directly contact the certificate authority.
When you have an HTTPS website using SSL/TLS certificates.
When you want to avoid the slow handshakes and "soft-fail" behaviour that result when a browser's own OCSP lookup is blocked or times out.
Config File - nginx.conf
nginx.conf
server {
    listen 443 ssl;
    server_name example.com;

    # Leaf certificate (with intermediates appended) and its private key.
    ssl_certificate /etc/ssl/certs/example.com.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    # Fetch the OCSP response for the leaf certificate and staple it
    # into the TLS handshake.
    ssl_stapling on;
    # Check the responder's signature before stapling. nginx needs the
    # issuer chain (intermediates and root) for this, given below.
    ssl_stapling_verify on;
    # Issuer and root certificates used to verify the OCSP response
    # (illustrative path; point it at your CA's chain file).
    ssl_trusted_certificate /etc/ssl/certs/example.com.ca-chain.crt;

    # nginx resolves the OCSP responder hostname (taken from the
    # certificate's Authority Information Access extension) with its own
    # resolver, not /etc/resolv.conf. Prefer a local resolver if you have one.
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    location / {
        root /var/www/html;
        index index.html;
    }
}

ssl_certificate and ssl_certificate_key specify your site's certificate and private key.

ssl_stapling on; enables OCSP stapling: nginx fetches the OCSP response for its certificate from the responder URL embedded in the certificate, caches it, and sends it to clients in the TLS handshake.

ssl_stapling_verify on; makes nginx verify the OCSP response's signature against the issuer chain before stapling it. For that check nginx needs the issuer and root certificates, configured with ssl_trusted_certificate; if verification fails, nginx logs an error and staples nothing rather than serving a bad response.

resolver sets the DNS servers nginx uses to look up the OCSP responder's hostname; nginx does not use the system resolver for this. A local or internal resolver is preferable to a public one, since the lookups otherwise leave your network in plaintext.

Commands
Check the nginx configuration file for syntax errors before applying changes.
Terminal
sudo nginx -t
Expected Output
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Reload nginx to apply the new configuration without stopping the server.
Terminal
sudo systemctl reload nginx
Expected Output
No output (command runs silently)
Check that OCSP stapling is working by connecting to the server with SNI set and asking for the stapled OCSP status. nginx fetches the OCSP response lazily, so the first connection after a reload usually reports "OCSP response: no response sent"; run the command a second time to see the stapled response.
Terminal
openssl s_client -servername example.com -connect example.com:443 -status </dev/null
Expected Output
CONNECTED(00000003)
...
OCSP response:
...
    OCSP Response Status: successful (0x0)
...
    Cert Status: good
...
---
SSL handshake has read 3456 bytes and written 456 bytes
Verification: OK
---
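The manual check above is easy to misread: a successful handshake with "no response sent" is not a passing result, and a stapled response whose validity window is about to expire will be refused by clients. The script below, an added example that is not part of the original page or of nginx, runs the same openssl command and turns its output into a pass/fail verdict. The parsing and the verdict are separate functions, and the two sample outputs are constructed so the logic can be exercised without a network; the hostname example.com and the one-hour minimum remaining validity are assumptions.

```python
"""Check that a TLS server staples a current OCSP response reporting "good".

Added example (not from the original page or from nginx). It runs the same
`openssl s_client -status` command the page uses and parses the text output.
"""
from __future__ import annotations

import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample: the relevant part of `openssl s_client -status` output
# when a good OCSP response is stapled (handshake noise omitted).
SAMPLE_STAPLED = """\
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Produced At: Jun  1 12:00:00 2024 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
    Cert Status: good
    This Update: Jun  1 12:00:00 2024 GMT
    Next Update: Jun  8 12:00:00 2024 GMT
======================================
---
Verification: OK
"""

# Constructed sample: what the FIRST connection after a reload typically shows,
# because nginx fetches the OCSP response lazily and has nothing to staple yet.
SAMPLE_NOT_STAPLED = """\
CONNECTED(00000003)
OCSP response: no response sent
---
Verification: OK
"""


def parse_openssl_time(text: str) -> datetime:
    """Parse an OpenSSL timestamp such as 'Jun  1 12:00:00 2024 GMT' as UTC."""
    cleaned = re.sub(r"\s+", " ", text.strip()).replace(" GMT", "")
    return datetime.strptime(cleaned, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_stapled_response(output: str) -> dict:
    """Extract the stapled OCSP fields from `openssl s_client -status` output."""
    parsed = {"stapled": False, "response_status": None, "cert_status": None,
              "this_update": None, "next_update": None}
    status = re.search(r"OCSP Response Status:\s*(\w+)", output)
    if "OCSP response: no response sent" in output or status is None:
        return parsed  # nothing was stapled in this handshake
    parsed["stapled"] = True
    parsed["response_status"] = status.group(1)
    cert = re.search(r"Cert Status:\s*(\w+)", output)
    parsed["cert_status"] = cert.group(1) if cert else None
    for key, label in (("this_update", "This Update"), ("next_update", "Next Update")):
        m = re.search(rf"{label}:\s*(.+)", output)
        if m:
            parsed[key] = parse_openssl_time(m.group(1))
    return parsed


def evaluate(parsed: dict, now: datetime | None = None,
             min_remaining: timedelta = timedelta(hours=1)) -> tuple[bool, str]:
    """Decide whether the stapled response is one a client would accept.

    A response close to its nextUpdate is flagged too: clients reject a
    stapled response whose validity window has passed, and nginx only
    refreshes lazily, so a nearly expired staple is a problem in waiting.
    """
    now = now or datetime.now(timezone.utc)
    if not parsed["stapled"]:
        return False, "no OCSP response stapled (first connection after reload? run again)"
    if parsed["response_status"] != "successful":
        return False, f"OCSP responder returned status '{parsed['response_status']}'"
    if parsed["cert_status"] != "good":
        return False, f"certificate status is '{parsed['cert_status']}'"
    if parsed["next_update"] is not None and parsed["next_update"] - now < min_remaining:
        return False, f"stapled response expires at {parsed['next_update']:%Y-%m-%d %H:%M} UTC"
    return True, "stapled OCSP response is current and reports the certificate as good"


def fetch_s_client_output(host: str, port: int = 443, timeout: int = 15) -> str:
    """Run the page's openssl command against a live server and return its output.

    -servername sets SNI so the right virtual host answers; stdin is closed
    so s_client exits once the handshake is done.
    """
    cmd = ["openssl", "s_client", "-servername", host,
           "-connect", f"{host}:{port}", "-status"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return proc.stdout.decode(errors="replace")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed default
    verdict, reason = evaluate(parse_stapled_response(fetch_s_client_output(target)))
    print(f"{target}: {'OK' if verdict else 'FAIL'} - {reason}")
    sys.exit(0 if verdict else 1)
```

Run it twice after a reload: the first connection primes nginx's OCSP cache and is expected to fail with "no OCSP response stapled"; the second should pass. A non-zero exit code makes it usable from a deployment pipeline or a monitoring check.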
Key Concept

If you remember nothing else from OCSP stapling, remember: it lets your server hand visitors a CA-signed statement that its certificate is still valid, inside the TLS handshake, so secure connections are faster and visitors never have to contact the certificate authority themselves. Because the statement is signed by the CA, the server cannot forge it; it can only relay a current one or none at all.

Common Mistakes
Enabling ssl_stapling without ssl_stapling_verify and ssl_trusted_certificate
Without ssl_stapling_verify, nginx staples whatever the responder returns without checking its signature, so a malformed or mis-signed response is sent to clients, which then reject it. With ssl_stapling_verify on but no ssl_trusted_certificate, nginx cannot build the issuer chain, logs an OCSP verification error, and staples nothing.
Always set ssl_stapling_verify on and point ssl_trusted_certificate at the issuer and root certificates so nginx only staples responses it has verified.
Not setting a DNS resolver in the nginx configuration
nginx uses its own resolver directive, not the system resolver, to look up the OCSP responder's hostname; without resolver, the lookup fails, nginx logs "no resolver defined", and nothing is stapled even though the handshake still succeeds.
Add resolver 8.8.8.8 8.8.4.4; or, better, your own local DNS servers to the nginx config.
Forgetting to reload nginx after changing the config
Changes won't take effect until nginx reloads, so stapling won't be enabled yet. Even after a reload, nginx fetches the OCSP response on the first handshake that needs it, so the very first test connection normally shows no stapled response.
Run sudo systemctl reload nginx after config changes, then test at least twice.
Summary
Enable ssl_stapling and ssl_stapling_verify in nginx, and give it the issuer chain with ssl_trusted_certificate, to activate verified OCSP stapling.
Set a DNS resolver in the nginx config so it can look up the OCSP responder.
Test the configuration syntax with nginx -t and reload nginx to apply the changes.
Verify that stapling works using openssl s_client with the -status flag, connecting twice so nginx has had a chance to fetch the response.