Nginx | devops | ~10 mins

OCSP stapling in Nginx - Step-by-Step Execution

Process Flow - OCSP stapling
Client connects to server
Server sends certificate
Server attaches OCSP response (staple)
Client verifies certificate + OCSP response
Connection established if valid
OCSP stapling lets the server send certificate status to the client, speeding up verification.
Execution Sample
Nginx
# http context: applies to every server block below
ssl_stapling on;                      # fetch OCSP responses and staple them into the handshake
ssl_stapling_verify on;               # verify the responder's signature before stapling
# ssl_stapling_verify needs the issuer chain (intermediates and root) to verify against;
# the path is illustrative
ssl_trusted_certificate /etc/ssl/certs/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;  # nginx resolves the OCSP responder hostname itself
resolver_timeout 5s;

server {
  listen 443 ssl;
  ssl_certificate /etc/ssl/certs/server.crt;        # should include the intermediate certificates
  ssl_certificate_key /etc/ssl/private/server.key;
}
This config enables OCSP stapling in nginx; the resolver directive gives nginx the DNS servers it uses to look up the OCSP responder's hostname, and ssl_stapling_verify checks each fetched response against the trusted chain before it is stapled.
Process Table
Step | Action | Server State | Client Action | Result
1 | Client connects to server on HTTPS | Waiting for connection | Sends ClientHello | Connection starts
2 | Server sends certificate | Sends server.crt | Receives certificate | Client prepares to verify
3 | Server attaches OCSP staple | Fetches OCSP response from CA | Receives OCSP response with certificate | Client skips separate OCSP query
4 | Client verifies certificate and OCSP response | OCSP response valid | Checks certificate status | Verification successful
5 | Connection established | Secure connection open | Uses connection | Data exchanged securely
6 | OCSP response expires | Server fetches new OCSP response | Next client connection gets fresh staple | Stapling continues
💡 OCSP stapling improves speed by avoiding client OCSP queries; server refreshes staple periodically.
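To confirm that the configuration above actually staples, and that the staple has not run past its Next Update (the refresh case in step 6), a practitioner usually reads the output of `openssl s_client -connect host:443 -status`. The parser below is an added example, not part of the original page; the sample output it parses is constructed, and the time format it assumes is the one openssl prints by default.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample of the OCSP section printed by `openssl s_client -status`
# when nginx staples a response (real output carries more fields).
SAMPLE_STAPLED = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Mar 10 12:00:00 2024 GMT
    Next Update: Mar 17 12:00:00 2024 GMT
======================================
"""
# What s_client prints when the server sends no staple at all.
SAMPLE_NO_STAPLE = "OCSP response: no response sent\n"

TIME_FMT = "%b %d %H:%M:%S %Y GMT"  # OpenSSL's default time print format


@dataclass
class StapleInfo:
    stapled: bool                    # did the server attach a staple?
    cert_status: Optional[str]       # "good", "revoked" or "unknown"
    next_update: Optional[datetime]  # responder's promised refresh time


def parse_staple(s_client_output: str) -> StapleInfo:
    """Extract staple presence, certificate status and Next Update."""
    if "no response sent" in s_client_output:
        return StapleInfo(False, None, None)
    status = re.search(r"Cert Status:\s*(\w+)", s_client_output)
    nxt = re.search(r"Next Update:\s*(.+GMT)", s_client_output)
    next_update = None
    if nxt:
        next_update = datetime.strptime(nxt.group(1).strip(), TIME_FMT)
        next_update = next_update.replace(tzinfo=timezone.utc)
    return StapleInfo(True, status.group(1) if status else None, next_update)


def staple_is_usable(info: StapleInfo, now: datetime) -> bool:
    """Step 6 check: a staple only helps the client if it is present, says
    'good' and has not passed Next Update; otherwise nginx should refresh it."""
    return (info.stapled and info.cert_status == "good"
            and info.next_update is not None and now < info.next_update)
```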
Status Tracker
Variable | Start | After Step 3 | After Step 6
OCSP Response | None | Fetched and attached | Refreshed and attached
Client Verification | Pending | Verified with staple | Verified with fresh staple
Key Moments - 3 Insights
Why does the client not need to query the OCSP server directly?
Because the server sends the OCSP response (staple) during the TLS handshake, as shown in step 3 of the Process Table.
What happens if the OCSP response expires?
The server fetches a new OCSP response before the next client connection, as shown in step 6, ensuring fresh status.
Why do we configure DNS resolvers in nginx for OCSP stapling?
Because nginx needs to query the OCSP server's URL, which requires DNS resolution, as configured by the resolver directive in the sample code.
Visual Quiz - 3 Questions
Test your understanding
Look at the Process Table: at which step does the server attach the OCSP response to the certificate?
A) Step 3
B) Step 2
C) Step 4
D) Step 5
💡 Hint
Check the 'Action' column for when the server attaches the OCSP staple.
According to the Status Tracker, what is the state of 'OCSP Response' after step 6?
A) None
B) Fetched and attached
C) Refreshed and attached
D) Expired
💡 Hint
Look at the 'After Step 6' column for 'OCSP Response' in the Status Tracker.
If the server did not refresh the OCSP response, what would happen at step 6?
A) Client would receive a fresh OCSP response
B) Client would query OCSP server directly
C) Connection would fail immediately
D) Server would send no certificate
💡 Hint
Refer to the Key Moments about what happens when the OCSP response expires.
Concept Snapshot
OCSP stapling lets the server send certificate status during TLS handshake.
Enable with 'ssl_stapling on;' and 'ssl_stapling_verify on;' in nginx.
Configure DNS resolvers for OCSP queries.
Improves speed by avoiding client OCSP lookups.
Server refreshes OCSP response periodically.
Full Transcript
OCSP stapling is a way for the server to send proof that its certificate is still valid during the TLS handshake. This saves the client from asking the certificate authority directly, making connections faster. In nginx, you enable it with 'ssl_stapling on;' and 'ssl_stapling_verify on;'. You also set DNS resolvers so nginx can find the OCSP server. When a client connects, the server sends its certificate plus the OCSP response. The client checks both and if valid, the secure connection proceeds. The server refreshes the OCSP response regularly to keep it fresh. This process improves security and speed for HTTPS connections.