NGINX - Enable OCSP Stapling

Feb 19, 2024


Enable OCSP Stapling

  1. Make sure NGINX 1.3.7 or above is installed.

    nginx -v
  2. Edit the server block* configuration file for your site, or nginx.conf if server blocks are not used, using the editor of your choice (such as nano or vi):

    nano /etc/nginx/sites-enabled/example.com-ssl.conf
    or
    nano /etc/nginx/nginx.conf

    *If you need to enable OCSP stapling on just one server block, it must be the "default_server". If you need to enable OCSP stapling on more than one server block, it must be enabled on the "default_server" before it can be enabled on any other server block.
  3. Turn on OCSP stapling:

    ssl_stapling on;
  4. Enable the server to check OCSP:

    ssl_stapling_verify on;
  5. Point to a trusted certificate chain file. This must contain the intermediate and root certificates (in that order, from top to bottom).

    ssl_trusted_certificate /etc/nginx/ssl/full_chain.pem;

    Use the example configuration below as a reference:

    [Image: ocsp.PNG, a screenshot of an example server block with the ssl_stapling, ssl_stapling_verify and ssl_trusted_certificate directives]

  6. Test your configuration before reloading:
    sudo service nginx configtest

  7. Restart NGINX service if OK:
    sudo service nginx reload
  8. Verify OCSP Stapling is working by checking your domain with GlobalSign's SSL Checker.
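The following shell helpers are an added example and are not part of the GlobalSign article or the NGINX project. They walk through the same steps: checking the installed version against the 1.3.7 minimum (step 1), emitting the three stapling directives (steps 3 to 5), sanity-checking that the trusted chain file holds at least an intermediate and a root certificate (step 5), and interpreting the output of `openssl s_client -status` as a local alternative to the online SSL Checker (step 8). The chain file contents, the version strings and the `openssl` output below are constructed samples so the script runs offline; `/etc/nginx/ssl/full_chain.pem` is the path used in the article.

```shell
#!/bin/sh
# Added example (not the article's or NGINX's own code). All sample data below is constructed.

# Step 1: decide from an "nginx -v" string whether OCSP stapling is available.
# "nginx -v" prints e.g. "nginx version: nginx/1.24.0" on stderr, so capture it
# with: nginx_supports_stapling "$(nginx -v 2>&1)"
# Returns 0 (true) for 1.3.7 or above, 1 otherwise.
nginx_supports_stapling() {
    ver=$(printf '%s\n' "$1" | sed -n 's#.*nginx/\([0-9][0-9.]*\).*#\1#p')
    [ -n "$ver" ] || return 1
    set -- $(printf '%s\n' "$ver" | tr '.' ' ')   # split into major minor patch
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -lt 1 ]; then return 1; fi
    if [ "$minor" -gt 3 ]; then return 0; fi
    if [ "$minor" -lt 3 ]; then return 1; fi
    [ "$patch" -ge 7 ]
}

# Steps 3 to 5: emit the directives to paste into the (default_server) server block.
# The chain path defaults to the one used in the article.
render_stapling_directives() {
    chain=${1:-/etc/nginx/ssl/full_chain.pem}
    printf '    ssl_stapling on;\n'
    printf '    ssl_stapling_verify on;\n'
    printf '    ssl_trusted_certificate %s;\n' "$chain"
}

# Step 5 check: the trusted chain must carry at least two certificates
# (intermediate, then root). Counts PEM certificate blocks in the file "$1".
chain_cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Step 8: interpret the output of
#   openssl s_client -connect example.com:443 -servername example.com -status </dev/null
# Returns 0 when the server delivered a successful stapled OCSP response, 1 otherwise
# (a server without stapling prints "OCSP response: no response sent").
stapling_status() {
    printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'
}

# ---- constructed sample data for an offline run ----
CONSTRUCTED_CHAIN=$(mktemp)
cat > "$CONSTRUCTED_CHAIN" <<'EOF'
-----BEGIN CERTIFICATE-----
(intermediate CA, constructed placeholder body)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(root CA, constructed placeholder body)
-----END CERTIFICATE-----
EOF

# Abridged, constructed s_client output for a host with stapling enabled...
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response'
# ...and for a host without it.
SAMPLE_NOT_STAPLED='OCSP response: no response sent'

# Demonstration run on the constructed data.
nginx_supports_stapling 'nginx version: nginx/1.24.0' && echo "version ok"
render_stapling_directives "$CONSTRUCTED_CHAIN"
echo "certificates in chain file: $(chain_cert_count "$CONSTRUCTED_CHAIN")"
stapling_status "$SAMPLE_STAPLED" && echo "sample 1: stapling active"
stapling_status "$SAMPLE_NOT_STAPLED" || echo "sample 2: no stapled response"
rm -f "$CONSTRUCTED_CHAIN"
```

The certificate count only proves that the chain file has more than one certificate; to confirm the order required in step 5 (intermediate first, root last), print the subjects and issuers in file order with `openssl crl2pkcs7 -nocrl -certfile /etc/nginx/ssl/full_chain.pem | openssl pkcs7 -print_certs -noout`. `nginx -t` performs the same configuration test as `service nginx configtest` on systems where that init script action is not available.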
