NGINX - Enable OCSP Stapling
Feb 19, 2024
Prior Reading:
Enable OCSP Stapling
- Make sure NGINX 1.3.7 or above is installed.
nginx -v
- Using the editor of your choice (such as nano or vi), edit the server block* configuration file for your site, or nginx.conf if server blocks are not used:
nano /etc/nginx/sites-enabled/example.com-ssl.conf
or
nano /etc/nginx/nginx.conf
*If you need OCSP stapling on only one server block, that block must be the "default_server". If you need it on more than one server block, enable it on the "default_server" first; only then will it take effect in the other server blocks.
- Turn on OCSP stapling:
ssl_stapling on;
- Have NGINX verify the OCSP response it receives before stapling it (this requires the trusted certificate file in the next step):
ssl_stapling_verify on;
- Point to a trusted certificate chain file used to verify the OCSP response. This must contain the intermediate and root certificates (in that order, from top to bottom); the server certificate itself is not required here. Note the trailing semicolon, as in every NGINX directive:
ssl_trusted_certificate /etc/nginx/ssl/full_chain.pem;
Use the example configuration below as a reference:
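The following server block is an added example configuration, not the original article's, combining the directives from the steps above. The domain, certificate paths and resolver address are placeholders to replace with your own; the resolver shown (127.0.0.53, the systemd-resolved stub) is an assumption, and any DNS server NGINX can reach will do. The resolver is needed because NGINX looks up the OCSP responder hostname from the certificate's Authority Information Access extension at runtime; without it the response is never fetched and nothing is stapled.

```nginx
# Added example (not from the original article). Replace example.com, the
# certificate paths and the resolver address with your own values.
server {
    listen 443 ssl default_server;   # stapling must be enabled here first (see note above)
    server_name example.com;

    # Server certificate followed by its intermediates, and the private key.
    ssl_certificate     /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # OCSP stapling: fetch the responder's signed status and staple it into
    # the TLS handshake so clients need not contact the CA themselves.
    ssl_stapling on;

    # Verify the fetched response against the chain below before stapling it.
    ssl_stapling_verify on;

    # Intermediate certificate(s) followed by the root, in that order.
    ssl_trusted_certificate /etc/nginx/ssl/full_chain.pem;

    # Required for stapling: NGINX resolves the OCSP responder hostname from
    # the certificate at runtime. 127.0.0.53 is an assumption (systemd-resolved).
    resolver 127.0.0.53 valid=300s;
    resolver_timeout 5s;

    location / {
        root /var/www/example.com;
    }
}
```

NGINX obtains the OCSP response lazily, after the first client connection to the server block, so the first one or two handshakes after a reload will carry no stapled response even when everything is configured correctly.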
Test your configuration before reloading:
sudo service nginx configtest
- Reload the NGINX service if the test reports OK:
sudo service nginx reload
- Verify OCSP Stapling is working by checking your domain with GlobalSign's SSL Checker.
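If you prefer to check from the command line, the script below is an added example (not part of the original article) that asks the server for a stapled response with openssl s_client and classifies the result. The host name and port are whatever you pass in; the sample output fed to the parser is constructed to match the two shapes openssl prints, "OCSP response: no response sent" and a decoded "OCSP Response Data" block.

```sh
#!/bin/sh
# Added example, not from the original article: check whether a TLS server
# staples an OCSP response, using openssl s_client's -status option.

# Reads `openssl s_client -status` output on stdin and returns:
#   0  a stapled response was present, verified successful and Cert Status good
#   1  the server sent no OCSP response at all (stapling not working yet)
#   2  a response was present but was not successful, or the cert is not good
parse_ocsp_status() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        return 1
    fi
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful' \
       && printf '%s\n' "$out" | grep -q 'Cert Status: good'; then
        return 0
    fi
    return 2
}

# check_ocsp_stapling HOST [PORT]
# -servername sends SNI so the intended server block answers, and -status
# sets the status_request extension that asks for the stapled response.
# Because NGINX fetches the response lazily, run this twice after a reload.
check_ocsp_stapling() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | parse_ocsp_status
}

# Usage, e.g.:  check_ocsp_stapling example.com && echo "stapling OK"
```

Exit status 1 immediately after a reload usually just means the first handshake has not yet triggered the fetch; a persistent 1 points at a missing `resolver` directive or an outbound firewall blocking the responder, and a 2 means the response came back but could not be verified against `ssl_trusted_certificate` or reports the certificate as not good.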