NGINX - Enable OCSP Stapling

Feb 19, 2024

NGINX - Enable OCSP Stapling

Prior Reading:

Enable OCSP Stapling

  1. Make sure NGINX 1.3.7 or above is installed.

    nginx -v
  2. Edit the server block* configuration file for your site or nginx.conf if server blocks are not used using the editor of your choice (such as nano or vi):

    nano /etc/nginx/sites-enabled/
    nano /etc/nginx/nginx.conf

    *If you need to enable OCSP stapling on just one server block, it must be the "default_server". If you need to enable OCSP stapling on more than one server block, it must be enabled on the "default_server" before it can be enabled on any other server block.  
  3. Turn on OCSP stapling:

    ssl_stapling on;
  4. Enable the server to check OCSP:

    ssl_stapling_verify on;
  5. Point to a trusted certificate chain file. This must contain the intermediate & root certificates (in that order from top to bottom).

    ssl_trusted_certificate /etc/nginx/ssl/full_chain.pem

    Use the example configuration below as a reference:  


  6. Test your configuration before reloading:
    sudo service nginx configtest

  7. Restart NGINX service if OK:
    sudo service nginx reload
  8. Verify OCSP Stapling is working by checking your domain with GlobalSign's SSL Checker.

Related Articles

GlobalSign System Alerts

View recent system alerts.

View Alerts

Atlas Discovery

Scan your endpoints to locate all of your Certificates.

Sign Up

SSL Configuration Test

Check your certificate installation for SSL issues and vulnerabilities.

Contact Support