NGINX - Enable OCSP Stapling

Enable OCSP Stapling

  1. Make sure NGINX 1.3.7 or above is installed.

    nginx -v
  2. Edit the server block* configuration file for your site, or nginx.conf if server blocks are not used, with the editor of your choice (such as nano or vi):

    nano /etc/nginx/sites-enabled/example.com-ssl.conf
    or
    nano /etc/nginx/nginx.conf

    *If you need to enable OCSP stapling on just one server block, it must be the "default_server". If you need to enable OCSP stapling on more than one server block, it must be enabled on the "default_server" before it can be enabled on any other server block.  
     
  3. Turn on OCSP stapling:

    ssl_stapling on;
  4. Enable the server to check OCSP:

    ssl_stapling_verify on;
  5. Point to a trusted certificate chain file. This must contain the intermediate & root certificates (in that order from top to bottom).

    ssl_trusted_certificate /etc/nginx/ssl/full_chain.pem;

    Use the example configuration below as a reference:

    [Image: ocsp.PNG, example NGINX server block with the stapling directives above]

  6. Test your configuration before reloading:
    sudo service nginx configtest

  7. Reload the NGINX service if the test reports OK:
    sudo service nginx reload
  8. Verify OCSP Stapling is working by checking your domain with GlobalSign's SSL Checker.
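As an added verification helper (not part of the GlobalSign article or of NGINX), the POSIX shell functions below check a config file for the three directives from the steps above, count the certificates in the trusted chain file, and classify the OCSP section of `openssl s_client -status` output. The sample config, chain file and s_client fragments are constructed for illustration; the live probe assumes the openssl CLI and network access to the host.

```shell
#!/bin/sh
# Added example, not from the GlobalSign article or NGINX: check an nginx config
# for the stapling directives, sanity-check the chain file, and classify
# `openssl s_client -status` output. All sample inputs are constructed.

# Constructed server block using the article's directives and example path.
SAMPLE_CONF='server {
    listen 443 ssl default_server;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/full_chain.pem;
}'

# Constructed fragments of what `openssl s_client -status` prints.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)'
SAMPLE_NOT_STAPLED='OCSP response: no response sent'

# check_stapling_config FILE: succeed only if all three directives are present,
# switched on and uncommented (each on its own line).
check_stapling_config() {
    grep -Eq '^[[:space:]]*ssl_stapling[[:space:]]+on;' "$1" || return 1
    grep -Eq '^[[:space:]]*ssl_stapling_verify[[:space:]]+on;' "$1" || return 1
    grep -Eq '^[[:space:]]*ssl_trusted_certificate[[:space:]]+[^[:space:]]+;' "$1" || return 1
}

# chain_cert_count FILE: number of PEM certificates in the trusted chain file.
# The article requires intermediate plus root, so fewer than 2 is a red flag.
chain_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# stapling_status: read s_client output on stdin; print stapled, not-stapled or unknown.
stapling_status() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    elif printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo not-stapled
    else
        echo unknown
    fi
}

# probe_host HOST: live check of a deployed server, sending SNI and requesting
# a stapled status, much like an online SSL checker does. Needs network access.
probe_host() {
    echo | openssl s_client -connect "$1:443" -servername "$1" -status 2>/dev/null \
        | stapling_status
}
```

Run `probe_host example.com` after reloading NGINX; `not-stapled` on the first connection can simply mean NGINX has not fetched the OCSP response yet, so probe a second time before treating it as a misconfiguration.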
