
Enable OCSP stapling on Nginx Server – Do it with ease

Dec 21, 2020

Are you looking for steps to enable OCSP stapling on Nginx? Take a look at this blog.

Here at Bobcares, we have seen several such Nginx related queries as part of our Server Management Services for web hosts and online service providers.

Today, we’ll take a look at how to configure OCSP stapling on Nginx.

How OCSP Stapling Works

  • First, the web server hosting the SSL certificate sends an OCSP query to the issuing CA’s responder.
  • Next, the issuing CA’s responder replies with the signed OCSP status and a timestamp.
  • From this point, whenever a client connects, the server staples that cached OCSP response to the certificate it presents during the TLS handshake.
  • The client verifies the signature on the timestamped response to ensure it came from the issuing CA.

If the verification fails, the client’s browser shows an error message.

Benefits of OCSP Stapling

One of the biggest benefits of OCSP stapling is performance. The TLS handshake can add a lot of latency to connections, and a separate OCSP lookup by the client adds more.

OCSP stapling speeds up the authentication process by reducing the number of queries the client has to make to check the certificate’s validity. As a result, pages load quicker.

Enable OCSP stapling on Nginx

Now let’s see how our Support Engineers enable OCSP stapling on Nginx.

The Nginx version that we are using here is 1.6.2.

 

1. Check the version of Nginx

Generally, Nginx supports OCSP stapling in 1.3.7+.

So to see which version of Nginx we are running, we run the following command:

nginx -v

 

2. Check if OCSP stapling is enabled

a. To see whether OCSP stapling is enabled, we run the following OpenSSL command (replace yoursite.com with the site’s domain):

openssl s_client -connect [yoursite.com]:443 -status

If OCSP stapling is enabled, the response contains an OCSP Response Data section, which should say:

OCSP Response Status: successful (0x0)

If OCSP stapling is not enabled, we won’t see any OCSP Response Data. So now we need to check whether the Intermediate Certificate is properly installed.

b. Check that the Intermediate Certificate is properly installed

Before we can enable OCSP stapling on the Nginx server, we must properly install the Intermediate Certificate. Also, we check whether the connection to OCSP servers is working fine.

c. Furthermore, if the server is not sending the necessary intermediate certificate, we need to add it to the file referenced by the “ssl_certificate” line of the SSL configuration.

3. Configure your Nginx server to use OCSP Stapling

After verifying that the server supports OCSP stapling and can connect to the OCSP server, we follow the instructions below to enable OCSP stapling on the Nginx server.

a. First, we edit the website’s SSL configuration file.

Add the following directives INSIDE the “server { }” block:

ssl_stapling on;
ssl_stapling_verify on;

For example:

server {
    listen 443 ssl;
    # TLSv1 and TLSv1.1 are deprecated; keep them only if legacy clients require them.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # bundle.crt must contain the server certificate followed by the intermediate(s).
    ssl_certificate /etc/ssl/bundle.crt;
    ssl_certificate_key /etc/ssl/your_domain_name.key;

    ssl_stapling on;
    # Verification checks the responder's signature against the issuer chain; per the
    # Nginx docs, the issuer, intermediates and root should be trusted via ssl_trusted_certificate.
    ssl_stapling_verify on;
}

b. (Optional) Add a DNS resolver for stapling

Now we add a DNS resolver for stapling so that Nginx uses Google’s public DNS to resolve the OCSP responder’s hostname.

resolver 8.8.4.4 8.8.8.8;

If we don’t add this line, the resolver defaults to the server’s DNS default.

c. Also, we check the Nginx configuration for errors. For that, we run the below command.

nginx -t

d. Finally, we restart Nginx. For that, we run the below command.

systemctl restart nginx


4. Verify that OCSP stapling is now enabled

To see if OCSP stapling is enabled, we run the below OpenSSL command.

openssl s_client -connect [yoursite.com]:443 -status

If OCSP stapling is enabled, the OCSP Response Data section of the response should say:

OCSP Response Status: successful (0x0)
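The same openssl s_client -status check is used in step 2 and step 4. Here is an added example (not from the original post) that parses that output the way a monitoring script would, using constructed sample output and a fixed clock instead of a live connection; it also checks the Cert Status and the This Update / Next Update window, which the steps above do not cover:

```python
import re
from datetime import datetime, timezone

# Constructed sample of the relevant part of `openssl s_client -connect host:443 -status`
# output from a server that staples (the values are made up for this example).
SAMPLE_STAPLED = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Dec 20 09:00:00 2020 GMT
    Next Update: Dec 27 09:00:00 2020 GMT
======================================
"""
# Constructed sample from a server that sends no stapled response.
SAMPLE_NOT_STAPLED = "CONNECTED(00000003)\nOCSP response: no response sent\n"
# Fixed clock for the example (assumed "now"), so results do not depend on the real date.
EXAMPLE_NOW = datetime(2020, 12, 21, tzinfo=timezone.utc)


def _field(output, key):
    # Pull "    Key: value" out of the s_client text; None when the line is absent.
    m = re.search(r"^\s*" + re.escape(key) + r":\s*(.+?)\s*$", output, re.M)
    return m.group(1) if m else None


def _parse_time(text):
    # OpenSSL pads single-digit days ("Dec  7 ..."); collapse the padding before parsing.
    return datetime.strptime(" ".join(text.split()),
                             "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def check_stapling(output, now):
    """Return (ok, reason). ok is True only when a stapled response is present,
    successful, reports the certificate as good, and is current at `now`."""
    if "OCSP Response Data:" not in output:
        return False, "no stapled OCSP response (stapling disabled or not yet fetched)"
    status = _field(output, "OCSP Response Status")
    if status is None or not status.startswith("successful"):
        return False, "OCSP response status: %s" % status
    cert_status = _field(output, "Cert Status")
    if cert_status != "good":
        return False, "certificate status: %s" % cert_status
    this_update = _parse_time(_field(output, "This Update"))
    next_update = _parse_time(_field(output, "Next Update"))
    if not (this_update <= now <= next_update):
        return False, "stapled response outside its validity window (next update %s)" % next_update
    return True, "stapled OCSP response is successful, good and current"


if __name__ == "__main__":
    for name, sample in (("stapled", SAMPLE_STAPLED), ("not stapled", SAMPLE_NOT_STAPLED)):
        print(name, check_stapling(sample, EXAMPLE_NOW))
```

Nginx fetches the OCSP response in the background after the first handshake, so the first connection after a restart may legitimately report no stapled response; run the check a second time before concluding stapling is off.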


Conclusion

Today, we saw how our Support Engineers configure OCSP stapling on the Nginx server.
