« Back to Web

Securing nginx configurations: implementing OCSP stapling

OCSP stapling is a logical follow-up on OCSP . OCSP itself just checks if certificate is still valid by determining if it is on a revocation list.

The original OCSP protocol forces the client to check for the status of a certificate. This results in a lot of traffic for the CA behind the certificate.

OCSP stapling moves the check to the owner of the certificate. On a regular basis the Nginx server will perform the check, receiving a new OCSP response. This response is stapled upon the SSL/TLS process with the user client. Due to this addition, OCSP stapling ensures the client that the owner is keeping their certificate up-to-date and is still valid.

Configuration

All these snippets needs to be added below the virtual host. OCSP stapling is only useful when using SSL and is enabled (ssl on or listen ssl).

Enable OCSP stapling and verification

# Turn on stapling
ssl_stapling on;

# Enable verification  
ssl_stapling_verify on;

Define certificate for OCSP stapling

Next is defining a certificate. This step is optional when the full certificate chain was already provided with the ssl_certificate statement. In case just the certificate is being used (not the parts of your CA), then this statement is needed:

# Define chained certificate (optional if already defined with ssl_certificate).  
ssl_trusted_certificate /etc/nginx/ssl/rootCA_plus_intermediates_chained.crt;

Define nginx resolving

To ensure proper resolving used when querying the verification systems, define what resolvers and their cache time. We use a low timeout, to quickly move to the next resolver if the first one fails.

# Define resolvers, with a cache time of 10 minutes. Also define timeout for resolving, to limit timeout length.  
resolver 1.1.1.1 9.9.9.9 valid=10m;  
resolver_timeout 3s;

Notes

You need at least nginx 1.3.7 for OCSP stapling to work.

Run nginx -t to test your configuration, before reloading.

systemctl reload nginx.service

References

Relevant commands in this article

Like to learn more about the commands that were used in this article? Have a look, for some there is also a cheat sheet available.

Related articles

Like to learn more? Here is a list of articles within the same category or having similar tags.

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon