Alert ID : INFO3463

Last Modified : 10/08/2018

How To enable OCSP stapling for RapidSSL SSL certificate - Nginx

Description

Online Certificate Status Protocol (OCSP) stapling is an extension of standard OCSP in which the web server, rather than the browser, fetches the signed OCSP response from the CA's responder and sends ("staples") it to the browser during the SSL/TLS handshake. Because an OCSP response stays valid for hours or days, the web site can cache one response and serve it to every client during that period. This makes revocation checking faster and more reliable, removes the need for each client browser to open its own connection to the CA, and keeps the CA from seeing which sites each client visits.
 
OCSP stapling requires NGINX 1.3.7 or above.
 
Configuration
 
  1. Add OCSP stapling directives

    Two directives need to be added to the Nginx configuration file. ssl_stapling on makes nginx fetch and staple OCSP responses; ssl_stapling_verify on makes nginx verify the responder's signature against the chain given by ssl_trusted_certificate (step 3) before stapling, so a bad or unverifiable response is dropped rather than served to clients.
     
    ssl_stapling on;
    ssl_stapling_verify on;

  2. Add a DNS resolver for stapling

    nginx resolves the OCSP responder hostname itself and does not read the system's /etc/resolv.conf, so the resolver directive should be specified for stapling to work.
     
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    Google's public resolvers are used above only as an example; prefer the resolvers your server already uses. If no resolver directive is configured, nginx cannot look up the responder hostname, logs "no resolver defined to resolve <hostname>" in the error log, and serves no staple.
     
  3. Add the ssl_trusted_certificate directive

    For OCSP stapling verification to work, the issuer certificate of the server certificate, the root certificate and all intermediate CA certificates must be configured as trusted using the ssl_trusted_certificate directive.

    For example:
     ssl_trusted_certificate /etc/ssl/CA.crt;

    The CA.crt file in the above example is a PEM file containing all corresponding intermediate and root CA certificates. Unlike ssl_client_certificate, this list is never sent to clients, so including the root here does not enlarge the handshake.

    Here is an example of the Nginx configuration for OCSP stapling (note that every directive, including ssl_trusted_certificate, ends with a semicolon; nginx -t will reject the file otherwise):
     
    server {
        listen 443 ssl;
        server_name  serverhostname;
        ssl_certificate /etc/ssl/SSL_Cert.crt;
        ssl_certificate_key /etc/ssl/cert_key.key;
        ssl_trusted_certificate /etc/ssl/CA.crt;
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 5s;
    }

    Note: When enabling or configuring OCSP stapling on your servers, keep in mind that the OCSP request from your server to the OCSP URL must be allowed. If your server is behind a firewall, create a firewall exception that allows outbound connections from the server to the OCSP URL (plain HTTP, normally port 80).

    To retrieve or verify the OCSP URL for your SSL certificate, refer to article HOWTO111091.

    Save your configuration file, check it with nginx -t, and reload or restart Nginx for the changes to take effect.

    For more information regarding OCSP stapling in Nginx, consult the Nginx documentation page:
    http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
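A preflight script for steps 1 to 3 and the firewall note above, added here as an example and not part of the original article: it checks the server block for the four stapling directives (catching the missing-semicolon case), validates the configuration with nginx -t, reads the responder URL out of the certificate's Authority Information Access extension, and queries that responder from the server over the same outbound path nginx will use. The paths /etc/ssl/SSL_Cert.crt and /etc/ssl/CA.crt come from the example configuration; /etc/ssl/intermediate.crt and /etc/nginx/conf.d/ssl.conf are assumptions.

```shell
#!/bin/sh
# Preflight for nginx OCSP stapling (added example, not from the original article).
# The paths below are assumptions: adjust them to your server.
CERT=/etc/ssl/SSL_Cert.crt            # server certificate, as in the article's config
ISSUER=/etc/ssl/intermediate.crt      # assumed: the intermediate CA that signed CERT
CA_BUNDLE=/etc/ssl/CA.crt             # intermediates + root, the ssl_trusted_certificate file
NGINX_CONF=/etc/nginx/conf.d/ssl.conf # assumed location of the server block

# True if the config file has an uncommented line starting with the given directive regex.
has_directive() {
    grep -Eq "^[[:space:]]*$2" "$1"
}

# Report stapling directives that are missing or malformed (for example, no trailing ';').
# Prints a one-line summary; returns 0 when all four are present, 1 otherwise.
check_stapling_config() {
    conf="$1"; missing=""
    has_directive "$conf" 'ssl_stapling[[:space:]]+on[[:space:]]*;'        || missing="$missing ssl_stapling"
    has_directive "$conf" 'ssl_stapling_verify[[:space:]]+on[[:space:]]*;' || missing="$missing ssl_stapling_verify"
    has_directive "$conf" 'ssl_trusted_certificate[[:space:]]+[^;]+;'      || missing="$missing ssl_trusted_certificate"
    has_directive "$conf" 'resolver[[:space:]]+[^;]+;'                     || missing="$missing resolver"
    if [ -n "$missing" ]; then
        echo "missing or malformed:$missing"
        return 1
    fi
    echo "stapling directives present"
}

# Query the CA's OCSP responder from this host. A firewall that blocks the
# responder shows up here instead of as a silently missing staple. -CAfile lets
# openssl verify the responder's signature, as ssl_stapling_verify will.
check_responder() {
    cert="$1"; issuer="$2"; bundle="$3"
    url=$(openssl x509 -noout -ocsp_uri -in "$cert")
    if [ -z "$url" ]; then
        echo "no OCSP responder URL in the certificate's AIA extension"
        return 1
    fi
    echo "OCSP responder: $url"
    openssl ocsp -issuer "$issuer" -cert "$cert" -CAfile "$bundle" -url "$url" \
        -resp_text -no_nonce 2>&1 |
        grep -E 'OCSP Response Status|Response verify|: (good|revoked|unknown)$'
}

# Run the checks only when invoked with --run; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    check_stapling_config "$NGINX_CONF" && nginx -t && check_responder "$CERT" "$ISSUER" "$CA_BUNDLE"
fi
```

Run it on the server as `sh preflight.sh --run`. A healthy responder query ends with "Response verify OK" and "<cert>: good"; a connection error or timeout there means the firewall exception from the note above is still missing. With OpenSSL 1.0.x the ocsp subcommand also needs `-header Host <responder hostname>` to reach most responders.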

 
Verify the OCSP Stapling
 
Use Openssl
 
Use the following OpenSSL command to verify OCSP stapling on your website:
Note: Use a reasonably current OpenSSL (0.9.8k or later). Do not pass -tls1: it forces TLS 1.0, which current servers refuse, so the handshake fails before any staple is sent. Pass -servername so SNI selects the right virtual host, and close stdin so s_client exits after the handshake.
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -status </dev/null

In the response, look for the following under OCSP response area:

OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)

That means OCSP stapling is working. If instead you see the line below, no OCSP response was stapled:

OCSP response: no response sent

Before concluding that stapling is off, run the command a second time: nginx fetches the OCSP response when the first handshake after a start or reload arrives, and that first handshake is served without a staple. A persistent "no response sent" usually means the responder is unreachable (firewall, no resolver directive) or the response failed verification; the nginx error log gives the reason.
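The check above as a script, added here as an example and not part of the original article: it probes the site with openssl s_client (sending SNI, without -tls1), classifies the handshake output, and retries because nginx fetches the OCSP response lazily on the first handshake after a start or reload. yourdomain.com is the article's placeholder; the function names and the retry count are assumptions.

```shell
#!/bin/sh
# Verify OCSP stapling from the client side (added example, not from the original article).
# Requires the openssl CLI for the live probe; the classifier itself needs only grep.

# Classify the text printed by `openssl s_client -status`.
# Prints stapled / not-stapled / unknown and returns 0 / 1 / 2.
classify_stapling() {
    out="$1"
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo stapled; return 0
    elif printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo not-stapled; return 1
    fi
    echo unknown; return 2          # handshake failed, host unreachable, etc.
}

# One handshake. -servername sends SNI so the right virtual host answers;
# -tls1 is deliberately omitted because it forces TLS 1.0, which current
# servers refuse. stdin is closed so s_client exits after the handshake.
probe_once() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" -status </dev/null 2>/dev/null
}

# nginx fetches the OCSP response lazily: the first handshake after a (re)start
# triggers the fetch and is itself served without a staple, so probe a few
# times with a pause before reporting a failure.
check_stapling() {
    host="$1"; port="${2:-443}"; tries="${3:-3}"
    i=1; result=unknown
    while [ "$i" -le "$tries" ]; do
        result=$(classify_stapling "$(probe_once "$host" "$port")") || true
        if [ "$result" = "stapled" ]; then
            echo "$host:$port: stapled (attempt $i)"; return 0
        fi
        i=$((i + 1)); sleep 2
    done
    echo "$host:$port: $result after $tries attempts"; return 1
}

# Usage: sh check_stapling.sh --run yourdomain.com [port]
if [ "${1:-}" = "--run" ]; then
    check_stapling "${2:-yourdomain.com}" "${3:-443}"
fi
```

The exit status (0 stapled, 1 otherwise) makes the script usable from a monitoring check, so a staple that disappears after a certificate renewal or a firewall change is noticed before browsers start falling back to their own OCSP lookups.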

Use Online SSL Checker

You can also run the test with an online SSL Checker to see whether OCSP stapling works.
The "OCSP stapling" field in the result should show "Enabled" if OCSP stapling is on, and "Not Enabled" if it is not. Note that such a checker connects from the public internet, so it also confirms that the staple is served on the externally reachable host, not only from inside your network.