Skip to main content

OCSP stapling on nginx with StartSSL certificate

ww.kr.ua Protection and safety


OCSP protocol allows you to check the status of SSL certificate Online. When opening a site, the browser tries to contact the OCSP server and get information about this certificate. This affects the speed of operation, since the OCSP server can be much further than the server where the site is located.

OCSP stapling allows the web server to attach OCSP responses from the certificate issuer server. That has a positive effect on the speed of work. After all, the browser no longer needs to connect directly to the publisher server.



In general, to enable staging on nginx, you need a publisher root certificate. Current StartSSL root certificate can be downloaded here: startssl.com/root . In this case, you must first log in to your account.

But you can download directly: 

  wget https://startssl.com/certs/ca.crt -O /etc/nginx/ssl/ca-startssl.crt

Next, in the configuration of the site with a certificate from StartSSL (or in the global configuration file of the server, if all sites have a certificate from StartSSL), we write a parameter that includes the stepping:

 
  ssl_stapling on;

Then the parameter indicating the root certificate that we downloaded earlier: 

  ssl_trusted_certificate /etc/nginx/ssl/ca-startssl.crt;

Or we can even specify the path to the root certificate that comes with the openssl package: 

  ssl_trusted_certificate /etc/ssl/certs/StartCom_Certification_Authority.pem;

And, most importantly, the depth of verification of the certificate chain. By default, this parameter is 1.


  ssl_verify_depth 3;

The startssl has a minimum depth of 3. This checks the root certificate, the intermediate certificate of StartCom Class 1 DV Server CA and, directly, the certificate of your site. Without this, the stepping will not work.

Also in many articles it is recommended to specify the resolver parameter to determine the IP of the OCSP servers. But it worked for me without it. Do not forget to restart nginx after file changes. ;)

You can check the operation of the stapling on the websites: https://www.digicert.com/help/ and https://ssllabs.com .



How do you rate the article?
Звёзд: 1Звёзд: 2Звёзд: 3Звёзд: 4Звёзд: 5 (No ratings yet)
Loading...

Add a comment

Your email will not be published.