Enable SSL OCSP Stapling

Erulezz (Verified User; joined Sep 14, 2015; 905 messages; location: 🇳🇱)
What certificate can I use to enable OCSP stapling? As far as I know there are three certificate files for every user.

- domain.tld.cert
- domain.tld.cert.combined
- domain.tld.key

These three don't work to enable OCSP stapling. Has anybody enabled this with nginx and DA? Do I need to generate a new custom certificate with the right format?
 
Thanks for that link :) I only added the two lines ssl_stapling and ssl_stapling_verify and that worked. I didn't include the resolver so that my system DNS is used. If I do the test on SSLLabs I'm getting another green box now :)

I also tested it with this command:

Code:
openssl s_client -connect domain.nl:443 -servername domain.nl -status < /dev/null

And I am getting a nice response back:

Code:
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
 
I also tried this a while ago.

This is what I have in the Custom HTTPD Config
Code:
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 8.8.4.4 8.8.8.8 valid=300s;
	resolver_timeout 10s;
	ssl_trusted_certificate /etc/nginx/ssl.crt/stapling.combined;

and the response

Code:
CONNECTED(00000003)
OCSP response: no response sent
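As an added example (not code from either poster), the following POSIX shell script wraps the `openssl s_client -status` check used above and classifies its output into the two results seen in this thread: a stapled response with status "successful", or "no response sent". The sample outputs embedded in the script are constructed from the text pasted above; `probe_stapling` and `stapling_status` are names chosen here, and `example.com` is a placeholder host.

```shell
#!/bin/sh
# Added example: classify the OCSP stapling result from `openssl s_client -status` output.
# Not part of the original thread; function names are this example's own.

# stapling_status reads s_client output on stdin and prints one of:
#   stapled  - the server sent a stapled OCSP response with status "successful"
#   missing  - the server sent no OCSP response at all
#   bad      - an OCSP response was sent but its status was not "successful"
#   unknown  - the output contained no recognisable OCSP section
stapling_status() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*)  echo missing ;;
        *"OCSP Response Status: successful"*) echo stapled ;;
        *"OCSP Response Status:"*)            echo bad ;;
        *)                                    echo unknown ;;
    esac
}

# probe_stapling HOST [PORT]: run the same check the thread uses against a live
# server. Needs network access and the openssl CLI, so the offline self-test
# below does not call it.
probe_stapling() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        < /dev/null 2>/dev/null | stapling_status
}

# Constructed sample outputs mirroring the two results pasted in the thread.
SAMPLE_OK='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response'

SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'

# Offline self-checks: return the classification of each constructed sample.
check_sample_ok()   { printf '%s\n' "$SAMPLE_OK"   | stapling_status; }
check_sample_none() { printf '%s\n' "$SAMPLE_NONE" | stapling_status; }

# Live usage (placeholder host):
# probe_stapling example.com
```

Two caveats when reading a "missing" result: nginx fetches the OCSP response from the CA's responder lazily, after the first handshake that requests it, so the very first probe after a reload can legitimately show "no response sent" and the check should be repeated; and with `ssl_stapling_verify on`, nginx needs the issuer chain to validate the response, so if the served certificate file does not already include the intermediates, `ssl_trusted_certificate` must point at a file that does.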
 
Did you try it with the above method? So only add the two lines.
Have you also installed your root/intermediate certificates?

Yes, I tried that. For some reason it's not working for me.
Root/intermediate certificates are installed correctly.
 