Configuring OCSP Stapling for Let's Encrypt in Nginx?

How to configure OCSP stapling in Nginx with Let's Encrypt to check the revocation status of the certificate?

Enabling OCSP stapling in Nginx with Let's Encrypt certificates is quite an easy task.

First we need to open the configuration file of our web application in Nginx (sites-enabled/sites-available, usually under /etc/nginx). Once opened, we can add the following statements inside the server block of our configuration file.

NOTE: for any digital certificate obtained from the Let's Encrypt service, we get several .pem files (four, usually); among them there is one called chain.pem, which we need in order to enable the OCSP stapling configuration for our website domain protected by a Let's Encrypt certificate.

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
# nginx needs a DNS resolver to reach the OCSP responder, otherwise the staple is never fetched
# (the address below is an example; use the resolver of your own environment)
resolver 127.0.0.53;

After we have modified the website configuration file we just need to reload/restart the Nginx service/daemon, in whichever way you prefer: service nginx reload, systemctl reload nginx.service, service nginx restart, etc.

Once done, we can check the OCSP configuration by using the https://www.ssllabs.com/ssltest/ portal to check our public domain (with https, obviously). If it has been configured correctly we will get an output similar to the following:

[screenshot of the SSL Labs report: OCSP Stapling]

To clarify, the OCSP protocol is a real-time check of a website certificate’s revocation status. It’s an alternative to using CRLs (Certificate Revocation Lists).

To put it simply: OCSP responder = OCSP server, so we can use the terms OCSP servers and OCSP responders interchangeably because of their functions. An OCSP server belongs to the CA that issued the digital certificate. It uses the certificate's serial number, which the client provides in its OCSP request, to look up its revocation status and "respond" with the status.

OCSP Stapling

With OCSP stapling, the web server frequently communicates with the OCSP responder to stay up to date with the most current certificate revocation status information. It keeps a timestamped record (cache) of the OCSP server's responses on hand that it can pull from in the event that the responder becomes unavailable. This reduces the load on the client and provides a better user experience.
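The procedure in the answer above (add the directives, reload, then verify) as an added, runnable example; this is not code from the original post. It puts the directives in a complete server block, lints a config file for the directives nginx needs, and checks the staple a live server actually sends, using openssl's -status output instead of the SSL Labs portal. example.com, the certificate paths and the resolver address 127.0.0.53 (the systemd-resolved stub listener) are placeholders chosen for this example. One caveat for readers following this today: Let's Encrypt stopped putting OCSP responder URLs in the certificates it issues in 2025 and has shut its OCSP responders down, so with a current Let's Encrypt certificate nginx has nothing to staple and the live check below reports no staple; the configuration itself still applies to any CA that operates OCSP responders.

```shell
#!/bin/sh
# Added example (not from the original post): a server block with everything
# nginx needs for OCSP stapling, a lint for the directives, and a check of the
# staple actually sent on the wire. example.com, the paths and 127.0.0.53 are
# placeholders chosen for this example.

# Beyond the post's three directives this block adds a resolver: nginx has to
# look up the OCSP responder's hostname, and without one the staple is never
# fetched and the error log says "no resolver defined". 127.0.0.53 is the
# systemd-resolved stub listener; use your own DNS server if you do not run it.
EXAMPLE_SERVER_BLOCK=$(cat <<'EOF'
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    resolver 127.0.0.53 valid=300s;
    resolver_timeout 5s;
}
EOF
)

# lint_stapling_config FILE
# Prints each stapling-related directive the file lacks; returns 1 if any is
# missing, 0 when all four are present.
lint_stapling_config() {
    file=$1
    missing=0
    for d in 'ssl_stapling on;' 'ssl_stapling_verify on;' \
             'ssl_trusted_certificate ' 'resolver '; do
        if ! grep -Eq "^[[:space:]]*$d" "$file"; then
            echo "missing: ${d%% *}"
            missing=1
        fi
    done
    return $missing
}

# staple_ok
# Reads `openssl s_client -status` output on stdin. Succeeds only when the
# server stapled a response, the responder reported "successful", and the
# certificate status inside it is "good" (a stapled "revoked" fails here too).
staple_ok() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful' &&
    printf '%s\n' "$out" | grep -q 'Cert Status: good'
}

# check_live_staple HOST
# Handshakes with HOST and asks for a stapled response. Needs network access,
# so the offline checks do not call it. nginx fetches the staple only after
# the first handshake following a reload, so "no response sent" on the very
# first connection is normal: run it twice.
check_live_staple() {
    host=$1
    openssl s_client -connect "$host:443" -servername "$host" -status \
        </dev/null 2>/dev/null | staple_ok
}

# Constructed samples of what `openssl s_client -status` prints, used for the
# offline checks: one with a good staple, one with no staple at all.
SAMPLE_STAPLED=$(cat <<'EOF'
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================
EOF
)
SAMPLE_UNSTAPLED='OCSP response: no response sent'

# Usage: sh stapling-check.sh example.com
if [ -n "$1" ]; then
    if check_live_staple "$1"; then
        echo "$1: good OCSP staple"
    else
        echo "$1: no usable OCSP staple"
    fi
fi
```

Run lint_stapling_config against the real site file before reloading nginx, then check_live_staple against the public hostname twice after the reload. Checking for "Cert Status: good" rather than merely for the presence of a staple matters: ssl_stapling_verify only verifies the responder's signature, so a correctly signed "revoked" response would still be stapled and would still show up as "OCSP stapling: Yes" in a report.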