{{tag>ssl nginx apache webserver}}
====== Enable OCSP stapling ======
===== nginx =====
<code>
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/ca_stapling.pem;
</code>
//ca_stapling.pem// should contain, from top to bottom, **intermediate cert > root cert**. Otherwise you might get an error like:
<code>
2021/10/26 15:46:04 [error] 22172#22172: OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:self signed certificate in certificate chain) while requesting certificate status, responder: ocsp.starfieldtech.com, peer: 192.xx.xx.xx:80, certificate: "/etc/nginx/certs/yourfullcert.crt"
</code>
This shouldn't be an issue with Let's Encrypt certificates, however, as you shouldn't need the ''ssl_trusted_certificate'' directive there.
You can test on [[https://www.ssllabs.com/]] or like this:
<code>
echo QUIT | openssl s_client -servername yourdomain.com -connect youripordomain:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
</code>
It should return the response data.
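The ''grep'' pipeline above prints nothing when no staple is returned, which is easy to misread. The following is an added example, not part of the original page: a shell function that turns the ''openssl s_client -status'' output into an explicit verdict. The function name, exit codes and sample outputs are constructed for illustration.

```shell
# Added example: classify the OCSP part of `openssl s_client -status` output.
# Reads that output on stdin and prints a one-line verdict.
# Exit codes are this example's own: 0 good staple, 1 no staple, 2 staple not "good".
ocsp_staple_status() {
    local out resp_status cert_status next_update
    out=$(cat)

    # s_client prints this line when the server sent no stapled response.
    if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo "no-staple"
        return 1
    fi

    # Pull the fields out of the "OCSP Response Data" block.
    resp_status=$(printf '%s\n' "$out" |
        sed -n 's/^ *OCSP Response Status: *\([a-zA-Z]*\).*/\1/p' | head -n 1)
    cert_status=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: *//p' | head -n 1)
    next_update=$(printf '%s\n' "$out" | sed -n 's/^ *Next Update: *//p' | head -n 1)

    if [ -z "$resp_status" ]; then
        echo "no-staple"    # no OCSP section at all, e.g. the handshake failed
        return 1
    fi
    if [ "$resp_status" = "successful" ] && [ "$cert_status" = "good" ]; then
        echo "stapled cert_status=good next_update=\"$next_update\""
        return 0
    fi
    echo "stapled-bad response_status=$resp_status cert_status=${cert_status:-unknown}"
    return 2
}

# Constructed sample of a stapled response (abridged, not captured from a real server).
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Produced At: Oct 26 13:10:00 2021 GMT
    Cert Status: good
    This Update: Oct 26 13:10:00 2021 GMT
    Next Update: Nov  2 13:10:00 2021 GMT'

# Constructed sample of a handshake without a staple.
SAMPLE_NONE='OCSP response: no response sent'

# Live use, with the page's placeholder host names:
#   echo QUIT | openssl s_client -servername yourdomain.com \
#     -connect youripordomain:443 -status 2>/dev/null | ocsp_staple_status
```

nginx fetches the OCSP response on demand, so the first handshake after a reload can report ''no-staple''; repeat the check before treating it as a misconfiguration.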
====== Tested on ======
  * Debian 10
  * nginx/1.21.3
====== See also ======
  * [[wiki:openssl_commands|Openssl commands]]