What is OCSP stapling?
OCSP stapling is a safe and quick way of determining whether or not an SSL certificate is still valid (not revoked). Instead of the client requesting this information from the certificate’s vendor (the issuing CA’s OCSP responder), the web server fetches the CA-signed OCSP response itself and provides it to clients during the TLS handshake.
Three Steps to enable OCSP Stapling in Nginx:
1. To enable OCSP stapling, just add these three lines to the “server” block:
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /path/to/full/chain/pem;
2. Test Nginx configuration
sudo nginx -t
3. Reload Nginx Configuration
If everything is fine, just reload the configuration.
sudo service nginx reload
Test if OCSP Stapling is enabled
You can use the GlobalSign SSL Labs test to see if it is working.
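A command-line check to go with the test step above, as an added example that is not part of the original tutorial: it classifies the OCSP section of `openssl s_client -status` output. The function names and the sample outputs are constructed for illustration. The live check retries because nginx may not staple on the first handshakes after a reload.

```sh
#!/bin/sh
# Added example: confirm from the command line that a server staples OCSP.

# classify_staple: read `openssl s_client -status` output on stdin and print
#   stapled:<cert status>  (good, revoked, unknown)  or  no-staple
classify_staple() {
    awk '
        /OCSP Response Status: successful/ { ok = 1 }
        /Cert Status:/                     { status = $3 }
        END {
            if (!ok)               print "no-staple"
            else if (status == "") print "stapled:unknown"
            else                   print "stapled:" status
        }'
}

# check_host: live check (needs network access and the openssl CLI).
# Retries because nginx may not staple on the first handshakes after a reload.
check_host() {
    host=$1
    tries=${2:-3}
    result=no-staple
    while [ "$tries" -gt 0 ]; do
        result=$(openssl s_client -connect "$host:443" -servername "$host" \
                     -status </dev/null 2>/dev/null | classify_staple)
        if [ "$result" != "no-staple" ]; then break; fi
        tries=$((tries - 1))
        if [ "$tries" -gt 0 ]; then sleep 1; fi
    done
    echo "$result"
}

# Constructed, trimmed samples of the OCSP section printed by s_client.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT'
SAMPLE_NONE='OCSP response: no response sent'

# Stand-alone use: sh check_staple.sh your.host.name
if [ -n "${1:-}" ]; then check_host "$1"; fi
```

A result of `stapled:good` means the handshake carried a CA-signed response for the server certificate; `no-staple` after several tries usually points at the nginx configuration or at nginx being unable to reach the OCSP responder.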
How to enable OCSP Stapling in Nginx?
KUDOS to green check 🙂
Thanks a lot 🙂
Thanks for a simple tutorial. It was very easy to follow and I felt relief with the green check beside OCSP.
I observed average response time to be reduced by 2ms.
No improvements here but Google has increased page speed rank 🙂
Thanks a lot for a tutorial but like others, I don’t really see any difference in speed. Not worth it!
For me improvement was significant and a score of 100!
Very brief and easy, thanks – all green on PageSpeed. Is this cached with a proxy as well?
Can OCSP be done without nginx and directly in the app? I have a Rails app and am not using a proxy.
You are going to save a request to CA if you are enabling OCSP – hence you are reducing the number of requests – thus increasing speed. I say it is totally worth it when your mission intersects with “Google’s” in keeping web FAST!
I didn’t notice any improvement in speed. Is it really worth doing it for all servers?