OCSP stapling with NGINX
Online Certificate Status Protocol (OCSP) is one of the main protocols used to check whether a certificate has been revoked. This matters because, if a server or its certificate is compromised, the certificate can be replaced and the old one revoked to prevent fraudulent use.
These checks can be time consuming, because the browser has to query the CA's OCSP responder the first time it sees the certificate. OCSP stapling is an alternative that removes much of this latency: the server fetches the OCSP response itself and staples the cached result directly to the TLS handshake. Because that response is still signed by the CA, the result is just as trustworthy, yet the client incurs no additional lookup.
How to do it...
In order to use OCSP stapling, we need to add two additional lines to our server block:
    ssl_stapling on;
    ssl_stapling_verify on;
This means that the server is now responsible for the initial OCSP lookup and will then attach the cached result to every subsequent TLS handshake...
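A complete server block showing the two directives in context, added here as an example and not taken from the original recipe; the hostname, file paths and resolver address are assumptions, and the extra directives are the ones ssl_stapling_verify depends on in practice:

```nginx
# Added example, not from the original page. Hostname, paths and the
# resolver address are placeholders; adjust them for your deployment.
server {
    listen 443 ssl;
    server_name example.com;

    # Serve the full chain so clients can build a path to the CA.
    ssl_certificate     /etc/nginx/ssl/example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # The two lines from the recipe: fetch OCSP responses and staple
    # them, and verify the responder's signature before stapling.
    ssl_stapling        on;
    ssl_stapling_verify on;

    # ssl_stapling_verify needs the issuing CA chain to check the
    # signature on the OCSP response it receives.
    ssl_trusted_certificate /etc/nginx/ssl/ca-chain.pem;

    # NGINX resolves the OCSP responder's hostname (taken from the
    # certificate's AIA extension) itself, so a resolver is required;
    # without one the error log warns and nothing is stapled.
    resolver         192.0.2.53 valid=300s;
    resolver_timeout 5s;
}
```

To confirm stapling is working, run `openssl s_client -connect example.com:443 -status </dev/null` and look for "OCSP Response Status: successful" in the output. Because NGINX fetches the response lazily, the first connection after a restart may show no staple, so repeat the check once.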