Previously we covered how to install an SSL certificate on an Nginx server and how to install a free Let's Encrypt SSL/TLS certificate on your server; we recommend reading, or at least skimming, both. Many users complain that OCSP stapling does not work in Nginx, or that they get a chain error. Here is a working step-by-step guide to OCSP stapling in Nginx. We recommend switching to free Let's Encrypt, or to free StartSSL, unless you specifically need a DV SSL/TLS certificate. Let's Encrypt is open and free software, so the chance of an exploit or bug is far lower, and it is now mature enough for professional blogs.
OCSP Stapling in Nginx: Why We Need OCSP Stapling, What It Does, and Who Needs It
OCSP stapling is a simple method for quickly and safely determining whether an SSL certificate is valid. It lets the web server hand the browser proof of the validity of its own certificate, instead of making the browser request that information over the network from the certificate vendor. Implementing OCSP stapling causes no real performance slowdown on your own server. In theory OCSP stapling is purely a performance enhancement; in practice it does improve security as well. It avoids both the performance impact and the privacy issue of plain OCSP by letting the web server itself periodically query the OCSP responder, and then serve clients its own certificate together with the responder's proof that the certificate is not revoked. Because this removes the performance hit and the privacy issue for the client, browsers are more likely to implement OCSP stapling than plain OCSP, so it indirectly helps security. The advantages are faster load times for secure content, at least in theory, and higher customer satisfaction where a page makes requests to multiple domains, as in online payment.
OCSP stands for Online Certificate Status Protocol. OCSP stapling is the newer mechanism: the website bears the resource cost of attaching a time-stamped OCSP response, signed by the CA, to the initial TLS handshake. The original OCSP design increased the cost for certificate authorities, because a response had to be produced for every client in real time; stapling also gives the site control over response timing. An OCSP response places less burden on network and client resources than a certificate revocation list (CRL). RFC 6960 defines the Online Certificate Status Protocol, the TLS Certificate Status Request extension is specified in RFC 6066, and RFC 6961 defines a Multiple Certificate Status Request extension, which allows a server to send multiple OCSP responses in the TLS handshake. The current version of the proposal was extended to support additional TLS extensions after the Heartbleed OpenSSL bug was fixed. Most browsers do not implement any kind of public CRL because CRLs do not scale; OCSP was proposed to replace them.
---
OCSP stapling should be used by everyone unless there is a specific reason not to.
OCSP Stapling in Nginx: Working Step-by-Step Guide
Anyone who has followed the steps we described in how to install an SSL certificate on an Nginx server should have no difficulty with these steps. We assume the user has the separate X.509 SSL/TLS certificates that a CA like GeoTrust typically sells: plain-text files that can be copied and pasted and start with `-----BEGIN CERTIFICATE-----`. Within reason any extension can be used: `.pem`, `.cer`, `.cert`, or no extension at all. Do not be put off by the `.pem` extension. These certification authorities were fully closed source before Let's Encrypt appeared, and their employees wrote their few-line guides however they wished. Unless you get an error in the browser or in the SSL Labs test, treat them as X.509 SSL/TLS certificates; the servers are *nix and read them correctly regardless of the filename extension. If your CA provides certificates in DER format, you need to convert them to PEM (there are online tools, shell commands, etc.).
GeoTrust QuickSSL Premium normally supplies the domain certificate and the intermediate certificate in X.509 form. The root certificate is available on the certificate provider's website. Since a typical provider has many root certificates for its various certificate types, run a test on the SSL Labs online tool before downloading the root certificate: it shows the issuer name, for example GeoTrust Primary Certification Authority G3 for GeoTrust DV SSL certificates. GeoTrust publishes a list of its root certificates, and the user needs to select the right one. Certificates from other CAs must be matched in the same way.
At the end, we have three separate certificates:
- Domain / Web Server Certificate
- Intermediate Certificate
- Root Certificate
In the context of this guide there are two Nginx directives that matter: `ssl_certificate` and `ssl_trusted_certificate`. We have to concatenate the three certificates above in the proper sequence and combination to create two files. Chain-issue errors are common when the method is not properly understood or when a medium-sized web host resold the certificate. For OCSP stapling in Nginx, the concatenated files must have the following contents, in this order:
`ssl_certificate` should contain:
- Web server / domain certificate
- Intermediate certificate

`ssl_trusted_certificate` should contain:
- Root certificate
- Intermediate certificate
Let us name the resulting files `ssl_certificate.crt` and `ssl_trusted_certificate.crt`. How do we concatenate the files? Concatenating, in the context of OCSP stapling in Nginx, is just copy-pasting one file after another as plain text in the order given above. We have kept a fake example of a concatenated file on this gist. You can create them by simple copy-paste in a plain text editor on OS X or GNU/Linux, desktop or server, or run the `cat` command and redirect into the desired file, in this way:

```sh
# ssl_trusted_certificate.crt: root certificate first, then the intermediate
cat root.pem >> ssl_trusted_certificate.crt
cat intermediate.pem >> ssl_trusted_certificate.crt
```
It is basically a copy-paste with one line break after the end of each certificate. So, create `ssl_certificate.crt` and `ssl_trusted_certificate.crt` by combining the right certificates in the right sequence. We assume that you keep the certificates in `/etc/nginx/ssl/whatever-named-dir`. You will use the following sequence of directives:

```nginx
...
ssl_certificate         /etc/nginx/ssl/whatever-named-dir/ssl_certificate.crt;
ssl_certificate_key     /etc/nginx/ssl/whatever-named-dir/server.key;
ssl_dhparam             /etc/nginx/ssl/whatever-named-dir/dhparam.pem;
ssl_stapling            on;
# check the fetched OCSP response against ssl_trusted_certificate
ssl_stapling_verify     on;
# Nginx needs a resolver to reach the CA's OCSP responder
resolver                8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout        10s;
ssl_trusted_certificate /etc/nginx/ssl/whatever-named-dir/ssl_trusted_certificate.crt;
...
```
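The concatenation step above, as an added example that is not from the original article: a POSIX shell script that builds both bundles in the order the guide requires, guarantees a line break between certificates (a source file with no trailing newline otherwise fuses `-----END CERTIFICATE-----` with the next `-----BEGIN CERTIFICATE-----`, which is a frequent cause of a Chain Issues error), and counts the blocks afterwards. The input file names `domain.pem`, `intermediate.pem` and `root.pem` are assumptions.

```sh
#!/bin/sh
# Build ssl_certificate.crt and ssl_trusted_certificate.crt for Nginx.
# Assumed inputs in one directory: domain.pem, intermediate.pem, root.pem.
# Usage: build_bundles /etc/nginx/ssl/whatever-named-dir

# Append SRC to DST, adding a newline if SRC does not end with one,
# so two PEM blocks can never end up fused on a single line.
append_pem() {
    src=$1; dst=$2
    cat "$src" >> "$dst"
    # "$(tail -c 1 ...)" is empty when the last byte is a newline
    [ -n "$(tail -c 1 "$src")" ] && printf '\n' >> "$dst"
    return 0
}

# Print the number of certificate blocks whose BEGIN line stands alone.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Write both bundles in the order Nginx expects:
#   ssl_certificate.crt         = domain + intermediate
#   ssl_trusted_certificate.crt = root + intermediate
build_bundles() {
    dir=$1
    : > "$dir/ssl_certificate.crt"
    append_pem "$dir/domain.pem"       "$dir/ssl_certificate.crt"
    append_pem "$dir/intermediate.pem" "$dir/ssl_certificate.crt"
    : > "$dir/ssl_trusted_certificate.crt"
    append_pem "$dir/root.pem"         "$dir/ssl_trusted_certificate.crt"
    append_pem "$dir/intermediate.pem" "$dir/ssl_trusted_certificate.crt"
}

# Succeed only if FILE holds exactly WANT intact BEGIN/END pairs.
check_bundle() {
    f=$1; want=$2
    begins=$(count_certs "$f")
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
    [ "$begins" -eq "$want" ] && [ "$ends" -eq "$want" ]
}
```

Run `check_bundle ssl_certificate.crt 2` and `check_bundle ssl_trusted_certificate.crt 2` before reloading Nginx; a fused line shows up as a count of 1.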
In that configuration `ssl_dhparam` is optional for OCSP stapling itself, but it is needed against the Logjam security threat attributed to the NSA. `ssl_stapling_verify on` makes Nginx check the OCSP response it fetched against the certificates in `ssl_trusted_certificate`, which is why that file must hold the root and the intermediate. Run a config test with `nginx -t` on deb GNU/Linux, then restart the Nginx web server for the change to take effect (`service nginx restart` is the classic command on deb GNU/Linux). Test your website on the SSL Labs online test: you will see no error under Chain Issues, and OCSP stapling will show as ON. We can also test the server from an SSH session with this command; replace `your-domain-name.com` with your real domain name:

```sh
# -servername sends SNI so a virtual host returns the certificate being tested
echo QUIT | openssl s_client -connect your-domain-name.com:443 -servername your-domain-name.com -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
```
You will see this kind of response when it is successful; note the `OCSP Response Status: successful (0x0)` line:

```
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: E1FF68EB85774E3804E4E599A5208DA7174FEE61
    Produced At: Jul 18 07:20:53 2016 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: B378EAC54E21B0EAAAA70B5A4C5ACF9AC3195DBD
      Issuer Key Hash: 49ECA7C8A9F7C5BB2CAA24E7F443B3B13CE854F8
      Serial Number: 1804F61AC8E064490B9B5420B7C34B6A
    Cert Status: good
    This Update: Jul 18 07:20:53 2016 GMT
    Next Update: Jul 25 07:20:53 2016 GMT
```