Ocsp stapling

I have my nginx virtual host set to enable ocsp stapling but it doesn’t
actually do it. Ssllabs testing reports no. OpenSSL cli testing reports

Nginx v1.8.0
Centos 6.7 64bit
OpenSSL 1.0.1e

I only have the ocsp config on one domain for testing. Any thoughts?


I have been using Nginx 1.8.X with ocsp stabling for a couple of weeks
it seems to be fine. Please send your config files, it may help…

Posted at Nginx Forum:


here is the relevant portion of my virtual hosts config:

server {
listen 443 ssl;
server_name ;

client_max_body_size 64m;
client_body_timeout 60;

access_log /var/log/nginx/…;
error_log /var/log/nginx/…;

root /var/www/html/rc/;
index index.html index.php;

ssl_protocols TLSv1.1 TLSv1.2;
ssl_certificate /etc/pki/tls/private/…pem;
ssl_certificate_key /etc/pki/tls/private/…pem;

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 4h;

ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/pki/tls/private/dhparams.pem;

add_header Public-Key-Pins-Report-Only
max-age=31536000; includeSubDomains’;

add_header Strict-Transport-Security “max-age=31536000;

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/pki/tls/private/root_store/…pem;

Config files seems to be OK. Just make sure “ssl_trusted_certificate”
contais the intermediate & root certificates (in that order from top to

You can test with the following command:

echo QUIT | openssl s_client -connect yourhost.com:443 -status 2>
| grep -A 17 ‘OCSP response:’ | grep -B 17 ‘Next Update’

good luck

Posted at Nginx Forum:


it all works now. once i enabled ocsp stapling for ALL of my virtual
domains, they then all began reporting correct results.

  • fabe


It does.

Test produces no results.

Not working on ssllabs (no result).

I’m clueless. I’ve seen mention out on the web about making sure you
define ocsp for the default site or none else will work. I also make use
of sni as I only have one ip address.

I have no truly “default” site configured.

Could be related? I am new to nginx so I’m still learning lots. Thanks