SSL OCSP Stapling With Nginx

OCSP stapling can significantly reduce the overhead and latency of running SSL. We enable OCSP stapling on all of our nginx instances at

OCSP stapling, formally known as the TLS Certificate Status Request extension, is an alternative approach to the Online Certificate Status Protocol (OCSP) for checking the revocation status of X.509 digital certificates. It allows the presenter of a certificate to bear the resource cost involved in providing OCSP responses, instead of the issuing Certificate Authority (CA). — Wikipedia

It is actually quite trivial to set up in nginx with a few directives:

http {
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
    resolver valid=300s;   # a DNS server address belongs before valid= (not reproduced on this page)
    resolver_timeout 10s;
}

You must specify a DNS resolver, since nginx makes external HTTP requests to the CA's OCSP responder. We use Google Public DNS, but OpenDNS or your hosting provider's DNS should all work just fine. We also set a 5 minute cache time-to-live for resolved names and a 10 second resolver timeout.

You'll also need to provide the trusted certificate file used to verify the OCSP responses. We have a wildcard SSL certificate from GoDaddy, so the content of stapling.trusted.crt is simply:

Finally, you may verify that OCSP stapling is enabled with SSL Labs. Here is our report for
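The same check can be run from the command line. The script below is an added example, not part of the original post; it assumes the openssl CLI is installed and that the host name in check_stapling is one you operate.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a server actually
# staples an OCSP response. Assumes the openssl command-line tool is installed.

# classify_ocsp reads `openssl s_client -status` output on stdin and prints
# one of: "stapled good", "stapled revoked", "stapled <status>",
# "not-stapled" or "unknown". It always exits 0; the printed word is the result.
classify_ocsp() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        # A stapled response was sent and parsed; report the certificate status
        # openssl printed for it (good / revoked / unknown).
        status=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: \([a-z]*\).*/\1/p' | head -n 1)
        printf 'stapled %s\n' "${status:-unknown}"
    elif printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        # openssl prints this when the server sent no status; nginx does that
        # until its background OCSP fetch has completed, or when stapling is off.
        printf 'not-stapled\n'
    else
        printf 'unknown\n'
    fi
    return 0
}

# check_stapling HOST [PORT]: connect with SNI, request a stapled status and
# classify what came back. The first handshake after an nginx restart usually
# reports "not-stapled" because nginx fetches the response lazily; retry once.
check_stapling() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | classify_ocsp
}

# Usage: check_stapling example.com
```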