How to Enable OCSP Stapling
OCSP Stapling — the server fetches the OCSP response from the CA ahead of time and "staples" it to the TLS handshake. Without stapling, every client queries OCSP themselves → +100-300ms + URL leak to CA. nginx setup: 3 directives + a resolver. Pro and secure-by-default.
Below: step-by-step, working examples, common pitfalls, FAQ.
Step-by-Step Setup
- Get chain.pem from the CA (Let's Encrypt: /etc/letsencrypt/live/example.com/)
- In nginx server block add:
ssl_stapling on; ssl_stapling_verify on; - Set trusted certificate:
ssl_trusted_certificate /path/to/chain.pem; - Add resolver:
resolver 1.1.1.1 8.8.8.8 valid=60s; nginx -t && systemctl reload nginx- Verify:
openssl s_client -connect example.com:443 -status < /dev/null 2>&1 | grep -A2 "OCSP Response" - Enterno SSL shows OCSP Stapling = "Enabled"
Working Examples
| Scenario | Config |
|---|---|
| nginx minimal config | server {
listen 443 ssl;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
resolver 1.1.1.1 valid=60s;
} |
| Apache | SSLUseStapling On\nSSLStaplingCache "shmcb:logs/ssl_stapling(32768)" |
| Verify success | openssl s_client -connect example.com:443 -status | grep "OCSP Response Status" |
| Must-Staple (enforce) | certbot certonly --must-staple -d example.com # cert gets must-staple extension |
Common Pitfalls
- Forgetting resolver — nginx can't resolve the OCSP host → stapling breaks
- chain.pem contains only server cert (no intermediate) — validation fails
- Too aggressive resolver timeout — stapling disables itself periodically
- Must-Staple cert + OCSP down — client can't connect (harsh but secure)
- On first request nginx does a fresh OCSP fetch — a few early clients see latency
Why teams trust us
How it works
Enter domain
TLS chain verified
Expiry date & vulnerabilities
What Does the SSL Check Cover?
SSL/TLS is the encryption protocol that protects data between the browser and server. Our tool analyzes the certificate, chain of trust, TLS version, and knownvulnerabilities.
Certificate Details
Issuer, validity period, signature algorithm, covered domains (SAN), and validation type (DV/OV/EV).
Chain of Trust
Full chain verification: from leaf certificate through intermediates to root CA.
TLS Analysis
Protocol version (TLS 1.2/1.3), cipher suites, Perfect Forward Secrecy (PFS) support.
Expiry Alerts
Set up a monitor — get Telegram and email alerts 30/14/7 days before expiration.
DV vs OV vs EV Certificates
- Confirms domain ownership only
- Issued in minutes automatically
- Free via Let's Encrypt
- Suitable for most websites
- Most common certificate type
- Organization (OV) or Extended Validation (EV)
- Issued in 1-5 business days
- Costs $50 to $500/year
- For finance, e-commerce, government sites
- Increases user trust
Who uses this
DevOps
SSL certificate monitoring
Security
TLS config audit
SEO
HTTPS as ranking factor
E-commerce
customer trust
Common Mistakes
www and subdomains.Best Practices
Strict-Transport-Security header forces browsers to always use HTTPS.Get more with a free account
SSL certificate monitoring, check history and alerts 30 days before expiry.
Sign up freeLearn more
How-to
Frequently Asked Questions
Is OCSP Stapling required?
Not technically, but Qualys SSL Labs docks grade to A-. Mozilla recommends. Browsers with Must-Staple cert require it.
How often does nginx refetch OCSP?
nginx caches the response for several hours (not directly tunable, depends on OCSP response cache control).
Does Let's Encrypt support OCSP?
Yes, fully. Their responder ocsp.int-x3.letsencrypt.org runs 24/7.
How do I verify stapling works?
<a href="/en/ssl">Enterno SSL</a> → TLS section → "OCSP Stapling: Active" + <code>openssl s_client -status</code>.