How to check nginx OCSP verification

A. Schulze sca at
Tue Mar 1 20:01:15 UTC 2016


> I want to have details about the status nginx' validation of the initial
> OCSP query it did to the OCSP responder of the CA, especially when it goes
> wrong.

We do not let nginx fetch the OCSP data itself but use ssl_stapling_file.
A cronjob calls openssl and VERIFIES the OCSP response.

     OCSP_RESPONSE='/path/to/ocsp_response_file' # ssl_stapling_file in nginx.conf
     CA_CHAIN='/path/to/ca_chain.pem'            # assumed name, not given in the original

     # all intermediate and root certificates except the certificate itself
     cat intermediate.pem root.pem > ${CA_CHAIN}

     DIRECT_ISSUER='root.pem' # or intermediate.pem, exactly one certificate
     CERT='cert.pem'          # for this certificate we need the OCSP response

     # responder URL from the certificate's AIA extension
     OCSP_URI=`openssl x509 -noout -ocsp_uri -in ${CERT}`

     # EXTRA_ARGS holds the per-CA tweaks listed below (empty by default)
     RESULT=`openssl ocsp -no_nonce                \
             -respout ${OCSP_RESPONSE}.tmp \
             -CAfile ${CA_CHAIN}           \
             -issuer ${DIRECT_ISSUER}      \
             -cert ${CERT}                 \
             -url ${OCSP_URI}              \
             ${EXTRA_ARGS} 2>&1`

     # exit status 0 alone does not prove the response verified and the
     # certificate is good (a "revoked" answer exits 0 too), so check the
     # printed result as well
     if [ $? -ne 0 ] \
        || ! echo "${RESULT}" | grep -q '^Response verify OK' \
        || ! echo "${RESULT}" | grep -q "^${CERT}: good"; then
       # handle error: keep the old stapling file, drop the new one
       rm -f ${OCSP_RESPONSE}.tmp
       exit 1
     fi

     # success: replace the stapling file atomically and let nginx reload it
     mv ${OCSP_RESPONSE}.tmp ${OCSP_RESPONSE}
     killall -HUP nginx

EXTRA_ARGS handles some special tweaks:
  - StartCom:
    EXTRA_ARGS='-header HOST'

  - Let's Encrypt:
    EXTRA_ARGS='-header HOST -verify_other  

you may want to adjust to your needs.
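The same verification run end to end, as an added example that is not part of the original post: a throwaway CA acts as its own OCSP responder (openssl ocsp in responder mode, fed from an openssl-ca style index.txt), and the stored response is then checked the way the cron job checks it, once for a good and once for a revoked certificate. It shows why the check has to look at what openssl prints and not only at the exit status. All file names, the serial 0x1001, the subject names and the index.txt rows are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the original post. Builds a constructed test PKI,
# answers an OCSP request for it locally and verifies the stored response
# as the cron job does. Every file name here is an assumption.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed test PKI: a self-signed CA and one leaf with serial 0x1001.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj '/CN=Test CA' -days 30 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj '/CN=example.test' >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 0x1001 \
    -out leaf.pem -days 30 >/dev/null 2>&1

# The request the cron job would send to the responder (no nonce, as in the post).
openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der >/dev/null 2>&1

# Answer it locally. The index.txt columns are: type (V=valid, R=revoked),
# expiry, revocation date, serial (hex), file, subject. $1 is the type,
# $2 the revocation date (empty for valid), $3 the response file to write.
respond() {
    printf '%s\t991231235959Z\t%s\t1001\tunknown\t/CN=example.test\n' "$1" "$2" > index.txt
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key -no_nonce \
        -reqin req.der -respout "$3" >/dev/null 2>&1
}
respond V '' resp_good.der
respond R 240101000000Z resp_revoked.der

# The cron job's check against a stored response instead of -url. Returns 0
# only if openssl reports both a verified signature chain and status "good";
# the exit status alone would also be 0 for a revoked certificate.
# $1 response, $2 certificate, $3 direct issuer, $4 CA chain file.
check_staple() {
    out=$(openssl ocsp -no_nonce -respin "$1" -issuer "$3" -cert "$2" -CAfile "$4" 2>&1) || return 1
    printf '%s\n' "$out" | grep -q '^Response verify OK' || return 1
    printf '%s\n' "$out" | grep -q "^$2: good" || return 1
}

# Just the status word openssl prints for the certificate: good, revoked or unknown.
# $1 response, $2 certificate.
ocsp_status() {
    openssl ocsp -no_nonce -respin "$1" -issuer ca.pem -cert "$2" -CAfile ca.pem 2>/dev/null \
        | sed -n "s/^$2: //p"
}

for r in resp_good.der resp_revoked.der; do
    if check_staple "$r" leaf.pem ca.pem ca.pem; then
        echo "$r: status $(ocsp_status "$r" leaf.pem), safe to install as ssl_stapling_file"
    else
        echo "$r: status $(ocsp_status "$r" leaf.pem), do not install"
    fi
done
```

Because nginx serves ssl_stapling_file as-is and never refreshes it, the cron job has to run again before the response's nextUpdate passes; `openssl ocsp -respin file -resp_text -noverify` prints that date (some responders omit it).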


More information about the nginx mailing list