ssl_stapling_verify: do we need 'ssl_trusted_certificate' if the intermediate certs are present in ssl_certificate?

Maxim Dounin mdounin at
Wed Sep 29 13:23:46 UTC 2021


On Wed, Sep 29, 2021 at 12:47:58PM +0800, Jeffrey 'jf' Lim wrote:

> has a note about not needing 'ssl_trusted_certificate' if
> ssl_certificate has intermediate certificates. I do not see a similar
> note for ssl_stapling_verify
> (
> though. Is this also the same?

No.  To verify OCSP response OpenSSL needs a full chain up to a 
trusted root certificate.

Maxim Dounin

More information about the nginx mailing list