ssl_stapling_verify: do we need 'ssl_trusted_certificate' if the intermediate certs are present in ssl_certificate?
Maxim Dounin
mdounin at mdounin.ru
Wed Sep 29 13:23:46 UTC 2021
Hello!
On Wed, Sep 29, 2021 at 12:47:58PM +0800, Jeffrey 'jf' Lim wrote:
> http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
> has a note about not needing 'ssl_trusted_certificate' if
> ssl_certificate has intermediate certificates. I do not see a similar
> note for ssl_stapling_verify
> (http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling_verify)
> though. Is this also the same?
No. To verify OCSP response OpenSSL needs a full chain up to a
trusted root certificate.
--
Maxim Dounin
http://mdounin.ru/
More information about the nginx
mailing list