Enabling OCSP stapling improves TLS connection reliability and performance by having the server provide revocation status during the handshake. This avoids extra client-side calls to the certificate authority responder, reducing latency and preventing a common privacy leak where clients reveal visited hostnames via direct OCSP checks.

With stapling enabled, Nginx fetches an OCSP response for the configured certificate, caches it, and includes it in the TLS handshake as a “Certificate Status” response. The feature is controlled by ssl_stapling and ssl_stapling_verify, and it depends on a trusted issuer chain (ssl_trusted_certificate) plus working DNS resolution (resolver) so Nginx can reach the CA’s responder.

Stapling only applies where HTTPS is terminated; enabling it on an upstream web server has no effect when TLS terminates at a load balancer, reverse proxy, or CDN. A missing intermediate chain, an incorrect trust file, or blocked outbound DNS/HTTP traffic can prevent stapling from working; certificates using “must-staple” make failures especially visible because some clients can hard-fail if a stapled response is unavailable.

Steps to enable OCSP stapling in Nginx:

  1. Open the file containing the HTTPS server block for the virtual host.
    $ sudoedit /etc/nginx/sites-available/example.com.conf

    Common virtual host locations include /etc/nginx/sites-available and /etc/nginx/conf.d.

  2. Confirm the ssl_certificate directive references a full chain file such as fullchain.pem.
    server {
        listen 443 ssl;
        server_name example.com;
    
        ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    
        ##### snipped #####
    }

    A “full chain” file includes the leaf certificate plus intermediate certificates needed by clients.

  3. Add the OCSP stapling directives inside the HTTPS server block.
    server {
        ##### snipped #####
    
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    
        ##### snipped #####
    }

    ssl_trusted_certificate must contain the issuer chain used to verify the OCSP response; for some deployments this is a dedicated chain bundle rather than the system CA bundle.

  4. Add a resolver directive that can resolve the certificate authority OCSP responder hostname.
    server {
        ##### snipped #####
    
        resolver 1.1.1.1 1.0.0.1 valid=300s;
        resolver_timeout 5s;
    
        ##### snipped #####
    }

    Blocking outbound DNS or HTTP(S) from the Nginx host can prevent stapling and may cause handshake failures with “must-staple” certificates.

  5. Test the Nginx configuration for syntax errors.
    $ sudo nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful

  6. Reload Nginx to apply the updated configuration without dropping existing connections.
    $ sudo systemctl reload nginx

  7. Confirm a stapled OCSP response is being served in the TLS handshake.
    $ openssl s_client -connect example.com:443 -servername example.com -status </dev/null
    CONNECTED(00000003)
    ##### snipped #####
    OCSP response:
    ======================================
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: ##### snipped #####
    Produced At: Dec 14 12:00:00 2025 GMT
    This Update: Dec 14 12:00:00 2025 GMT
    Next Update: Dec 21 12:00:00 2025 GMT
    ##### snipped #####

  8. Check the Nginx error log for stapling failures when the “OCSP response:” section is missing from the s_client output.
    $ sudo tail -n 50 /var/log/nginx/error.log
    2025/12/14 12:03:11 [warn] 12345#12345: "ssl_stapling" ignored, issuer certificate not found for certificate "/etc/letsencrypt/live/example.com/fullchain.pem"
    2025/12/14 12:03:11 [warn] 12345#12345: no resolver defined to resolve ocsp.example-ca.invalid while requesting certificate status, responder: ocsp.example-ca.invalid
    ##### snipped #####

    Look for messages containing ssl_stapling, stapling, OCSP, or resolver to pinpoint missing chain files, DNS issues, or blocked outbound access.
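Scripting the step-7 check, as an added example that is not part of the original article: the script classifies the OCSP section of openssl s_client output (tested here against constructed sample output so it runs offline) and wraps the live command for a hostname. The function names classify_staple, next_update and check_host are chosen here, not taken from Nginx or OpenSSL.

```shell
#!/bin/sh
# Added example (not from the original article): classify the OCSP section of
# `openssl s_client -status` output so the step-7 check can be scripted.
# The sample outputs below are constructed; "no response sent" is the text
# s_client prints when the server sends no stapled response.

classify_staple() {
  # $1: full s_client output. Prints stapled|missing|failed; returns 0 only for stapled.
  out=$1
  if printf '%s\n' "$out" | grep -q '^OCSP response: no response sent'; then
    printf 'missing\n'; return 1
  fi
  if printf '%s\n' "$out" | grep -q '^OCSP Response Status: successful'; then
    printf 'stapled\n'; return 0
  fi
  printf 'failed\n'; return 1
}

next_update() {
  # $1: s_client output. Prints the "Next Update" timestamp so staple expiry can be tracked.
  printf '%s\n' "$1" | sed -n 's/^Next Update: //p'
}

check_host() {
  # $1: hostname. Runs the step-7 command; a second attempt is made because
  # Nginx fetches the OCSP response lazily after the first handshake.
  host=$1
  for attempt in 1 2; do
    out=$(openssl s_client -connect "$host:443" -servername "$host" -status </dev/null 2>/dev/null)
    status=$(classify_staple "$out") && break
    sleep 1
  done
  printf '%s: %s' "$host" "$status"
  nu=$(next_update "$out")
  [ -n "$nu" ] && printf ' (next update %s)' "$nu"
  printf '\n'
  [ "$status" = stapled ]
}

# Constructed samples of the relevant s_client output lines.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Status: successful (0x0)
Next Update: Dec 21 12:00:00 2025 GMT'

SAMPLE_MISSING='CONNECTED(00000003)
OCSP response: no response sent'
```

Nginx only fetches the OCSP response after the first handshake following a reload, so the very first connection may legitimately show no staple; check_host retries once for that reason.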
