ssl_ocsp_responder
The ssl_ocsp_responder directive specifies the OCSP responder URL for SSL certificate revocation checking.
Description
The ssl_ocsp_responder directive in NGINX sets the URL of the Online Certificate Status Protocol (OCSP) responder that is queried to check the revocation status of SSL/TLS certificates presented to the server during the SSL handshake. When a client connects and establishes an SSL/TLS session, this directive tells NGINX which responder to ask whether the certificate presented by the client is still valid and has not been revoked by the certificate authority. This matters for the security and integrity of SSL connections, because it keeps the server from trusting revoked client certificates.
This directive can be set in the http or server context, so it can apply globally or to a specific virtual server. It takes a single parameter: the URL of a valid OCSP responder endpoint. It requires that the OpenSSL library be compiled with OCSP support. NGINX queries this external OCSP service for the certificate's status when needed during the SSL handshake, and the response from the responder determines whether the client's certificate is accepted or rejected based on its current status.
Config Example
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /path/to/certificate.pem;
    ssl_certificate_key /path/to/privatekey.pem;
    ssl_ocsp_responder http://ocsp.example.com;
}
Ensure the URL is accessible from the server where NGINX is running.
Verify that your OpenSSL installation supports OCSP; otherwise, this directive will have no effect.
The OCSP responder must be properly configured and online to respond to queries.
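A fuller server block, added here as an example (not taken from the NGINX documentation), showing the directives that must accompany ssl_ocsp_responder for client-certificate revocation checking to actually run; the hostnames and file paths are placeholders.

```nginx
server {
    listen 443 ssl;
    server_name example.com;

    # Placeholder paths for the server's own certificate and key.
    ssl_certificate     /etc/nginx/tls/server.pem;
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Require a client certificate and trust only certificates that chain
    # to this CA bundle. ssl_ocsp_responder has no effect unless client
    # certificates are being verified in the first place.
    ssl_verify_client      on;
    ssl_client_certificate /etc/nginx/tls/client-ca.pem;

    # Turn on OCSP validation of the client certificate chain
    # (nginx 1.19.4 or later). Without "ssl_ocsp on", the responder URL
    # below is never consulted. Use "ssl_ocsp leaf" to check only the
    # client certificate itself rather than every certificate in the chain.
    ssl_ocsp on;

    # Override the responder URL taken from the certificate's
    # Authority Information Access extension. Only http:// responders are
    # supported; OCSP responses are signed by the CA (or its delegated
    # responder), so the transport itself does not need to be TLS.
    ssl_ocsp_responder http://ocsp.example.com/;
}
```

The OCSP responder must be reachable from the NGINX host over plain HTTP, and the verification outcome is visible in the $ssl_client_verify variable for logging.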