Recently GlobalSign, DigiCert, and Comodo worked with Nginx to get OCSP stapling supported in Nginx 1.3.7. Unfortunately, architectural restrictions made it impractical to pre-fetch the OCSP response at server start-up, so instead the first connection to the server primes the cache that later connections use.
This is a fine compromise, but what if you really want the first connection to have the benefit too? There are two approaches you can take:
- Right after you start the server, make an SSL request to prime the cache.
- Manually fetch the OCSP response and put it where Nginx is looking for it.
The first approach is easy: right after you start your server, use OpenSSL s_client to connect to it with OCSP stapling enabled, just like I documented in this post; that first request triggers the retrieval of the OCSP response by Nginx. For the second approach, fetch the response yourself:
# Extract the responder URL from the certificate's Authority Information Access extension
URL=$(openssl x509 -in "$SERVER_CER" -noout -text | grep "OCSP - URI:" | cut -d: -f2,3)
# Fetch the response from the responder and write it in DER form to ocsp.resp
openssl ocsp -noverify -no_nonce -respout ocsp.resp -issuer \
"$ISSUER_CER" -cert "$SERVER_CER" -url "$URL"
Where "ocsp.resp" is whatever file you have configured in Nginx for "ssl_stapling_file".
Each approach has its pros and cons. With the first approach, your s_client call may not be the first request the server sees. With the second approach, if you are using a certificate that doesn't contain an OCSP pointer and have manually told Nginx where to fetch certificate status from, then the script above won't work (it reads the responder URL from the certificate).
It is worth noting that you can run this same script from cron to ensure your server never needs to hit the wire (and potentially block while doing so) when it tries to keep its OCSP cache up to date.
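As an added example (not from the original post), the following script wraps the manual fetch above into something safe to run from cron: it replaces the ssl_stapling_file only with a response that verifies against a CA bundle and reports the certificate as good, and keeps the previous file otherwise. The paths, the CA bundle argument and the helper function names are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original post. Refreshes the file nginx reads
# via ssl_stapling_file, but only with a response that verifies and says "good".
set -eu

# Pull the responder URL out of `openssl x509 -text` output read on stdin
# (stdin so the parsing can be exercised on constructed text).
ocsp_url_from_text() {
    grep 'OCSP - URI:' | head -n 1 | sed 's/.*OCSP - URI://' | tr -d ' '
}

# Accept the textual output of `openssl ocsp -text` (stdout and stderr merged)
# only if the response succeeded, the cert is good and the signature verified.
response_is_good() {
    text=$(cat)
    printf '%s\n' "$text" | grep -q 'OCSP Response Status: successful' || return 1
    printf '%s\n' "$text" | grep -q 'Cert Status: good' || return 1
    printf '%s\n' "$text" | grep -q 'Response verify OK' || return 1
}

# refresh_staple SERVER_CER ISSUER_CER CA_BUNDLE STAPLE_FILE
# CA_BUNDLE is assumed to hold the chain up to the root so the responder's
# certificate can be verified; STAPLE_FILE is the path in ssl_stapling_file.
refresh_staple() {
    server=$1; issuer=$2; trust=$3; staple=$4
    url=$(openssl x509 -in "$server" -noout -text | ocsp_url_from_text)
    [ -n "$url" ] || { echo "no OCSP URL in $server" >&2; return 1; }
    tmp=$(mktemp "$staple.XXXXXX")
    # openssl writes -respout before it verifies, so fetch into a temp file
    # and keep the old staple unless every check passes.
    if openssl ocsp -no_nonce -issuer "$issuer" -cert "$server" -CAfile "$trust" \
            -url "$url" -respout "$tmp" -text 2>&1 | response_is_good; then
        mv "$tmp" "$staple"   # atomic swap; nginx reads the file when it loads config
        return 0
    fi
    rm -f "$tmp"
    echo "rejected OCSP response from $url for $server" >&2
    return 1
}

# Cron usage (assumed paths), followed by a reload so nginx picks up the new file:
#   refresh_staple /etc/nginx/server.pem /etc/nginx/issuer.pem \
#       /etc/nginx/chain.pem /etc/nginx/ocsp.resp && nginx -s reload
```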