Nginx; how to use OCSP to verify the SSL client certificate
I am using Nginx to create a secure connection. When I revoked the client certificate, I could still connect to Nginx over https. I know I should configure the ssl_crl directive, but I want to use OCSP to verify the client certificate. How should I do that? I found that Nginx uses the OpenSSL library to establish the SSL connection; is there something I should do with the openssl.cnf file?

Singlefoot answered 5/12, 2015 at 8:21 Comment(0)

Client certificate validation with OCSP has been added in nginx 1.19.0+. For example:

    ssl_verify_client on;
    ssl_ocsp on;
    resolver 192.0.2.1;

ssl_ocsp enables OCSP validation of the client certificate chain.
ssl_ocsp leaf; enables validation of the client certificate only.
By default, ssl_ocsp is set to off.
The ssl_verify_client directive should be set to on or optional for the OCSP validation to work, and a resolver should be specified to resolve the OCSP responder hostname.

Tahiti answered 26/5, 2020 at 19:31 Comment(0)
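A fuller configuration showing how these directives fit together, as an added example rather than code from the answer above; the certificate paths, the responder URL, the resolver address and the log path are placeholders for your own PKI.

```nginx
# Added example (not from the answer): nginx >= 1.19.0 with client
# certificate verification plus OCSP revocation checking.
http {
    # Record the verification result and the client subject for audit.
    # A revoked certificate is rejected with HTTP 495 and logged as
    # verify=FAILED:<reason>; a missing certificate is rejected with 496.
    log_format mtls '$remote_addr [$time_local] verify=$ssl_client_verify '
                    'subject="$ssl_client_s_dn" "$request" $status';

    server {
        listen 443 ssl;
        server_name example.com;

        ssl_certificate     /etc/nginx/ssl/server.crt;   # placeholder path
        ssl_certificate_key /etc/nginx/ssl/server.key;   # placeholder path

        # CA(s) that issue the client certificates; the presented chain is
        # verified against these, up to ssl_verify_depth intermediates.
        ssl_client_certificate /etc/nginx/client_certs/ca.crt;  # placeholder
        ssl_verify_client on;
        ssl_verify_depth 2;

        # Check revocation via OCSP for the whole client chain
        # ("ssl_ocsp leaf;" would check only the end-entity certificate).
        ssl_ocsp on;

        # Optional: override the responder URL taken from the certificate's
        # Authority Information Access extension.
        ssl_ocsp_responder http://ocsp.example.internal/;  # placeholder URL

        # Cache responses so that not every handshake triggers an OCSP request.
        ssl_ocsp_cache shared:ocsp:1m;

        # Required to resolve the responder hostname.
        resolver 192.0.2.1 valid=300s;  # placeholder resolver

        access_log /var/log/nginx/mtls.log mtls;  # placeholder path

        location / {
            root /var/www/html;
        }
    }
}
```

Run `nginx -t` after editing and watch the error log on the first handshakes: if the responder is unreachable or unresolvable, verification fails closed and every client is rejected, so the resolver and responder reachability are worth testing before enabling this in production.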

Update
Nginx added support for client certificate validation with OCSP in version 1.19.0, released 26 May 2020. See ssl_ocsp and related directives.

Original answer
Nginx does not support OCSP validation of client certificates. The only option of validating client certificates is to use CRLs, update them and reload Nginx to apply the changes.

In this thread one of the leading Nginx developers confirms that and says that nobody is working on it as of 2014: https://forum.nginx.org/read.php?2,238506,245962

Fizzy answered 25/6, 2017 at 0:36 Comment(2)
There is a ticket now: trac.nginx.org/nginx/ticket/1534 Please mark this as the accepted answer. – Verily
It's supported as of now, please delete the post! – Nevadanevai

Prerequisites:

  • a running PKI with OCSP configured

Nginx server config

    # Specifies a file with trusted CA certificates in the PEM format used to verify
    # client certificates and OCSP responses if ssl_stapling is enabled.
    # The list of certificates will be sent to clients. If this is not desired,
    # the ssl_trusted_certificate directive can be used.
    ssl_client_certificate /etc/nginx/client_certs/ca.crt;
    ssl_verify_client on;
    ssl_stapling on;  # Yes, this has to be configured to use OCSP
    resolver 192.0.2.1;

Allred answered 29/8, 2019 at 16:55 Comment(1)
I don't think this verifies the client certificate, but rather allows the client to verify the server certificate using OCSP. The ticket is here: trac.nginx.org/nginx/ticket/1534 – Verily

This is just a sample of how the configuration should look in your server block:

    server {

        # Listen on port 443 with TLS enabled
        # (the "ssl on;" directive is obsolete and was removed in nginx 1.25.1)
        listen 443 ssl default_server;
        server_name example.com;

        root /path/to/site-content/;
        index index.html index.htm;

        # Specify certificate & key
        ssl_certificate /etc/nginx/ssl/example.com/my_certificate.crt;
        ssl_certificate_key /etc/nginx/ssl/example.com/example.key;

        # Enable OCSP Stapling, point to certificate chain
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/ssl/full_chain.pem;

    }

Make sure the certificate paths match your setup, and then save your work.

Test your configuration before reloading...

and last, restart or reload Nginx by either of the following commands:

sudo service nginx reload

or

sudo service nginx restart

Final step: test your OCSP stapling through this link to check whether your SSL is working:

OCSP Stapling SSL Checker

Tlingit answered 31/1, 2016 at 15:20 Comment(1)
The OP asks about verifying the client certificate by OCSP. OCSP stapling is completely irrelevant to this. OCSP stapling is about saving OCSP verification requests on the client side. – Multiphase
