
Achieving OCSP stapling = Yes for WoSign certificates on Nginx

Good day, Habr readers.
After reading articles #1 and #2 (about the free SSL certificates from our Chinese friends at WoSign), I found that many people cannot achieve OCSP stapling = Yes for these certificates.
I want to tell you how I achieved it.

We have received a WoSign certificate and uploaded it to the server.
So, let's get started.

First, we fetch the intermediate certificates and append them to a single bundle file (the .crt/.cer files are DER and are converted to PEM on the way):
cd /path/to/your/ssl/
wget -O - https://www.startssl.com/certs/ca.pem >> ca-certs.pem
wget -O - https://www.startssl.com/certs/sub.class1.server.ca.pem >> ca-certs.pem
wget -O - http://aia.startssl.com/certs/ca.crt | openssl x509 -inform DER -outform PEM >> ca-certs.pem
wget -O - http://aia1.wosign.com/ca1g2-server1-free.cer | openssl x509 -inform DER -outform PEM >> ca-certs.pem
wget -O - http://aia6.wosign.com/ca6.server1.free.cer | openssl x509 -inform DER -outform PEM >> ca-certs.pem


Second, we add the following to the Nginx config:
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate "/path/to/your/ssl/ca-certs.pem";
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

Third, in the domain config we write the following for port 443 in the server section:
ssl on;
ssl_certificate /path/to/your/ssl/ssl.crt;
ssl_certificate_key /path/to/your/ssl/ssl.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'HIGH:!aNULL:!MD5:!kEDH';
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";


And finally, restart Nginx:
service nginx restart


Now, when checking with an SSL tester, we see an A+ result and OCSP stapling enabled.
You can also check it right on the server with the command:
openssl s_client -connect YourDomain.com:443 -tls1 -tlsextdebug -status

If the output looks like the following, everything is great:
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = CN, O = WoSign CA Limited, CN = WoSign Free SSL OCSP Responder (G2)
    Produced At: Mar 27 14:30:05 2015 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: A06661F16CBCC23E98BC71914830B85AAA8D0A6B
      Issuer Key Hash: D2A716207CAFD9959EEB430A19F2E0B9740EA8C7
      Serial Number: 4C306486969BCBC1AE555A1D8C117B87
    Cert Status: good
    This Update: Mar 27 14:30:05 2015 GMT
    Next Update: Mar 29 14:30:05 2015 GMT

    Signature Algorithm: sha1WithRSAEncryption
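To script the check above (for example from a monitoring job), here is an added example that is not part of the original post: it classifies the OCSP section printed by openssl s_client -status into an exit code, and counts the certificates that actually landed in the bundle so that a silently failed download in the first step is noticed. The host name, file paths and sample outputs are placeholders I constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies the "OCSP response:"
# section printed by `openssl s_client -status` so the check can be scripted.
# Exit codes: 0 = staple present and cert status good, 1 = no staple sent,
#             2 = staple present but status is not "good", 3 = unrecognised.
classify_staple() {
    out=$(cat)                                   # s_client output on stdin
    case "$out" in
        *"OCSP response: no response sent"*) return 1 ;;
    esac
    printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful' || return 3
    printf '%s\n' "$out" | grep -q 'Cert Status: good' && return 0
    return 2
}

# Counts PEM certificates in a bundle such as ca-certs.pem; a failed wget in
# the download step leaves the count lower than the five the post expects.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Live check against a host (placeholder name): the post's -status flag plus
# SNI, so name-based virtual hosts answer with the right certificate.
check_host() {
    printf 'QUIT\n' | openssl s_client -connect "$1:443" -servername "$1" \
        -status 2>/dev/null | classify_staple
}

# Constructed, trimmed sample outputs for offline use.
SAMPLE_GOOD='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    Next Update: Mar 29 14:30:05 2015 GMT'
SAMPLE_NONE='OCSP response: no response sent'
SAMPLE_REVOKED='OCSP Response Status: successful (0x0)
    Cert Status: revoked'
```

Run check_host YourDomain.com and branch on its exit code; exit code 1 is exactly the "no response sent" case the commenters on the earlier articles were hitting.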


Here are the results of the test on my blog.
In the comments to the articles above there were attempts (very similar to mine), but unsuccessful ones.
I am not forcing free certificates on anyone, but if you don't want to pay, use them!
Thanks.

Source: https://habr.com/ru/post/254231/

