Certificate source for OCSP Stapling in Nginx?

D

Dmitry Kinash2015-04-01 13:40:35

Nginx

Dmitry Kinash, 2015-04-01 13:40:35

I received a certificate for the site from the Chinese company WoSign according to instructions from Habr. There was also a recommendation to avoid lengthy requests for certificate confirmation in China to configure OCSP Stapling . I took this article as a base . Everything is clear and understandable, except for the moment - where to get the certificate " root and intermediate CA certificate in PEM format " from.
Does this mean the usual chain of CA certificates, which is already in the certificate received for the site and is already used in the server 's ssl_certificate directive ? Those. is it enough to remove the site's PEM certificate from the received bundle and use it in this form in the ssl_trusted_certificate directive? If this is indeed the case, then why did the creators of NGinx make such a strange duplication mechanism, and not use the data that they already have? Or do you still need some other certificates?

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

P

polozad, 2015-04-01
@Dementor

Well, let's take and read the documentation:
What is not clear? ssl_trusted_certificate is only used when OCSP stapling is enabled. And only if root and intermediate are not in ssl_certificate.