SSL stapling

SSL stapling, also called OCSP (Online Certificate Status Protocol) stapling, is a technique that allows clients to connect and resume sessions with an SSL/TLS server without having to contact the certificate authority, thus reducing SSL negotiation time. In a normal OCSP transaction, the client contacts the certificate authority to check the revocation status of the server's certificate. For high-traffic websites, this can place a heavy load on the CA's servers. Stapling was designed as an intermediary solution: your server itself periodically obtains the OCSP record from the CA and staples it to its exchanges with clients. Your server caches the OCSP record for up to 48 hours in order to limit communication with the CA.

Enabling SSL stapling should thus speed up communication between your visitors and your server. Achieving this in Nginx is relatively simple: all you really need is to insert three directives into your server block and obtain a full trusted certificate chain file (containing both the root and intermediate certificates) from your CA:

  • ssl_stapling on: Enables SSL stapling within the server block
  • ssl_stapling_verify on: Enables verification of OCSP responses by the server
  • ssl_trusted_certificate filename: Where filename is the path of your full trusted certificate chain file (the extension should be .pem)

Two optional directives also exist, allowing you to modify the behavior of this module:

  • ssl_stapling_file filename: Where filename is the path of a cached OCSP record, overriding the record provided by the OCSP responder specified in the certificate file
  • ssl_stapling_responder url: Where url is the URL of your CA's OCSP responder, overriding the URL specified in the certificate file.

If you are having issues connecting to the OCSP responder, make sure your Nginx configuration contains a valid DNS resolver (using the resolver directive).
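The following server block is an added example, not configuration from the book, showing the three stapling directives together with the resolver directive mentioned above; the hostname, file paths and DNS server address are placeholders.

```nginx
# Added example (not from the book). Placeholder paths, hostname and
# resolver address; replace them with your own values.

# Nginx needs a DNS resolver to look up the OCSP responder's hostname.
# 192.0.2.53 is a documentation-range placeholder, not a real resolver.
resolver 192.0.2.53 valid=300s;
resolver_timeout 5s;

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # Enable OCSP stapling for this server block.
    ssl_stapling on;

    # Have Nginx verify the OCSP response it fetched before stapling it.
    ssl_stapling_verify on;

    # Full trusted chain (intermediate + root) used to verify the
    # OCSP responder's signature; must be a PEM file.
    ssl_trusted_certificate /etc/nginx/ssl/ca-chain.pem;

    # Optional overrides (normally not needed; placeholder values):
    # ssl_stapling_responder http://ocsp.example-ca.invalid/;
    # ssl_stapling_file /etc/nginx/ssl/ocsp-response.der;
}
```

After reloading Nginx, a handshake made with `openssl s_client -connect example.com:443 -status` prints the stapled OCSP response when stapling is working.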
