I’m merely another system admin, trying to provide some helpful guidance from my own prior experience.
I’d like to just take a moment to point out that (unless things have quite recently improved a great deal), using either the in-built OCSP stapling functionality for Apache or for nginx is folly.
Seriously, don’t use those. They’ll amplify a momentary glitch fetching an OCSP response into a site outage for you. Promise. Just give them time.
Last time I looked (several months ago) they were finally looking into improving the validation of the responses they got and caching old responses to be held in case they get a later bad response or no response, etc, etc, but they were also discussing things like whether the OCSP fetcher even had to actually be an HTTP/1.1 client. (For what it’s worth, whether or not full true HTTP/1.1 support is actually required, at a minimum the Host: record is essential for getting OCSP responses off the CDNs that are where you’re generally getting the response from.)
It’s great you want to improve security overall by OCSP stapling your TLS sessions. But… Those two pieces of software have completely immature OCSP stapling mechanisms (again, at least as of several months ago.)
Furthermore, even if/when they fix that (either or both of them), it will take SIGNIFICANT time before such improvements in the main line are imported into the builds that your typical Linux distro X is shipping. Probably more than a year. Sometimes years. The downline packagers are looking for critical matters and security FIXes, not enhancements.
If you insist on doing OCSP stapling, run Microsoft’s web server (and who would have thought?!?) or Caddy.
The CDNs (and some CAs) are to blame for OCSP reliability being what it is, but no single element on the Internet is meant to be reliable anyway.
Not all OCSP stapling implementations are equal. Last I looked, Apache’s and NGINX’s were far less equal than others.