Update
The Nginx documentation says the following:
For the OCSP stapling to work, the certificate of the server certificate issuer should be known. If the ssl_certificate file does not contain intermediate certificates, the certificate of the server certificate issuer should be present in the ssl_trusted_certificate file.
So we don't need to specify ssl_trusted_certificate, because Let's Encrypt creates fullchain.pem containing all certificates and we use that for ssl_certificate already.
================================
I'm wondering whether specifying ssl_trusted_certificate actually makes a difference. I only specified the following using Nginx 1.9.9:
ssl_certificate with fullchain.pem
ssl_certificate_key with privkey.pem
ssl_stapling on
ssl_stapling_verify on
Still, the command openssl s_client -connect <domain.com>:443 -tls1 -tlsextdebug -status gives me a successful OCSP response for my domain. Adding ssl_trusted_certificate does not seem to change the output of openssl. Is it somehow more efficient to specify ssl_trusted_certificate or is it unnecessary?