
Nginx lets us use multiple certificates so that we can use both ECC and RSA certificates

ssl_certificate /etc/ssl/example.com.combined.crt;
ssl_certificate_key /etc/ssl/example.com.key;
ssl_certificate /etc/ssl/example.com-ecc.combined.crt;
ssl_certificate_key /etc/ssl/example.com-ecc.key;

However, it only lets us specify a single trusted certificate to use for OCSP stapling:

ssl_trusted_certificate /etc/ssl/ocsp-bundle-rsa-ecc.crt;

Clearly we need to give it both chains of intermediate & root certs, but I can't find any documentation on whether it's supported at all, or what order these certs should be in, i.e. whether it should be:

  • intermediate1
  • root1
  • intermediate2
  • root2

or

  • intermediate1
  • intermediate2
  • root1
  • root2

or, if they need to share a root (some ECC certs are signed using an RSA root):

  • intermediate1
  • intermediate2
  • root

or simply whether it's not possible to do OCSP with dual format certificates in nginx.

How should this certificate bundle be constructed?

Synchro

1 Answer


I did some quick research, and it seems the easiest answer to this is "you don't build it" and it will just work :)

OCSP stapling may work fine without ssl_trusted_certificate as long as:

  • Your OS trusted root CA store is up-to-date (think ca-certificates in RedHat)
  • You have ssl_stapling on; and ssl_stapling_verify on;
  • Each of your certificates (ECC and RSA based) includes the full chain except for the root CA

nginx docs are clear that only...

If the ssl_certificate file does not contain intermediate certificates, the certificate of the server certificate issuer should be present in the ssl_trusted_certificate file

You can actually check your stuff in the SSL Labs test to confirm this - OCSP stapling does work fine without ssl_trusted_certificate.

So dual certificates can have working OCSP if you simply follow the best practice of placing both the certificate itself and its intermediate certificate in the file defined in ssl_certificate and having up-to-date root CAs in your system.

Danila Vershinin
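The following script is an added example (not code from the question, the answer, or the nginx project) that puts the answer's three conditions into practice for the question's setup: it builds the per-key-type chain files that ssl_certificate expects (leaf first, then its intermediate, root CA left out), checks that ordering, and writes the matching server-block snippet with stapling enabled and no ssl_trusted_certificate. The certificate contents are constructed placeholders rather than real PEM data, the file names follow the question, and the resolver address is an assumption (systemd-resolved's local stub); adjust it to your own DNS resolver.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: build the two
# chain files that the answer describes (leaf certificate followed by its
# intermediate, root CA omitted), sanity-check them, and write the matching
# nginx snippet. All certificate contents here are constructed placeholders.
set -eu

WORK=$(mktemp -d)

# Write a constructed placeholder PEM block (real PEMs carry base64 DER).
pem() { printf '%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'; }
pem LEAF-RSA         > "$WORK/example.com.crt"
pem INTERMEDIATE-RSA > "$WORK/rsa-intermediate.crt"
pem ROOT-RSA         > "$WORK/rsa-root.crt"
pem LEAF-ECC         > "$WORK/example.com-ecc.crt"
pem INTERMEDIATE-ECC > "$WORK/ecc-intermediate.crt"

# build_chain LEAF INTERMEDIATE OUT: order matters, the leaf must come first.
build_chain() { cat "$1" "$2" > "$3"; }

# count_certs FILE: number of PEM certificate blocks in FILE.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# check_chain CHAIN LEAF ROOT: succeed only when CHAIN starts with LEAF
# byte for byte and does not embed ROOT (the root belongs in the OS store).
check_chain() {
  chain=$1 leaf=$2 root=$3
  leaf_lines=$(wc -l < "$leaf" | tr -d ' ')
  head -n "$leaf_lines" "$chain" | cmp -s - "$leaf" || return 1
  root_body=$(sed -n '2p' "$root")
  ! grep -qF -- "$root_body" "$chain"
}

# write_nginx_snippet OUT: the server-block directives the answer relies on.
# ssl_trusted_certificate is deliberately absent; resolver is needed so nginx
# can reach the OCSP responder named in the certificates (address assumed).
write_nginx_snippet() {
  cat > "$1" <<EOF
ssl_certificate     $WORK/example.com.combined.crt;
ssl_certificate_key $WORK/example.com.key;
ssl_certificate     $WORK/example.com-ecc.combined.crt;
ssl_certificate_key $WORK/example.com-ecc.key;

ssl_stapling        on;
ssl_stapling_verify on;
resolver            127.0.0.53 valid=300s;
EOF
}

build_chain "$WORK/example.com.crt"     "$WORK/rsa-intermediate.crt" "$WORK/example.com.combined.crt"
build_chain "$WORK/example.com-ecc.crt" "$WORK/ecc-intermediate.crt" "$WORK/example.com-ecc.combined.crt"
write_nginx_snippet "$WORK/ssl-dual.conf"

for f in example.com.combined.crt example.com-ecc.combined.crt; do
  printf '%s: %s certificates\n' "$f" "$(count_certs "$WORK/$f")"
done
```

Once the real files are in place and nginx has reloaded, `openssl s_client -connect example.com:443 -servername example.com -status` prints an "OCSP Response Data" section when a stapled response is being served; with ssl_stapling_verify on, nginx will only staple once it can validate the response against the chain in ssl_certificate plus the OS root store, so a missing staple on the ECC or RSA listener usually points at an incomplete chain file for that key type.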