Protocol Details
Secure Renegotiation: Supported
Secure Client-Initiated Renegotiation: No
Insecure Client-Initiated Renegotiation: No
BEAST attack: Mitigated server-side TLS 1.0: 0xc011
TLS compression: No
RC4: Yes NOT DESIRABLE
Forward Secrecy: Yes (with most browsers) ROBUST
Next Protocol Negotiation: Yes spdy/2 http/1.1
Session resumption (caching): Yes
Session resumption (tickets): Yes
OCSP stapling: Yes
Strict Transport Security: Yes max-age=31536000
Long handshake intolerance: No
TLS extension intolerance: No
TLS version intolerance: TLS 2.98
SSL 2 handshake compatibility: Yes
ssl_certificate = is just your domain crt
I use startssl for my server ssl
Here's mine (with OCSP)
Code:
ssl on;
ssl_certificate /my_ssl_folder/ssl.crt;
ssl_certificate_key /my_ssl_key_folder/the.key;
ssl_dhparam /my_dhparam_folder/my_pharam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /another_folder/trust.crt;
resolver 8.8.8.8 8.8.4.4 valid=10m;
resolver_timeout 10s;
ssl_certificate is just an ssl.crt without intermediate
ssl_trusted_certificate is root certificate (ca.pem) with intermediate (sub.class1.server.ca.pem)
That's what I'm using and it didn't work on mine
As I posted before in the other thread, the following is correct...
- ssl_certificate /etc/ssl/example/unified.crt; (example.com.crt + intermediate.crt)
- ssl_trusted_certificate /etc/ssl/example/trusted.crt; (root.pem + intermediate.crt).
Yes. For StartSSL.
ssl_certificate = is just your domain crt
and
ssl_trusted_certificate = root.pem + primary intermediate
That's it?
Yes, that's what I have there.
As I posted before in the other thread, the following is correct...
@RoldanLT, if you bought from RapidSSL, your ssl_trusted_certificate should point to a file that contains the following: https://knowledge.rapidssl.com/libr...FILIATES/RapidSSL/AR1548/RapidSSLCABundle.txt
- ssl_certificate /etc/ssl/example/unified.crt; (example.com.crt + intermediate.crt)
- ssl_trusted_certificate /etc/ssl/example/trusted.crt; (root.pem + intermediate.crt).
May I know what's the content of dhparam.pem?
Yes. For StartSSL.
If you use different SSL, I'm afraid you need another configuration.
And dhparam is for forward secrecy
I'm confused, did you get your certificate from StartSSL or RapidSSL? If you're using some files from RapidSSL for a StartSSL certificate (or vice versa), of course you're going to have problems.
Yes, that's what I have there.
Still OCSP is not working.
May I know what's the content of dhparam.pem?
Maybe it could help me.
I have startssl also.
dhparam is not really important if your mission is to make OCSP and SSL work fine. It's just for an additional.
Yes, that's what I have there.
Still OCSP is not working.
May I know what's the content of dhparam.pem?
Maybe it could help me.
I have startssl also.
openssl dhparam -out your_dhparam.pem 2048
This is true. Don't mix them.
I'm confused, did you get your certificate from StartSSL or RapidSSL? If you're using some files from RapidSSL for a StartSSL certificate (or vice versa), of course you're going to have problems.
I'm using Rapidssl.
I'm confused, did you get your certificate from StartSSL or RapidSSL? If you're using some files from RapidSSL for a StartSSL certificate (or vice versa), of course you're going to have problems.
@RoldanLT: what version of nginx are you running?
You mentioned earlier you lost your .key, could you explain what happened/what you've done since then?
Who did you purchase your certificate from (the one you want to use)?
# enable ocsp stapling
@Andy.N How did you enable OCSP in your forum?
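A small lint for the stapling directives discussed in this thread, added here as an example and not code from any poster or from nginx: it checks that the issuer certificate is available in one of the two bundles, that `ssl_stapling_verify` has a root + intermediate bundle, and that a `resolver` is set. It assumes a flat list of directives as posted above and a chain with a single intermediate; the function names and the placeholder PEM content are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Constructed placeholder, not a real certificate: only the PEM markers are counted.
FAKE_PEM = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"

def directives(conf_text):
    """Map directive name -> arguments for flat 'name args;' statements."""
    stmts = (s.split(None, 1) for s in re.sub(r"#[^\n]*", "", conf_text).split(";"))
    return {p[0]: p[1].strip() if len(p) > 1 else "" for p in stmts if p}

def count_certs(path):
    """Number of PEM certificate blocks in a file; 0 if unset or missing."""
    if not path or not Path(path).is_file():
        return 0
    return Path(path).read_text().count("-----BEGIN CERTIFICATE-----")

def lint_stapling(conf_text):
    """Return a list of problems with the stapling-related directives."""
    d = directives(conf_text)
    if d.get("ssl_stapling") != "on":
        return ["ssl_stapling is not on"]
    chain = count_certs(d.get("ssl_certificate"))
    trusted = count_certs(d.get("ssl_trusted_certificate"))
    problems = []
    if chain == 0:
        problems.append("ssl_certificate: no certificate found")
    if chain < 2 and trusted == 0:
        # nginx must know the issuer: intermediate in either bundle
        problems.append("issuer certificate is in neither file")
    if d.get("ssl_stapling_verify") == "on" and trusted < 2:
        # assumption from the thread: one intermediate, so root + intermediate
        problems.append("ssl_trusted_certificate: expected root + intermediate")
    if "resolver" not in d:
        problems.append("no resolver for the OCSP responder hostname")
    return problems

def write_bundle(folder, name, n_certs):
    """Write n placeholder PEM blocks; return the path as a string."""
    path = Path(folder) / name
    path.write_text(FAKE_PEM * n_certs)
    return str(path)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        leaf = write_bundle(tmp, "ssl.crt", 1)  # domain certificate only
        conf = f"ssl_certificate {leaf};\nssl_stapling on;\nssl_stapling_verify on;\n"
        print(lint_stapling(conf))  # no trusted bundle and no resolver configured
```

The lint only counts certificates; it does not check that both bundles come from the same CA, which is the mismatch raised above for StartSSL and RapidSSL files.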