Monday 19 January 2015

SSL/TLS: How to fix "Chain issues: Contains anchor"



I just ran a quick test at ssllabs.com: got A+, which I'm happy about.


However there's one thing I don't know how to "fix": My site supports OCSP stapling and ssllabs keeps telling me: Chain issues: Contains anchor. I know this is just a "warning" in the sense that it slows down the connection a bit.


nginx config:



..
ssl_certificate public.crt;
ssl_certificate_key private.key;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate my-chain.pem;
..


Where:

- public.crt is the public certificate I got from StartSSL

- private.key the certificate's private key

- my-chain.pem (ssllabs calls this: "Additional Certificates (if supplied)") consists of:



1.) StartCom Class 1 Primary Intermediate Server CA
2.) StartCom Certification Authority


I found a site which also uses StartCom (StartSSL) certificates, supports OCSP stapling, but does not have the issue described above.


This site's "Additional Certificates":



1.) StartCom Class 1 Primary Intermediate Server CA


I've tried the same: only put "StartCom Class 1 Primary Intermediate Server CA" into my-chain.pem.

However then ssllabs says: OCSP stapling: No. So this seems to completely break OCSP stapling.


Any idea?
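An added check, not part of the original post, that tells which certificate in a bundle like my-chain.pem is the self-signed anchor (the one ssllabs objects to in the served chain). It assumes a PEM file of certificates in the usual RFC 5280 layout and builds its own constructed test certificates rather than reading any real StartCom files:

```python
# Added checker, not from the original post: flags self-signed (anchor) certificates
# in a PEM bundle such as my-chain.pem, using only the standard library. A certificate
# whose issuer and subject Name encodings are byte-identical is a self-signed root.
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Raw DER of issuer and subject from an X.509 Certificate (RFC 5280 field order)."""
    _, pos, _ = _tlv(der, 0)        # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)      # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                 # optional [0] EXPLICIT version
        pos = end
    for _ in range(2):              # skip serialNumber and signature AlgorithmIdentifier
        _, _, pos = _tlv(der, pos)
    _, _, end = _tlv(der, pos)      # issuer Name
    issuer, pos = der[pos:end], end
    _, _, pos = _tlv(der, pos)      # skip validity
    _, _, end = _tlv(der, pos)      # subject Name
    return issuer, der[pos:end]

def find_anchors(pem_bundle):
    """Return [(index, is_self_signed), ...] for the certificates in a PEM bundle."""
    out = []
    for i, m in enumerate(PEM_RE.finditer(pem_bundle)):
        issuer, subject = issuer_and_subject(base64.b64decode(m.group(1)))
        out.append((i, issuer == subject))
    return out

def _der(tag, body):  # DER TLV encoder, used only to build the constructed test certificates
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def fake_cert_pem(issuer_cn, subject_cn):  # constructed, unsigned cert in RFC 5280 layout for offline tests
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    alg = _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))  # sha256WithRSAEncryption
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name(issuer_cn)
               + _der(0x30, _der(0x17, b"150119000000Z") * 2) + name(subject_cn)
               + _der(0x30, alg + _der(0x03, bytes(200))))  # oversized key blob forces long-form lengths
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(_der(0x30, tbs + alg + _der(0x03, b"\x00"))) + b"-----END CERTIFICATE-----\n"
```

Run find_anchors() on the bytes of my-chain.pem to see which entry is the root; the root belongs in ssl_trusted_certificate (nginx uses that file to verify OCSP responses) but not in the chain served to clients, which nginx takes from the ssl_certificate file.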




