Matthias Wächter

Multiple Certificates, OCSP Stapling Result

Discussion created by Matthias Wächter on May 27, 2016
Latest reply on Nov 6, 2016 by Bhushan Lokhande

Now that nginx supports dual certificate configurations, I wonder how OCSP Stapling is supposed to work with it. Besides that, I wonder even more how SSL Labs shows the test results. I’d expect a result based on each key/certificate, but there is currently only a single line. For me, it gives a green ‘yes’, but a closer look using testssl.sh shows that OCSP Stapling seems to only work with the ECDSA key and not the RSA key. But perhaps it’s testssl.sh’s fault, who knows.

So, the question is: Does a ‘yes’ for OCSP Stapling mean that it was only valid for one certificate (and I don’t even know which cert was used, perhaps the one listed on top), or is it right for all certificates? If it is only valid for one certificate, perhaps this should become a new feature, to list all certificates (at least one for aECDSA and one for aRSA ciphers) and their OCSP Stapling status.
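One way to check the stapling status of each certificate separately, as an added example that is not part of the original post: restrict the handshake to `aRSA` or `aECDSA` ciphers with `openssl s_client -status` and classify what comes back. The function names and the sample outputs are constructed for illustration; TLS 1.2 is forced on the assumption that the server still offers it.

```sh
#!/bin/sh
# Added example (not from the original post): per-certificate OCSP stapling check.

# Classify `openssl s_client -status` output read on stdin.
# Prints: stapled-<cert status> | stapled-invalid | not-stapled | unknown
classify_ocsp() {
    awk '
        /OCSP response: no response sent/ { result = "not-stapled" }
        /OCSP Response Status:/ {
            if ($0 ~ /successful/) { ok = 1 } else { result = "stapled-invalid" }
        }
        /Cert Status:/ && ok && !seen { seen = 1; result = "stapled-" $3 }
        END { if (result == "") result = "unknown"; print result }
    '
}

# Handshake restricted to one authentication type, so the server has to
# present the matching certificate. $1=host $2=port $3=aRSA|aECDSA
# TLS 1.2 is forced: in TLS 1.3 the cipher string does not select the certificate.
check_stapling() {
    openssl s_client -connect "$1:$2" -servername "$1" -tls1_2 \
        -cipher "$3" -status </dev/null 2>/dev/null | classify_ocsp
}

# Constructed sample outputs (trimmed), used when no host is given.
sample_stapled() {
    cat <<'EOF'
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
EOF
}
sample_not_stapled() {
    printf '%s\n' 'CONNECTED(00000003)' 'OCSP response: no response sent'
}

if [ "$#" -ge 1 ]; then
    for auth in aRSA aECDSA; do
        printf '%-7s %s\n' "$auth" "$(check_stapling "$1" "${2:-443}" "$auth")"
    done
else
    printf 'sample stapled:     %s\n' "$(sample_stapled | classify_ocsp)"
    printf 'sample not stapled: %s\n' "$(sample_not_stapled | classify_ocsp)"
fi
```

Run it with a host name (and optionally a port) to test a live server; `unknown` for one of the two lines means the handshake for that certificate type did not complete, for example because no such certificate is configured.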
