How to: OCSP Stapling on WP Engine

Online Certificate Status Protocol, or OCSP for short, is a standard for checking whether an X.509 certificate has been revoked. With OCSP Stapling the server fetches the signed OCSP response itself and attaches ("staples") it to the TLS handshake, which removes the need for clients to query the Certificate Authority (CA) on lookup and improves both performance and security at the SSL level.

If you're already routing through Cloudflare and are using one of their Universal Certificates, you already have OCSP Stapling enabled. DigiCert have a neat tool you can use to check here.

A successful result looks like this:

You can also check from your terminal with:

openssl s_client -connect YOUR_SERVER_IP:443 -servername WWW.YOURDOMAIN.COM -status

Be sure to replace YOUR_SERVER_IP and YOURDOMAIN.COM with your actual server IP address and domain (openssl needs the port as well, and 443 is the standard HTTPS port). A successful response contains the line OCSP Response Status: successful (0x0).

If you're not using Cloudflare with WP Engine, you are most likely using a Let's Encrypt certificate. If you run that test from your terminal, you'll probably see OCSP response: no response sent.

The first thing you’ll need to do is grab the root certificate from Let’s Encrypt here. It will look something like this:

Copy and paste the certificate into a new file called root.pem and upload it over SFTP to /_wpeprivate on your WP Engine site.

To finish this off, you need to add a few lines to your nginx config. You can't edit it directly on WP Engine, so pop into live chat and ask them to add the following to the Before-SSL block:

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /nas/content/live/YOURINSTALLNAME/_wpeprivate/root.pem;

Remember to put your actual install name in place of YOURINSTALLNAME on the last line. Once it has been added and the server configuration has been regenerated, run the test above again to confirm.

You should be all set!

IMPORTANT NOTE: Be aware that if you get the path to the .pem wrong or delete the .pem file, the rule will break your nginx configuration and lead to serious problems.
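To script the openssl check described above, and to confirm the .pem is actually readable before the ssl_trusted_certificate line goes in, here is an added shell example that is not part of the original post. The sample openssl outputs are constructed, and the host and path arguments are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies the output of
# `openssl s_client ... -status` so the stapling check can run in a script.
# Returns 0 when a stapled OCSP response was sent, 1 when the server sent
# none, 2 when the output is unrecognised (e.g. the handshake failed).
classify_ocsp_output() {
    case "$1" in
        *"OCSP Response Status: successful (0x0)"*) return 0 ;;
        *"OCSP response: no response sent"*)        return 1 ;;
        *)                                          return 2 ;;
    esac
}

# Run the check against a live host. $1 is the domain sent as SNI, $2 an
# optional IP to connect to (defaults to the domain); both are placeholders.
check_stapling() {
    host="$1"
    addr="${2:-$host}"
    out=$(openssl s_client -connect "$addr:443" -servername "$host" -status </dev/null 2>&1)
    classify_ocsp_output "$out"
}

# Sanity check before asking support to add ssl_trusted_certificate: nginx
# will reject the configuration if the file is missing or not a PEM cert.
trusted_cert_ok() {
    [ -r "$1" ] && grep -q "BEGIN CERTIFICATE" "$1"
}

# Constructed sample outputs (trimmed) for offline testing.
SAMPLE_STAPLED="OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response"

SAMPLE_NONE="CONNECTED(00000003)
OCSP response: no response sent
depth=0 CN = www.example.com"
```

Run check_stapling with your domain before and after support adds the directives; exit status 1 corresponds to the "no response sent" result described above.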