Nagios/Icinga plugin for monitoring stapled OCSP responses


check_ocsp_stapling is a plugin for Nagios/Icinga that helps with monitoring TLS servers implementing OCSP stapling. The script verifies that a TLS server provides an OCSP response that is not expired and reports a good (non-revoked) certificate status.

The script is largely based on check_ssl_certificate by David Alden.

Default Behaviour

By default, check_ocsp_stapling begins to warn when the stapled OCSP response is valid for less than 36 hours from the current time and will go to a critical state at less than 24 hours.

These values can be changed using the -w and -c command-line options. To find an appropriate value for your CA, observe the Last Update and Next Update values the CA uses in their OCSP responses. Publicly-trusted CAs may use a maximum expiration time of ten days and should update their OCSP responses at least every four days (as of version 1.3.5 of the CA/B Forum Baseline Requirements).
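The threshold logic described above, as an added example that is not the plugin's own code: it parses the OCSP section printed by `openssl s_client -status` and maps the time left until Next Update to Nagios exit codes. The function name `evaluate`, the constructed sample output, and the choice of CRITICAL for a missing staple and UNKNOWN for unparseable output are assumptions.

```python
import re
from datetime import datetime, timezone

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # standard Nagios plugin exit codes

# Constructed sample of the OCSP section printed by `openssl s_client -status`.
SAMPLE = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Mar 10 09:00:00 2024 GMT
    Next Update: Mar 14 09:00:00 2024 GMT
"""


def evaluate(text, now, warn_hours=36, crit_hours=24):
    """Map openssl's OCSP output to (exit_code, message). Hypothetical helper."""
    if "OCSP response: no response sent" in text:
        return CRITICAL, "server did not staple an OCSP response"
    status = re.search(r"Cert Status:\s*(\w+)", text)
    next_update = re.search(r"Next Update:\s*(.+?)\s+GMT", text)
    if not status or not next_update:
        # Assumption: anything we cannot parse is reported as UNKNOWN.
        return UNKNOWN, "could not parse OCSP response"
    if status.group(1) != "good":
        return CRITICAL, f"certificate status is {status.group(1)}"
    expires = datetime.strptime(next_update.group(1), "%b %d %H:%M:%S %Y")
    hours = (expires.replace(tzinfo=timezone.utc) - now).total_seconds() / 3600
    if hours <= 0:
        return CRITICAL, "stapled OCSP response has expired"
    if hours < crit_hours:
        return CRITICAL, f"OCSP response valid for only {hours:.0f}h"
    if hours < warn_hours:
        return WARNING, f"OCSP response valid for only {hours:.0f}h"
    return OK, f"OCSP response valid for {hours:.0f}h"


if __name__ == "__main__":
    code, message = evaluate(SAMPLE, datetime.now(timezone.utc))
    print(message)
    raise SystemExit(code)
```

Comparing This Update and Next Update in real output from your CA shows how long its responses live, which is the figure to weigh the -w and -c values against.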

Sample Configuration


define host {
    use                generic-host
    alias              Some Remote Host
}

define command {
    name            check_ocsp_stapling
    command_name    check_ocsp_stapling
    command_line    /path/to/nagios/plugins/check_ocsp_stapling -H $HOSTADDRESS$ $ARG1$
}

define service {
    use                 generic-service
    service_description OCSP Stapling
    check_command       check_ocsp_stapling
    # to use any of the optional arguments, use this syntax:
    # check_command       check_ocsp_stapling!-w 48
}


object Host "" {
  address = ""
  # to use any of the optional arguments, use this syntax:
  # vars.port = 443
  # vars.warning = 240
}

object CheckCommand "check_ocsp_stapling" {
  command = [ PluginDir + "/check_ocsp_stapling" ]

  arguments = {
    "-H" = "$address$"
    "-a" = "$add$"
    "-c" = "$critical$"
    "-w" = "$warning$"
    "-p" = "$port$"
  }
}

object Service " OCSP Stapling" {
  host_name = ""
  check_command = "check_ocsp_stapling"
}


Usage: check_ocsp_stapling -H  [-p ] [-c ] [-w ]

-a    add the text to the openssl line, used for checking OCSP stapling
           with starttls ("-a '-starttls smtp'")
-c    exit with CRITICAL status if number of hours left is less than 
-h         show this help script
-H   check OCSP stapling on the indicated host
-o   path to openssl binary
-p   check OCSP stapling on the specified port
-w    exit with WARNING status if number of hours left is less than 
-V         show version and license information


Please report any issues you might encounter on GitHub. Pull requests are welcome!