CockroachDB Self-Hosted supports Online Certificate Status Protocol (OCSP) for certificate revocation.
Read more about Public Key Infrastructure (PKI) and Transport Layer Security (TLS) in CockroachDB.
To enable certificate revocation using your OCSP service:

- Ensure that your Certificate Authority sets the OCSP server address in the `authorityInfoAccess` field of each certificate it issues.
- Set the cluster setting `security.ocsp.mode` to `lax` (by default, the cluster setting is set to `off`):

```sql
> SHOW CLUSTER SETTING security.ocsp.mode;
  security.ocsp.mode
----------------------
  off
(1 row)

Server Execution Time: 56µs
Network Latency: 181µs

> SET CLUSTER SETTING security.ocsp.mode = lax;
```
For production clusters, we recommend that you set `security.ocsp.mode` to `strict`, but only after verifying the configuration with it set to `lax`. In `lax` mode a certificate is still accepted when the OCSP responder cannot be reached, so you can confirm that nodes locate and query the responder without risking availability.

Note: In `strict` mode, all certificates are presumed to be invalid if the OCSP server is not reachable. Setting the cluster setting `security.ocsp.mode` to `strict` will lock you out of your CockroachDB database if your OCSP server is unavailable. The cluster setting `security.ocsp.timeout` controls how long a node waits for a response from the OCSP server before treating it as unreachable.
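Before switching from `off` to `lax`, and again before switching to `strict`, it is worth confirming that the certificates CockroachDB will present actually carry an OCSP responder URL in `authorityInfoAccess`; a node certificate without one can never be checked, and in `strict` mode that means it can never be accepted. The following Go program is an added example, not CockroachDB's own code: it parses a PEM certificate, returns the OCSP responder URLs from its AIA extension, and fails a preflight check when none is present. The CA, the node certificate and the responder URL `http://ocsp.example.internal/` are constructed inline for the demonstration and are not produced by `cockroach cert`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ocspResponders parses a PEM-encoded certificate and returns the OCSP
// responder URLs found in its authorityInfoAccess extension. Go's x509
// parser surfaces them as Certificate.OCSPServer.
func ocspResponders(certPEM []byte) ([]string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	return cert.OCSPServer, nil
}

// preflightOCSP returns an error when the certificate cannot be revocation
// checked: no responder in AIA, or a responder that is not reachable over
// HTTP(S). A certificate that fails here will be rejected under strict mode.
func preflightOCSP(certPEM []byte) error {
	urls, err := ocspResponders(certPEM)
	if err != nil {
		return err
	}
	if len(urls) == 0 {
		return errors.New("certificate has no OCSP responder in authorityInfoAccess")
	}
	for _, u := range urls {
		if !strings.HasPrefix(u, "http://") && !strings.HasPrefix(u, "https://") {
			return fmt.Errorf("unsupported OCSP responder URI %q", u)
		}
	}
	return nil
}

// issueTestCert builds a throwaway CA and signs a node certificate with it.
// This is constructed test data for the example only; ocspURLs is written
// into the node certificate's authorityInfoAccess extension.
func issueTestCert(ocspURLs []string) ([]byte, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed example CA"},
		NotBefore:             now,
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	nodeKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	nodeTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "node"},
		DNSNames:     []string{"node1.example.internal"},
		NotBefore:    now,
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		OCSPServer:   ocspURLs, // becomes the AIA OCSP accessMethod entries
	}
	der, err := x509.CreateCertificate(rand.Reader, nodeTmpl, caCert, &nodeKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	withAIA, _ := issueTestCert([]string{"http://ocsp.example.internal/"})
	fmt.Println("certificate with AIA:   ", preflightOCSP(withAIA))
	withoutAIA, _ := issueTestCert(nil)
	fmt.Println("certificate without AIA:", preflightOCSP(withoutAIA))
}
```

To run the same check against real node certificates rather than the constructed ones, read the PEM file and pass it to `preflightOCSP`; `openssl x509 -in node.crt -noout -ocsp_uri` prints the same AIA URL from the command line.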