Using Online Certificate Status Protocol (OCSP) with CockroachDB

Warning:
GA releases for CockroachDB v23.1 are no longer supported. Cockroach Labs will stop providing LTS Assistance Support for v23.1 LTS releases on November 13, 2025. Prior to that date, upgrade to a more recent version to continue receiving support. For more details, refer to the Release Support Policy.

CockroachDB Self-Hosted supports Online Certificate Status Protocol (OCSP) for certificate revocation.

Read more about Public Key Infrastructure (PKI) and Transport Layer Security (TLS) in CockroachDB.

To enable certificate revocation using your OCSP service:

  1. Ensure that your Certificate Authority sets the OCSP server address in the Authority Information Access (authorityInfoAccess) extension of each certificate it issues.
  2. Set the cluster setting security.ocsp.mode to lax (by default, the cluster setting is off).

      > SHOW CLUSTER SETTING security.ocsp.mode;
    
      security.ocsp.mode
      ----------------------
      off
      (1 row)
    
      Server Execution Time: 56µs
      Network Latency: 181µs
    
      > SET CLUSTER SETTING security.ocsp.mode = lax;
    

    For production clusters, we recommend that you set security.ocsp.mode to strict, but only after verifying the configuration with it set to lax (that is, after confirming that certificates carry the OCSP address and that every node can reach the OCSP server).

    Note:
    In strict mode, all certificates are presumed to be invalid if the OCSP server is not reachable. Setting the cluster setting security.ocsp.mode to strict will therefore lock you out of your CockroachDB database whenever your OCSP server is unavailable.
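The following shell script is an added example and is not part of the CockroachDB documentation or the CockroachDB code base. It shows the pre-flight checks a practitioner would run before moving security.ocsp.mode from lax to strict: extracting the OCSP responder URL from a certificate's Authority Information Access extension, querying that responder with openssl, and modelling how the two modes treat a responder outcome (lax fails open on an unreachable server, strict fails closed, as the note above describes). The certificate paths NODE_CERT and CA_CERT are placeholders, the openssl CLI is assumed to be on PATH, and the sample `openssl x509 -text` output used for the parser is constructed.

```shell
#!/bin/sh
# Added example, not CockroachDB's own tooling. Pre-flight checks before
# setting security.ocsp.mode = strict. Assumes: the openssl CLI on PATH, a
# node certificate at "$NODE_CERT" and its issuing CA at "$CA_CERT"
# (placeholder paths).

# Pull the OCSP responder URL out of `openssl x509 -text` output. Pure text
# processing, so it can be exercised on captured output without a certificate.
# The relevant line looks like:  "    OCSP - URI:http://ocsp.example.test"
ocsp_uri_from_text() {
    sed -n 's/^[[:space:]]*OCSP - URI:[[:space:]]*//p' | head -n 1
}

# Step 1 of the procedure: does the certificate carry an OCSP address at all?
# Prints the URL and returns 0, or returns 1 if the AIA extension lacks one.
cert_ocsp_uri() {
    cert="$1"
    uri=$(openssl x509 -in "$cert" -noout -text | ocsp_uri_from_text)
    [ -n "$uri" ] || return 1
    printf '%s\n' "$uri"
}

# Ask the responder about the certificate. The responder's signature is
# verified against the CA (-CAfile). Returns 0 only for a "good" status.
# In strict mode an unreachable responder is treated as "invalid", so this
# must succeed from every node before the mode is switched.
ocsp_check() {
    cert="$1"; ca="$2"
    uri=$(cert_ocsp_uri "$cert") || { echo "no OCSP URI in $cert" >&2; return 1; }
    openssl ocsp -issuer "$ca" -cert "$cert" -url "$uri" -CAfile "$ca" 2>&1 \
        | grep -q ': good'
}

# Model of how the two cluster-setting modes treat a responder outcome,
# based on the documented behaviour: lax fails open when the responder is
# unreachable, strict fails closed. A revoked certificate is rejected in both.
# status is one of: good | revoked | unreachable
decide() {
    mode="$1"; status="$2"
    case "$status" in
        good)        echo accept ;;
        revoked)     echo reject ;;
        unreachable) if [ "$mode" = strict ]; then echo reject; else echo accept; fi ;;
        *)           echo reject ;;
    esac
}
```

A typical rollout is `ocsp_check "$NODE_CERT" "$CA_CERT" && echo "responder reachable, safe to go strict"` run on each node while the cluster is still in lax mode; only when every node reports success does `SET CLUSTER SETTING security.ocsp.mode = strict;` avoid the lock-out described in the note.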

