CockroachDB Self-Hosted supports Online Certificate Status Protocol (OCSP) for certificate revocation.
To enable certificate revocation using your OCSP service:
- Ensure that your Certificate Authority sets the OCSP server address in the `authorityInfoAccess` field of the certificate.
- Set the cluster setting `security.ocsp.mode` to `lax` (by default, the cluster setting is `off`):

```sql
> SHOW CLUSTER SETTING security.ocsp.mode;
```

```
  security.ocsp.mode
----------------------
  off
(1 row)

Server Execution Time: 56µs
Network Latency: 181µs
```

```sql
> SET CLUSTER SETTING security.ocsp.mode = lax;
```

For production clusters, we recommend that you set `security.ocsp.mode` to `strict`, but only after verifying the configuration with it set to `lax`. In `strict` mode, all certificates are presumed to be invalid if the OCSP server is not reachable, so setting the cluster setting to `strict` will lock you out of your CockroachDB database if your OCSP server is unavailable.