Skip to main content
CockroachDB self-hosted supports Online Certificate Status Protocol (OCSP) for certificate revocation. Read more about . To enable certificate revocation using your OCSP service:
  1. Ensure that your Certificate Authority sets the OCSP server address in the authorityInfoAccess field in the certificate.
  2. security.ocsp.mode to lax (by default, the cluster setting is set to off).
    For production clusters, we recommend that you set security.ocsp.mode to strict, but only after verifying the configuration with it set to lax.
In the strict mode, all certificates are presumed to be invalid if the OCSP server is not reachable. Setting the cluster setting security.ocsp.mode to strict will lock you out of your CockroachDB database if your OCSP server is unavailable.