NATS Docs
NATS.ioTwitterSlackGitHub
Search…
Welcome
Release Notes
What's New!
NATS Concepts
Overview
What is NATS
Subject-Based Messaging
Core NATS
JetStream
Subject Mapping and Traffic Shaping
NATS Service Infrastructure
Security
Connectivity
Using NATS
NATS Tools
Developing With NATS
Running a NATS service
Installing, running and deploying a NATS Server
NATS and Docker
NATS and Kubernetes
NATS Server Clients
Configuring NATS Server
Configuring JetStream
Clustering
Super-cluster with Gateways
Leaf Nodes
Securing NATS
Enabling TLS
Authentication
Authorization
Multi Tenancy using Accounts
OCSP Stapling
Logging
Enabling Monitoring
MQTT
Configuring Subject Mapping
System Events
WebSocket
Managing and Monitoring your NATS Server Infrastructure
Reference
FAQ
NATS Protocols
Legacy
STAN aka 'NATS Streaming'
nats-account-server
Powered By GitBook
OCSP Stapling
Supported since NATS Server version 2.3
​OCSP Stapling is honored by default for certificates that have the status_request Must-Staple flag.
When a certificate is configured with OCSP Must-Staple, the NATS Server will fetch staples from the configured OCSP responder URL that is present in a certificate. For example, given a certificate with the following configuration:
1
[ ext_ca ]
2
...
3
authorityInfoAccess = OCSP;URI:http://ocsp.example.net:80
4
tlsfeature = status_request
5
...
Copied!
The NATS server will make a request to the OCSP responder to fetch a new staple which will then be presented to any TLS connection that is accepted by the server during the TLS handshake.
OCSP Stapling can be explicitly enabled or disabled in the NATS Server by setting the following flag in the NATS configuration file at the top-level:
1
ocsp: false
Copied!
Note: When OCSP Stapling is disabled, the NATS Server will not request staples even if the certificate has the Must-Staple flag.

Advanced Configuration

By default, the NATS Server will be running in OCSP auto mode. In this mode the server will only fetch staples when the Must-Staple flag is configured in the certificate.
There are other OCSP modes that control the behavior as to whether OCSP should be enforced and the server should shutdown if the certificate runs with a revoked staple:
Mode
Description
Server shutdowns when revoked
auto
Enables OCSP Stapling when the certificate has the must staple/status_request flag
No
must
Enables OCSP Staping when the certificate has the must staple/status_request flag
Yes
always
Enables OCSP Stapling for all certificates
Yes
never
Disables OCSP Stapling even if must staple flag is present (same as ocsp: false)
No
For example, in the following OCSP configuration, the mode is set to must. This means that staples will be fetched only for certificates that have the Must-Staple flag enabled as well, but in case of revocation the server will shutdown rather than run with a revoked staple. In this configuration, the url will also override the OCSP responder URL that may have been configured in the certificate.
1
ocsp {
2
mode: must
3
url: "http://ocsp.example.net"
4
}
Copied!
If staples are always required, regardless of the configuration of the certificate, you can enforce the behavior as follows:
1
ocsp {
2
mode: always
3
url: "http://ocsp.example.net"
4
}
Copied!

Caching of Staples

When a store_dir is configured in the NATS Server, the directory will be used to cache staples on disk to allow the server to resume in case of restarts without having to make another request to the OCSP responder if the staple is still valid.
1
ocsp: true
2
​
3
store_dir: "/path/to/store/dir"
4
​
5
tls {
6
cert_file: "configs/certs/ocsp/server-status-request-url.pem"
7
key_file: "configs/certs/ocsp/server-status-request-url-key.pem"
8
ca_file: "configs/certs/ocsp/ca-cert.pem"
9
timeout: 5
10
}
Copied!
If JetStream is enabled, then the same store_dir will be reused and disk caching will be automatically enabled.
Previous
Multi Tenancy using Accounts
Next
Logging
Last modified 5mo ago
Export as PDF
Copy link
Edit on GitHub
Contents
Advanced Configuration
Caching of Staples