OCSP Stapling
OCSP Stapling is honored by default for certificates that have the Must-Staple flag.
When a certificate is configured with OCSP Must-Staple, the NATS Server will fetch staples from the OCSP responder URL embedded in the certificate. For example, given a certificate with the following configuration:
The NATS Server will make a request to the OCSP responder to fetch a new staple, which is then presented during the TLS handshake on every TLS connection the server accepts.
Note: When OCSP Stapling is disabled, the NATS Server will not request staples even if the certificate has the Must-Staple flag.
By default, the NATS Server runs in OCSP mode. In this mode the server only fetches staples when the Must-Staple flag is set in the certificate.
There are other OCSP modes that control whether OCSP should be enforced and whether the server should shut down if its certificate has a revoked staple:
If staples are always required, regardless of the configuration of the certificate, you can enforce the behavior as follows:
Caching of Staples
When a store_dir is configured in the NATS Server, that directory is used to cache staples on disk, so that the server can resume after a restart without making another request to the OCSP responder as long as the cached staple is still valid.
If JetStream is enabled, the same store_dir will be reused and disk caching will be enabled automatically.