OCSP
Check certificate status and perform OCSP stapling.
Overview
OCSP Stapling
When OCSP is enabled, Traefik checks the status of every certificate in the store that provides an OCSP responder URL, including the default certificate, and staples the OCSP response to the TLS handshake. The OCSP check is performed when the certificate is loaded, and then, at the halfway point before the update date, once every hour until it is successful.
Caching
Traefik caches the OCSP response for as long as the associated certificate is provided by the configuration. When a certificate is no longer provided, its OCSP response is kept with a 24-hour TTL, after which it is removed unless the certificate has been provided again. The OCSP response is cached in memory and is not persisted between Traefik restarts.
Configuration
General
Enabling OCSP is part of the static configuration. It can be defined by using a file (YAML or TOML) or CLI arguments:
## Static configuration (YAML)
ocsp: {}
## Static configuration (TOML)
[ocsp]
## Static configuration (CLI)
--ocsp=true
Responder Overrides
The responderOverrides option defines the OCSP responder URLs to use instead of the one provided by the certificate.
This is useful when you want to use a different OCSP responder.
## Static configuration (YAML)
ocsp:
  responderOverrides:
    foo: bar
## Static configuration (TOML)
[ocsp]
  [ocsp.responderOverrides]
    foo = "bar"
## Static configuration (CLI)
--ocsp.responderoverrides.foo=bar
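To confirm from the client side that a response is actually being stapled to the handshake, the following added example (not part of the Traefik documentation) classifies the OCSP section of `openssl s_client -status` output. The function names and the sample outputs are constructed for illustration, and `example.com` is a placeholder host.

```shell
#!/bin/sh
# Added example: interpret `openssl s_client -status` output (read from stdin).
# Live use (example.com is a placeholder host):
#   openssl s_client -connect example.com:443 -servername example.com \
#       -status </dev/null 2>/dev/null | staple_status

# Prints: no-staple | stapled-good | stapled-revoked | stapled-other |
#         stapled-error (responder error was stapled) | unknown (no OCSP section)
staple_status() {
    out=$(cat)
    case "$out" in
        *'OCSP response: no response sent'*) echo no-staple; return 0 ;;
        *'OCSP Response Status: successful'*) ;;   # inspect Cert Status below
        *'OCSP Response Status:'*) echo stapled-error; return 0 ;;
        *) echo unknown; return 0 ;;
    esac
    status=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: *//p' | head -n 1)
    case "$status" in
        good)    echo stapled-good ;;
        revoked) echo stapled-revoked ;;
        *)       echo stapled-other ;;
    esac
}

# Prints the Next Update time of the stapled response, if any.
staple_next_update() {
    sed -n 's/^ *Next Update: *//p' | head -n 1
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_GOOD='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2025 GMT
    Next Update: Jan  8 00:00:00 2025 GMT'
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'

printf '%s\n' "$SAMPLE_GOOD" | staple_status
printf '%s\n' "$SAMPLE_GOOD" | staple_next_update
printf '%s\n' "$SAMPLE_NONE" | staple_status
```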