Traefik OCSP Documentation
Check certificate status and perform OCSP stapling.
Overview
OCSP Stapling
When OCSP is enabled, Traefik Hub API Gateway checks the status of every certificate in the store that provides an OCSP responder URL, including the default certificate, and staples the OCSP response to the TLS handshake. The OCSP check is performed when the certificate is loaded, and again at the halfway point before the update date, once every hour until it is successful.
Caching
Traefik Hub API Gateway caches the OCSP response for as long as the associated certificate is provided by the configuration. When a certificate is no longer provided, its OCSP response is kept with a 24-hour TTL, waiting for the certificate to be provided again, and is eventually removed. The OCSP response is cached in memory and is not persisted between Traefik Hub API Gateway restarts.
Configuration
General
OCSP can be configured by using a file (YAML) or Helm chart values:

Install Configuration

## Install configuration
ocsp: {}

Helm Chart Values

# values.yaml
ocsp:
  # Enable OCSP stapling support
  enabled: true

Responder Overrides
The responderOverrides option defines the OCSP responder URLs to use instead of the one provided by the certificate.
This is useful when you want to use a different OCSP responder.

Install Configuration

## Install configuration
ocsp:
  responderOverrides:
    example.com: http://ocsp.example.com

Helm Chart Values

# values.yaml
ocsp:
  enabled: true
  # Defines the OCSP responder URLs to use instead of the one provided by the certificate
  responderOverrides:
    example.com: http://ocsp.example.com
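
To confirm that a response is actually stapled to the handshake once OCSP is enabled, the output of `openssl s_client -status` can be classified as below. This is an added example, not part of the Traefik documentation: the function name, the sample outputs (constructed) and the hostname `gateway.example.com` (a placeholder) are assumptions.

```shell
# Classify the stapling result in `openssl s_client -status` output (read on stdin).
# Live use, with a placeholder hostname:
#   openssl s_client -connect gateway.example.com:443 \
#     -servername gateway.example.com -status </dev/null 2>/dev/null | staple_status
staple_status() {
  awk '
    /OCSP response: no response sent/ { none = 1 }
    /OCSP Response Status:/           { rstatus = $4 }
    /Cert Status:/                    { cstatus = $3 }
    /Next Update:/ { sub(/^.*Next Update: */, ""); next_update = $0 }
    END {
      # No staple at all: OCSP disabled, no responder URL, or check not yet successful
      if (none || rstatus == "")   { print "not-stapled"; exit }
      # A staple is present but the responder did not answer successfully
      if (rstatus != "successful") { print "responder-error " rstatus; exit }
      # good / revoked / unknown, plus the date the response must be renewed by
      print "stapled-" cstatus " next-update=" next_update
    }'
}

# Constructed sample: handshake carrying a stapled "good" response
sample_stapled() { cat <<'EOF'
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan 11 12:00:00 2025 GMT
    Next Update: Jan 18 12:00:00 2025 GMT
EOF
}

# Constructed sample: server sent no staple
sample_unstapled() { cat <<'EOF'
CONNECTED(00000003)
OCSP response: no response sent
EOF
}

sample_stapled   | staple_status
sample_unstapled | staple_status
```

Because the cached response is held in memory only, a `not-stapled` result right after a gateway restart can simply mean the first check has not succeeded yet.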