]>
Commit | Line | Data |
---|---|---|
b4b1bdd5 | 1 | =pod |
625c781d | 2 | {- OpenSSL::safe::output_do_not_edit_headers(); -} |
9fcb9702 | 3 | |
b4b1bdd5 DSH |
4 | =head1 NAME |
5 | ||
4b537191 | 6 | openssl-ocsp - Online Certificate Status Protocol command |
b4b1bdd5 DSH |
7 | |
8 | =head1 SYNOPSIS | |
9 | ||
49119647 DMSP |
10 | =head2 OCSP Client |
11 | ||
b4b1bdd5 | 12 | B<openssl> B<ocsp> |
169394d4 | 13 | [B<-help>] |
e8769719 RS |
14 | [B<-out> I<file>] |
15 | [B<-issuer> I<file>] | |
16 | [B<-cert> I<file>] | |
17 | [B<-serial> I<n>] | |
18 | [B<-signer> I<file>] | |
19 | [B<-signkey> I<file>] | |
20 | [B<-sign_other> I<file>] | |
49119647 DMSP |
21 | [B<-nonce>] |
22 | [B<-no_nonce>] | |
b4b1bdd5 DSH |
23 | [B<-req_text>] |
24 | [B<-resp_text>] | |
25 | [B<-text>] | |
49119647 | 26 | [B<-no_certs>] |
e8769719 RS |
27 | [B<-reqout> I<file>] |
28 | [B<-respout> I<file>] | |
29 | [B<-reqin> I<file>] | |
30 | [B<-respin> I<file>] | |
e8769719 | 31 | [B<-url> I<URL>] |
2f0ea936 | 32 | [B<-host> I<host>:I<port>] |
46aa6078 | 33 | [B<-header>] |
65718c51 | 34 | [B<-timeout> I<seconds>] |
b4b1bdd5 | 35 | [B<-path>] |
e8769719 RS |
36 | [B<-VAfile> I<file>] |
37 | [B<-validity_period> I<n>] | |
38 | [B<-status_age> I<n>] | |
bfcec27d | 39 | [B<-noverify>] |
e8769719 | 40 | [B<-verify_other> I<file>] |
cc5ba6a7 DSH |
41 | [B<-trust_other>] |
42 | [B<-no_intern>] | |
e5b0508a | 43 | [B<-no_signature_verify>] |
cc5ba6a7 DSH |
44 | [B<-no_cert_verify>] |
45 | [B<-no_chain>] | |
46 | [B<-no_cert_checks>] | |
384dee51 | 47 | [B<-no_explicit>] |
e8769719 | 48 | [B<-port> I<num>] |
bbe9c3d5 | 49 | [B<-ignore_err>] |
49119647 DMSP |
50 | |
51 | =head2 OCSP Server | |
52 | ||
53 | B<openssl> B<ocsp> | |
e8769719 RS |
54 | [B<-index> I<file>] |
55 | [B<-CA> I<file>] | |
56 | [B<-rsigner> I<file>] | |
57 | [B<-rkey> I<file>] | |
1cf20ca3 | 58 | [B<-passin> I<arg>] |
e8769719 RS |
59 | [B<-rother> I<file>] |
60 | [B<-rsigopt> I<nm>:I<v>] | |
65718c51 RS |
61 | [B<-rmd> I<digest>] |
62 | [B<-badsig>] | |
e5b0508a | 63 | [B<-resp_no_certs>] |
e8769719 RS |
64 | [B<-nmin> I<n>] |
65 | [B<-ndays> I<n>] | |
e5b0508a | 66 | [B<-resp_key_id>] |
e8769719 | 67 | [B<-nrequest> I<n>] |
49119647 | 68 | [B<-multi> I<process-count>] |
e8769719 | 69 | [B<-rcid> I<digest>] |
8dc57d76 | 70 | [B<-I<digest>>] |
9fcb9702 | 71 | {- $OpenSSL::safe::opt_trust_synopsis -} |
21d08b9e | 72 | {- $OpenSSL::safe::opt_v_synopsis -} |
6bd4e3f2 | 73 | {- $OpenSSL::safe::opt_provider_synopsis -} |
b4b1bdd5 | 74 | |
9f3c076b | 75 | =for openssl ifdef multi |
1738c0ce | 76 | |
b4b1bdd5 DSH |
77 | =head1 DESCRIPTION |
78 | ||
a068630a UM |
79 | The Online Certificate Status Protocol (OCSP) enables applications to |
80 | determine the (revocation) state of an identified certificate (RFC 2560). | |
81 | ||
35a810bb | 82 | This command performs many common OCSP tasks. It can be used |
b4b1bdd5 | 83 | to print out requests and responses, create requests and send queries |
534a1ed0 | 84 | to an OCSP responder and behave like a mini OCSP server itself. |
b4b1bdd5 | 85 | |
3dfda1a6 | 86 | =head1 OPTIONS |
0634424f RS |
87 | |
88 | This command operates as either a client or a server. | |
89 | The options are described below, divided into those two modes. | |
90 | ||
91 | =head2 OCSP Client Options | |
b4b1bdd5 DSH |
92 | |
93 | =over 4 | |
94 | ||
169394d4 MR |
95 | =item B<-help> |
96 | ||
97 | Print out a usage message. | |
98 | ||
e8769719 | 99 | =item B<-out> I<filename> |
b4b1bdd5 DSH |
100 | |
101 | specify output filename, default is standard output. | |
102 | ||
e8769719 | 103 | =item B<-issuer> I<filename> |
b4b1bdd5 DSH |
104 | |
105 | This specifies the current issuer certificate. This option can be used | |
6d382c74 DDO |
106 | multiple times. |
107 | This option B<MUST> come before any B<-cert> options. | |
b4b1bdd5 | 108 | |
e8769719 | 109 | =item B<-cert> I<filename> |
b4b1bdd5 | 110 | |
2f0ea936 RL |
111 | Add the certificate I<filename> to the request. The issuer certificate |
112 | is taken from the previous B<-issuer> option, or an error occurs if no | |
b4b1bdd5 DSH |
113 | issuer certificate is specified. |
114 | ||
e8769719 | 115 | =item B<-serial> I<num> |
b4b1bdd5 | 116 | |
2f0ea936 | 117 | Same as the B<-cert> option except the certificate with serial number |
bfcec27d | 118 | B<num> is added to the request. The serial number is interpreted as a |
a43384fd RL |
119 | decimal integer unless preceded by C<0x>. Negative integers can also |
120 | be specified by preceding the value by a C<-> sign. | |
b4b1bdd5 | 121 | |
e8769719 | 122 | =item B<-signer> I<filename>, B<-signkey> I<filename> |
b4b1bdd5 | 123 | |
2f0ea936 RL |
124 | Sign the OCSP request using the certificate specified in the B<-signer> |
125 | option and the private key specified by the B<-signkey> option. If | |
126 | the B<-signkey> option is not present then the private key is read | |
b4b1bdd5 DSH |
127 | from the same file as the certificate. If neither option is specified then |
128 | the OCSP request is not signed. | |
129 | ||
e8769719 | 130 | =item B<-sign_other> I<filename> |
e5b0508a DSH |
131 | |
132 | Additional certificates to include in the signed request. | |
b3c5aadf | 133 | The input can be in PEM, DER, or PKCS#12 format. |
e5b0508a | 134 | |
b4b1bdd5 DSH |
135 | =item B<-nonce>, B<-no_nonce> |
136 | ||
137 | Add an OCSP nonce extension to a request or disable OCSP nonce addition. | |
2f0ea936 RL |
138 | Normally if an OCSP request is input using the B<-reqin> option no |
139 | nonce is added: using the B<-nonce> option will force addition of a nonce. | |
140 | If an OCSP request is being created (using B<-cert> and B<-serial> options) | |
141 | a nonce is automatically added specifying B<-no_nonce> overrides this. | |
b4b1bdd5 DSH |
142 | |
143 | =item B<-req_text>, B<-resp_text>, B<-text> | |
144 | ||
c4de074e | 145 | Print out the text form of the OCSP request, response or both respectively. |
b4b1bdd5 | 146 | |
e8769719 | 147 | =item B<-reqout> I<file>, B<-respout> I<file> |
b4b1bdd5 | 148 | |
2f0ea936 | 149 | Write out the DER encoded certificate request or response to I<file>. |
b4b1bdd5 | 150 | |
e8769719 | 151 | =item B<-reqin> I<file>, B<-respin> I<file> |
b4b1bdd5 | 152 | |
2f0ea936 | 153 | Read OCSP request or response file from I<file>. These option are ignored |
b4b1bdd5 | 154 | if OCSP request or response creation is implied by other options (for example |
2f0ea936 | 155 | with B<-serial>, B<-cert> and B<-host> options). |
b4b1bdd5 | 156 | |
e8769719 | 157 | =item B<-url> I<responder_url> |
cc5ba6a7 | 158 | |
c4de074e | 159 | Specify the responder URL. Both HTTP and HTTPS (SSL/TLS) URLs can be specified. |
cc5ba6a7 | 160 | |
2f0ea936 | 161 | =item B<-host> I<hostname>:I<port>, B<-path> I<pathname> |
b4b1bdd5 | 162 | |
2f0ea936 RL |
163 | If the B<-host> option is present then the OCSP request is sent to the host |
164 | I<hostname> on port I<port>. The B<-path> option specifies the HTTP pathname | |
165 | to use or "/" by default. This is equivalent to specifying B<-url> with scheme | |
21c6c50f | 166 | http:// and the given hostname, port, and pathname. |
b4b1bdd5 | 167 | |
2f0ea936 | 168 | =item B<-header> I<name>=I<value> |
46aa6078 | 169 | |
2f0ea936 | 170 | Adds the header I<name> with the specified I<value> to the OCSP request |
46aa6078 RS |
171 | that is sent to the responder. |
172 | This may be repeated. | |
173 | ||
e8769719 | 174 | =item B<-timeout> I<seconds> |
de87dd46 | 175 | |
3e3c7c36 VD |
176 | Connection timeout to the OCSP responder in seconds. |
177 | On POSIX systems, when running as an OCSP responder, this option also limits | |
178 | the time that the responder is willing to wait for the client request. | |
179 | This time is measured from the time the responder accepts the connection until | |
180 | the complete request is received. | |
181 | ||
e8769719 | 182 | =item B<-verify_other> I<file> |
cc5ba6a7 | 183 | |
b3c5aadf DDO |
184 | File or URI containing additional certificates to search |
185 | when attempting to locate | |
cc5ba6a7 | 186 | the OCSP response signing certificate. Some responders omit the actual signer's |
3b80e3aa | 187 | certificate from the response: this option can be used to supply the necessary |
cc5ba6a7 | 188 | certificate in such cases. |
b3c5aadf | 189 | The input can be in PEM, DER, or PKCS#12 format. |
cc5ba6a7 DSH |
190 | |
191 | =item B<-trust_other> | |
192 | ||
c4de074e | 193 | The certificates specified by the B<-verify_other> option should be explicitly |
cc5ba6a7 | 194 | trusted and no additional checks will be performed on them. This is useful |
3b80e3aa | 195 | when the complete responder certificate chain is not available or trusting a |
cc5ba6a7 DSH |
196 | root CA is not appropriate. |
197 | ||
e8769719 | 198 | =item B<-VAfile> I<file> |
cc5ba6a7 | 199 | |
b3c5aadf DDO |
200 | File or URI containing explicitly trusted responder certificates. |
201 | Equivalent to the B<-verify_other> and B<-trust_other> options. | |
202 | The input can be in PEM, DER, or PKCS#12 format. | |
cc5ba6a7 | 203 | |
bfcec27d DSH |
204 | =item B<-noverify> |
205 | ||
c4de074e P |
206 | Don't attempt to verify the OCSP response signature or the nonce |
207 | values. This option will normally only be used for debugging since it | |
208 | disables all verification of the responders certificate. | |
cc5ba6a7 DSH |
209 | |
210 | =item B<-no_intern> | |
211 | ||
c4de074e | 212 | Ignore certificates contained in the OCSP response when searching for the |
cc5ba6a7 | 213 | signers certificate. With this option the signers certificate must be specified |
0d7f6fc7 | 214 | with either the B<-verify_other> or B<-VAfile> options. |
cc5ba6a7 | 215 | |
e5b0508a | 216 | =item B<-no_signature_verify> |
cc5ba6a7 | 217 | |
c4de074e P |
218 | Don't check the signature on the OCSP response. Since this option |
219 | tolerates invalid signatures on OCSP responses it will normally only be | |
220 | used for testing purposes. | |
cc5ba6a7 DSH |
221 | |
222 | =item B<-no_cert_verify> | |
223 | ||
c4de074e P |
224 | Don't verify the OCSP response signers certificate at all. Since this |
225 | option allows the OCSP response to be signed by any certificate it should | |
226 | only be used for testing purposes. | |
cc5ba6a7 DSH |
227 | |
228 | =item B<-no_chain> | |
229 | ||
c4de074e | 230 | Do not use certificates in the response as additional untrusted CA |
cc5ba6a7 DSH |
231 | certificates. |
232 | ||
384dee51 DSH |
233 | =item B<-no_explicit> |
234 | ||
c4de074e | 235 | Do not explicitly trust the root CA if it is set to be trusted for OCSP signing. |
384dee51 | 236 | |
cc5ba6a7 DSH |
237 | =item B<-no_cert_checks> |
238 | ||
c4de074e | 239 | Don't perform any additional checks on the OCSP response signers certificate. |
cc5ba6a7 | 240 | That is do not make any checks to see if the signers certificate is authorised |
3b80e3aa | 241 | to provide the necessary status information: as a result this option should |
cc5ba6a7 DSH |
242 | only be used for testing purposes. |
243 | ||
e8769719 | 244 | =item B<-validity_period> I<nsec>, B<-status_age> I<age> |
cc5ba6a7 | 245 | |
c4de074e | 246 | These options specify the range of times, in seconds, which will be tolerated |
6302bbd2 DSH |
247 | in an OCSP response. Each certificate status response includes a B<notBefore> |
248 | time and an optional B<notAfter> time. The current time should fall between | |
249 | these two values, but the interval between the two times may be only a few | |
250 | seconds. In practice the OCSP responder and clients clocks may not be precisely | |
251 | synchronised and so such a check may fail. To avoid this the | |
252 | B<-validity_period> option can be used to specify an acceptable error range in | |
253 | seconds, the default value is 5 minutes. | |
254 | ||
255 | If the B<notAfter> time is omitted from a response then this means that new | |
256 | status information is immediately available. In this case the age of the | |
2f0ea936 | 257 | B<notBefore> field is checked to see it is not older than I<age> seconds old. |
6302bbd2 | 258 | By default this additional check is not performed. |
bfcec27d | 259 | |
e8769719 | 260 | =item B<-rcid> I<digest> |
0770c882 TS |
261 | |
262 | This option sets the digest algorithm to use for certificate identification | |
35a810bb | 263 | in the OCSP response. Any digest supported by the L<openssl-dgst(1)> command can |
0770c882 TS |
264 | be used. The default is the same digest algorithm used in the request. |
265 | ||
8dc57d76 | 266 | =item B<-I<digest>> |
cec2538c | 267 | |
c4de074e | 268 | This option sets digest algorithm to use for certificate identification in the |
6302bbd2 DSH |
269 | OCSP request. Any digest supported by the OpenSSL B<dgst> command can be used. |
270 | The default is SHA-1. This option may be used multiple times to specify the | |
271 | digest used by subsequent certificate identifiers. | |
cec2538c | 272 | |
9fcb9702 RS |
273 | {- $OpenSSL::safe::opt_trust_item -} |
274 | ||
21d08b9e RS |
275 | {- $OpenSSL::safe::opt_v_item -} |
276 | ||
6bd4e3f2 P |
277 | {- $OpenSSL::safe::opt_provider_item -} |
278 | ||
b4b1bdd5 DSH |
279 | =back |
280 | ||
0634424f | 281 | =head2 OCSP Server Options |
534a1ed0 DSH |
282 | |
283 | =over 4 | |
284 | ||
e8769719 | 285 | =item B<-index> I<indexfile> |
534a1ed0 | 286 | |
2f0ea936 | 287 | The I<indexfile> parameter is the name of a text index file in B<ca> |
c4de074e | 288 | format containing certificate revocation information. |
534a1ed0 | 289 | |
35a810bb RL |
290 | If the B<-index> option is specified then this command switches to |
291 | responder mode, otherwise it is in client mode. The request(s) the responder | |
2f0ea936 RL |
292 | processes can be either specified on the command line (using B<-issuer> |
293 | and B<-serial> options), supplied in a file (using the B<-reqin> option) | |
294 | or via external OCSP clients (if B<-port> or B<-url> is specified). | |
534a1ed0 | 295 | |
2f0ea936 | 296 | If the B<-index> option is present then the B<-CA> and B<-rsigner> options |
c4de074e | 297 | must also be present. |
534a1ed0 | 298 | |
e8769719 | 299 | =item B<-CA> I<file> |
534a1ed0 | 300 | |
2f0ea936 RL |
301 | CA certificate corresponding to the revocation information in the index |
302 | file given with B<-index>. | |
b3c5aadf | 303 | The input can be in PEM, DER, or PKCS#12 format. |
534a1ed0 | 304 | |
e8769719 | 305 | =item B<-rsigner> I<file> |
534a1ed0 DSH |
306 | |
307 | The certificate to sign OCSP responses with. | |
308 | ||
e8769719 | 309 | =item B<-rkey> I<file> |
534a1ed0 | 310 | |
c4de074e | 311 | The private key to sign OCSP responses with: if not present the file |
2f0ea936 | 312 | specified in the B<-rsigner> option is used. |
534a1ed0 | 313 | |
1cf20ca3 | 314 | =item B<-passin> I<arg> |
315 | ||
316 | The private key password source. For more information about the format of I<arg> | |
ac093b3f | 317 | see L<openssl-passphrase-options(1)/Pass Phrase Options>. |
1cf20ca3 | 318 | |
49119647 DMSP |
319 | =item B<-rother> I<file> |
320 | ||
321 | Additional certificates to include in the OCSP response. | |
b3c5aadf | 322 | The input can be in PEM, DER, or PKCS#12 format. |
49119647 | 323 | |
e8769719 | 324 | =item B<-rsigopt> I<nm>:I<v> |
89623f84 DC |
325 | |
326 | Pass options to the signature algorithm when signing OCSP responses. | |
327 | Names and values of these options are algorithm-specific. | |
328 | ||
65718c51 RS |
329 | =item B<-rmd> I<digest> |
330 | ||
331 | The digest to use when signing the response. | |
332 | ||
333 | =item B<-badsig> | |
334 | ||
335 | Corrupt the response signature before writing it; this can be useful | |
336 | for testing. | |
337 | ||
49119647 DMSP |
338 | =item B<-resp_no_certs> |
339 | ||
340 | Don't include any certificates in the OCSP response. | |
341 | ||
342 | =item B<-resp_key_id> | |
343 | ||
344 | Identify the signer certificate using the key ID, default is to use the | |
345 | subject name. | |
346 | ||
e8769719 | 347 | =item B<-port> I<portnum> |
534a1ed0 | 348 | |
c4de074e P |
349 | Port to listen for OCSP requests on. The port may also be specified |
350 | using the B<url> option. | |
534a1ed0 | 351 | |
bbe9c3d5 JB |
352 | =item B<-ignore_err> |
353 | ||
354 | Ignore malformed requests or responses: When acting as an OCSP client, retry if | |
355 | a malformed response is received. When acting as an OCSP responder, continue | |
356 | running instead of terminating upon receiving a malformed request. | |
357 | ||
e8769719 | 358 | =item B<-nrequest> I<number> |
534a1ed0 | 359 | |
2f0ea936 | 360 | The OCSP server will exit after receiving I<number> requests, default unlimited. |
534a1ed0 | 361 | |
49119647 DMSP |
362 | =item B<-multi> I<process-count> |
363 | ||
364 | Run the specified number of OCSP responder child processes, with the parent | |
365 | process respawning child processes as needed. | |
366 | Child processes will detect changes in the CA index file and automatically | |
367 | reload it. | |
368 | When running as a responder B<-timeout> option is recommended to limit the time | |
369 | each child is willing to wait for the client's OCSP response. | |
370 | This option is available on POSIX systems (that support the fork() and other | |
371 | required unix system-calls). | |
372 | ||
373 | ||
e8769719 | 374 | =item B<-nmin> I<minutes>, B<-ndays> I<days> |
534a1ed0 | 375 | |
c4de074e P |
376 | Number of minutes or days when fresh revocation information is available: |
377 | used in the B<nextUpdate> field. If neither option is present then the | |
378 | B<nextUpdate> field is omitted meaning fresh revocation information is | |
379 | immediately available. | |
534a1ed0 DSH |
380 | |
381 | =back | |
382 | ||
485d3361 | 383 | =head1 OCSP RESPONSE VERIFICATION |
bfcec27d DSH |
384 | |
385 | OCSP Response follows the rules specified in RFC2560. | |
386 | ||
387 | Initially the OCSP responder certificate is located and the signature on | |
3b80e3aa | 388 | the OCSP request checked using the responder certificate's public key. |
bfcec27d DSH |
389 | |
390 | Then a normal certificate verify is performed on the OCSP responder certificate | |
391 | building up a certificate chain in the process. The locations of the trusted | |
fd3397fc RL |
392 | certificates used to build the chain can be specified by the B<-CAfile>, |
393 | B<-CApath> or B<-CAstore> options or they will be looked for in the | |
394 | standard OpenSSL certificates directory. | |
bfcec27d DSH |
395 | |
396 | If the initial verify fails then the OCSP verify process halts with an | |
397 | error. | |
398 | ||
399 | Otherwise the issuing CA certificate in the request is compared to the OCSP | |
400 | responder certificate: if there is a match then the OCSP verify succeeds. | |
401 | ||
402 | Otherwise the OCSP responder certificate's CA is checked against the issuing | |
403 | CA certificate in the request. If there is a match and the OCSPSigning | |
404 | extended key usage is present in the OCSP responder certificate then the | |
405 | OCSP verify succeeds. | |
406 | ||
384dee51 DSH |
407 | Otherwise, if B<-no_explicit> is B<not> set the root CA of the OCSP responders |
408 | CA is checked to see if it is trusted for OCSP signing. If it is the OCSP | |
409 | verify succeeds. | |
bfcec27d DSH |
410 | |
411 | If none of these checks is successful then the OCSP verify fails. | |
412 | ||
413 | What this effectively means if that if the OCSP responder certificate is | |
414 | authorised directly by the CA it is issuing revocation information about | |
415 | (and it is correctly configured) then verification will succeed. | |
416 | ||
417 | If the OCSP responder is a "global responder" which can give details about | |
418 | multiple CAs and has its own separate certificate chain then its root | |
cc5ba6a7 | 419 | CA can be trusted for OCSP signing. For example: |
bfcec27d DSH |
420 | |
421 | openssl x509 -in ocspCA.pem -addtrust OCSPSigning -out trustedCA.pem | |
422 | ||
cc5ba6a7 DSH |
423 | Alternatively the responder certificate itself can be explicitly trusted |
424 | with the B<-VAfile> option. | |
b4b1bdd5 | 425 | |
cc5ba6a7 | 426 | =head1 NOTES |
b4b1bdd5 | 427 | |
cc5ba6a7 | 428 | As noted, most of the verify options are for testing or debugging purposes. |
fd3397fc RL |
429 | Normally only the B<-CApath>, B<-CAfile>, B<-CAstore> and (if the responder |
430 | is a 'global VA') B<-VAfile> options need to be used. | |
b4b1bdd5 | 431 | |
534a1ed0 DSH |
432 | The OCSP server is only useful for test and demonstration purposes: it is |
433 | not really usable as a full OCSP responder. It contains only a very | |
434 | simple HTTP request handling and can only handle the POST form of OCSP | |
435 | queries. It also handles requests serially meaning it cannot respond to | |
436 | new requests until it has processed the current one. The text index file | |
437 | format of revocation is also inefficient for large quantities of revocation | |
438 | data. | |
439 | ||
35a810bb | 440 | It is possible to run this command in responder mode via a CGI |
2f0ea936 | 441 | script using the B<-reqin> and B<-respout> options. |
534a1ed0 | 442 | |
b4b1bdd5 DSH |
443 | =head1 EXAMPLES |
444 | ||
445 | Create an OCSP request and write it to a file: | |
446 | ||
447 | openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der | |
448 | ||
1bc74519 | 449 | Send a query to an OCSP responder with URL http://ocsp.myhost.com/ save the |
21c6c50f | 450 | response to a file, print it out in text form, and verify the response: |
b4b1bdd5 DSH |
451 | |
452 | openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \ | |
cc5ba6a7 | 453 | -url http://ocsp.myhost.com/ -resp_text -respout resp.der |
b4b1bdd5 DSH |
454 | |
455 | Read in an OCSP response and print out text form: | |
456 | ||
21c6c50f | 457 | openssl ocsp -respin resp.der -text -noverify |
b4b1bdd5 | 458 | |
534a1ed0 DSH |
459 | OCSP server on port 8888 using a standard B<ca> configuration, and a separate |
460 | responder certificate. All requests and responses are printed to a file. | |
461 | ||
462 | openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem | |
1bc74519 | 463 | -text -out log.txt |
534a1ed0 DSH |
464 | |
465 | As above but exit after processing one request: | |
466 | ||
467 | openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem | |
468 | -nrequest 1 | |
469 | ||
21c6c50f | 470 | Query status information using an internally generated request: |
534a1ed0 DSH |
471 | |
472 | openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem | |
473 | -issuer demoCA/cacert.pem -serial 1 | |
474 | ||
21c6c50f BK |
475 | Query status information using request read from a file, and write the response |
476 | to a second file. | |
534a1ed0 DSH |
477 | |
478 | openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem | |
479 | -reqin req.der -respout resp.der | |
fa7b0111 MC |
480 | |
481 | =head1 HISTORY | |
482 | ||
fc5ecadd | 483 | The -no_alt_chains option was added in OpenSSL 1.1.0. |
fa7b0111 | 484 | |
e2f92610 RS |
485 | =head1 COPYRIGHT |
486 | ||
33388b44 | 487 | Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. |
e2f92610 | 488 | |
449040b4 | 489 | Licensed under the Apache License 2.0 (the "License"). You may not use |
e2f92610 RS |
490 | this file except in compliance with the License. You can obtain a copy |
491 | in the file LICENSE in the source distribution or at | |
492 | L<https://www.openssl.org/source/license.html>. | |
493 | ||
494 | =cut |