=pod

=head1 NAME

openssl-ocsp - Online Certificate Status Protocol utility

=head1 SYNOPSIS

B<openssl> B<ocsp>
[B<-help>]
[B<-out> I<file>]
[B<-issuer> I<file>]
[B<-cert> I<file>]
[B<-serial> I<n>]
[B<-signer> I<file>]
[B<-signkey> I<file>]
[B<-sign_other> I<file>]
[B<-no_certs>]
[B<-req_text>]
[B<-resp_text>]
[B<-text>]
[B<-reqout> I<file>]
[B<-respout> I<file>]
[B<-reqin> I<file>]
[B<-respin> I<file>]
[B<-nonce>]
[B<-no_nonce>]
[B<-url> I<URL>]
[B<-host> I<host:port>]
[B<-multi> I<process-count>]
[B<-header> I<name=value>]
[B<-path>]
[B<-timeout> I<seconds>]
[B<-CApath> I<dir>]
[B<-CAfile> I<file>]
[B<-no-CAfile>]
[B<-no-CApath>]
[B<-attime> I<timestamp>]
[B<-check_ss_sig>]
[B<-crl_check>]
[B<-crl_check_all>]
[B<-explicit_policy>]
[B<-extended_crl>]
[B<-ignore_critical>]
[B<-inhibit_any>]
[B<-inhibit_map>]
[B<-no_check_time>]
[B<-partial_chain>]
[B<-policy> I<arg>]
[B<-policy_check>]
[B<-policy_print>]
[B<-purpose> I<purpose>]
[B<-suiteB_128>]
[B<-suiteB_128_only>]
[B<-suiteB_192>]
[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-use_deltas>]
[B<-auth_level> I<num>]
[B<-verify_depth> I<num>]
[B<-verify_email> I<email>]
[B<-verify_hostname> I<hostname>]
[B<-verify_ip> I<ip>]
[B<-verify_name> I<name>]
[B<-x509_strict>]
[B<-VAfile> I<file>]
[B<-validity_period> I<n>]
[B<-status_age> I<n>]
[B<-noverify>]
[B<-verify_other> I<file>]
[B<-trust_other>]
[B<-no_intern>]
[B<-no_signature_verify>]
[B<-no_cert_verify>]
[B<-no_chain>]
[B<-no_cert_checks>]
[B<-no_explicit>]
[B<-port> I<num>]
[B<-ignore_err>]
[B<-index> I<file>]
[B<-CA> I<file>]
[B<-rsigner> I<file>]
[B<-rkey> I<file>]
[B<-rother> I<file>]
[B<-rsigopt> I<nm>:I<v>]
[B<-resp_no_certs>]
[B<-nmin> I<n>]
[B<-ndays> I<n>]
[B<-resp_key_id>]
[B<-nrequest> I<n>]
[B<-rcid> I<digest>]
[B<->I<digest>]

=for comment ifdef multi

=head1 DESCRIPTION

The Online Certificate Status Protocol (OCSP) enables applications to
determine the (revocation) state of an identified certificate (RFC 2560).

The B<ocsp> command performs many common OCSP tasks. It can be used
to print out requests and responses, create requests and send queries
to an OCSP responder and behave like a mini OCSP server itself.

=head1 OPTIONS

This command operates as either a client or a server.
The options are described below, divided into those two modes.

=head2 OCSP Client Options

=over 4

=item B<-help>

Print out a usage message.

=item B<-out> I<filename>

Specify the output filename; the default is standard output.

=item B<-issuer> I<filename>

This specifies the current issuer certificate. This option can be used
multiple times. The certificate specified in B<filename> must be in
PEM format. This option B<MUST> come before any B<-cert> options.

=item B<-cert> I<filename>

Add the certificate B<filename> to the request. The issuer certificate
is taken from the previous B<-issuer> option, or an error occurs if no
issuer certificate is specified.

=item B<-serial> I<num>

Same as the B<-cert> option except that the certificate with serial number
B<num> is added to the request. The serial number is interpreted as a
decimal integer unless preceded by B<0x>. Negative integers can also
be specified by preceding the value with a B<-> sign.

=item B<-signer> I<filename>, B<-signkey> I<filename>

Sign the OCSP request using the certificate specified in the B<-signer>
option and the private key specified by the B<-signkey> option. If
the B<-signkey> option is not present then the private key is read
from the same file as the certificate. If neither option is specified then
the OCSP request is not signed.

=item B<-sign_other> I<filename>

Additional certificates to include in the signed request.

=item B<-nonce>, B<-no_nonce>

Add an OCSP nonce extension to a request or disable OCSP nonce addition.
Normally if an OCSP request is input using the B<-reqin> option no
nonce is added; using the B<-nonce> option will force addition of a nonce.
If an OCSP request is being created (using the B<-cert> and B<-serial> options)
a nonce is automatically added; specifying B<-no_nonce> overrides this.

=item B<-req_text>, B<-resp_text>, B<-text>

Print out the text form of the OCSP request, response or both respectively.

=item B<-reqout> I<file>, B<-respout> I<file>

Write out the DER encoded certificate request or response to B<file>.

=item B<-reqin> I<file>, B<-respin> I<file>

Read the OCSP request or response from B<file>. These options are ignored
if OCSP request or response creation is implied by other options (for example
with the B<-serial>, B<-cert> and B<-host> options).

=item B<-url> I<responder_url>

Specify the responder URL. Both HTTP and HTTPS (SSL/TLS) URLs can be specified.

=item B<-host> I<hostname:port>, B<-path> I<pathname>

If the B<-host> option is present then the OCSP request is sent to the host
B<hostname> on port B<port>. B<-path> specifies the HTTP path name to use,
or "/" by default. This is equivalent to specifying B<-url> with scheme
http:// and the given hostname, port, and pathname.

=item B<-header> I<name=value>

Adds the header B<name> with the specified B<value> to the OCSP request
that is sent to the responder.
This may be repeated.

=item B<-timeout> I<seconds>

Connection timeout to the OCSP responder in seconds.
On POSIX systems, when running as an OCSP responder, this option also limits
the time that the responder is willing to wait for the client request.
This time is measured from the time the responder accepts the connection until
the complete request is received.

=item B<-multi> I<process-count>

Run the specified number of OCSP responder child processes, with the parent
process respawning child processes as needed.
Child processes will detect changes in the CA index file and automatically
reload it.
When running as a responder the B<-timeout> option is recommended to limit the
time each child is willing to wait for the client's OCSP request.
This option is available on POSIX systems (those that support fork() and the
other required Unix system calls).

=item B<-CAfile> I<file>, B<-CApath> I<pathname>

File or pathname containing trusted CA certificates. These are used to verify
the signature on the OCSP response.

=item B<-no-CAfile>

Do not load the trusted CA certificates from the default file location.

=item B<-no-CApath>

Do not load the trusted CA certificates from the default directory location.

=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
B<-inhibit_map>, B<-no_alt_chains>, B<-no_check_time>, B<-partial_chain>, B<-policy>,
B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
B<-verify_ip>, B<-verify_name>, B<-x509_strict>

Set different certificate verification options.
See the L<verify(1)> manual page for details.

=item B<-verify_other> I<file>

File containing additional certificates to search when attempting to locate
the OCSP response signing certificate. Some responders omit the actual signer's
certificate from the response: this option can be used to supply the necessary
certificate in such cases.

=item B<-trust_other>

The certificates specified by the B<-verify_other> option should be explicitly
trusted and no additional checks will be performed on them. This is useful
when the complete responder certificate chain is not available or trusting a
root CA is not appropriate.

=item B<-VAfile> I<file>

File containing explicitly trusted responder certificates. Equivalent to the
B<-verify_other> and B<-trust_other> options.

=item B<-noverify>

Don't attempt to verify the OCSP response signature or the nonce
values. This option will normally only be used for debugging since it
disables all verification of the responder's certificate.

=item B<-no_intern>

Ignore certificates contained in the OCSP response when searching for the
signer's certificate. With this option the signer's certificate must be specified
with either the B<-verify_other> or B<-VAfile> options.

=item B<-no_signature_verify>

Don't check the signature on the OCSP response. Since this option
tolerates invalid signatures on OCSP responses it will normally only be
used for testing purposes.

=item B<-no_cert_verify>

Don't verify the OCSP response signer's certificate at all. Since this
option allows the OCSP response to be signed by any certificate it should
only be used for testing purposes.

=item B<-no_chain>

Do not use certificates in the response as additional untrusted CA
certificates.

=item B<-no_explicit>

Do not explicitly trust the root CA if it is set to be trusted for OCSP signing.

=item B<-no_cert_checks>

Don't perform any additional checks on the OCSP response signer's certificate.
That is, do not make any checks to see if the signer's certificate is authorised
to provide the necessary status information: as a result this option should
only be used for testing purposes.

=item B<-validity_period> I<nsec>, B<-status_age> I<age>

These options specify the range of times, in seconds, which will be tolerated
in an OCSP response. Each certificate status response includes a B<notBefore>
time and an optional B<notAfter> time. The current time should fall between
these two values, but the interval between the two times may be only a few
seconds. In practice the OCSP responder's and client's clocks may not be precisely
synchronised and so such a check may fail. To avoid this the
B<-validity_period> option can be used to specify an acceptable error range in
seconds; the default value is 5 minutes.

If the B<notAfter> time is omitted from a response then this means that new
status information is immediately available. In this case the age of the
B<notBefore> field is checked to see that it is not older than B<age> seconds.
By default this additional check is not performed.

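The following Python program is an added example, not OpenSSL's own code, modelling
the time checks that B<-validity_period> and B<-status_age> configure exactly as the
two paragraphs above describe them: a skew tolerance applied to both ends of the
B<notBefore>/B<notAfter> window, and an optional age bound on B<notBefore> that only
applies when B<notAfter> is absent. The timestamps in it are constructed, and the
helper names C<utc>, C<shift> and C<check_status_times> are this example's own.

```python
# Added example (not OpenSSL's own code): a model of the time-tolerance checks that
# -validity_period and -status_age configure, written from the man page's description.
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# The man page gives the -validity_period default as 5 minutes.
DEFAULT_VALIDITY_PERIOD = 300


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0, second: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp (OCSP times are GeneralizedTime in UTC)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def shift(t: datetime, seconds: int) -> datetime:
    """Return t moved by the given number of seconds (negative moves into the past)."""
    return t + timedelta(seconds=seconds)


def check_status_times(
    not_before: datetime,
    not_after: Optional[datetime],
    now: datetime,
    validity_period: int = DEFAULT_VALIDITY_PERIOD,
    status_age: Optional[int] = None,
) -> Tuple[bool, str]:
    """Decide whether one certificate status is acceptable at time `now`.

    not_before / not_after are the status validity bounds named in the man page
    (RFC 2560 calls them thisUpdate / nextUpdate); not_after may be None.
    validity_period is the tolerated clock skew in seconds (-validity_period).
    status_age, if given, is the maximum age in seconds of not_before that is
    tolerated when not_after is absent (-status_age).  Returns (accepted, reason).
    """
    skew = timedelta(seconds=validity_period)

    # The status must not claim to start further in the future than the tolerance.
    if not_before > now + skew:
        return False, "rejected: notBefore is more than validity_period in the future"

    if not_after is not None:
        # An inverted window is malformed rather than merely stale.
        if not_after < not_before:
            return False, "rejected: notAfter precedes notBefore"
        # The window may be only seconds wide, so the same tolerance applies here.
        if not_after < now - skew:
            return False, "rejected: notAfter is more than validity_period in the past"
        return True, "accepted: now lies within [notBefore, notAfter] allowing for skew"

    # No notAfter: newer information is immediately available, and the only
    # freshness check is the optional -status_age bound, which is off by default.
    if status_age is not None and not_before < now - timedelta(seconds=status_age):
        return False, "rejected: notBefore is older than status_age seconds"
    return True, "accepted: no notAfter, and notBefore is within the status_age limit"


if __name__ == "__main__":
    # Constructed timestamps: the responder's clock runs 90 s ahead of the client's.
    now = utc(2024, 1, 1, 12, 0, 0)
    window = (shift(now, 90), shift(now, 120))
    print(check_status_times(*window, now))                     # accepted (90 s < 5 min)
    print(check_status_times(*window, now, validity_period=0))  # rejected: no skew tolerated
    print(check_status_times(shift(now, -86400), None, now, status_age=3600))  # rejected: too old
```

Note that with the default tolerance a response whose window is only a few
seconds wide, produced by a responder whose clock is a minute or two off, is
still accepted, which is the situation the B<-validity_period> text describes;
setting the tolerance to zero makes that same response fail.
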
=item B<-rcid> I<digest>

This option sets the digest algorithm to use for certificate identification
in the OCSP response. Any digest supported by the OpenSSL B<dgst> command can
be used. The default is the same digest algorithm used in the request.

=item B<->I<digest>

This option sets the digest algorithm to use for certificate identification in the
OCSP request. Any digest supported by the OpenSSL B<dgst> command can be used.
The default is SHA-1. This option may be used multiple times to specify the
digest used by subsequent certificate identifiers.

=back

=head2 OCSP Server Options

=over 4

=item B<-index> I<indexfile>

The B<indexfile> parameter is the name of a text index file in B<ca>
format containing certificate revocation information.

If the B<-index> option is specified the B<ocsp> utility is in responder
mode, otherwise it is in client mode. The request(s) the responder
processes can be either specified on the command line (using the B<-issuer>
and B<-serial> options), supplied in a file (using the B<-reqin> option)
or via external OCSP clients (if B<-port> or B<-url> is specified).

If the B<-index> option is present then the B<-CA> and B<-rsigner> options
must also be present.

=item B<-CA> I<file>

CA certificate corresponding to the revocation information in B<indexfile>.

=item B<-rsigner> I<file>

The certificate to sign OCSP responses with.

=item B<-rother> I<file>

Additional certificates to include in the OCSP response.

=item B<-resp_no_certs>

Don't include any certificates in the OCSP response.

=item B<-resp_key_id>

Identify the signer certificate using the key ID; the default is to use the
subject name.

=item B<-rkey> I<file>

The private key to sign OCSP responses with: if not present the file
specified in the B<-rsigner> option is used.

=item B<-rsigopt> I<nm>:I<v>

Pass options to the signature algorithm when signing OCSP responses.
Names and values of these options are algorithm-specific.

=item B<-port> I<portnum>

Port to listen for OCSP requests on. The port may also be specified
using the B<-url> option.

=item B<-ignore_err>

Ignore malformed requests or responses: when acting as an OCSP client, retry if
a malformed response is received. When acting as an OCSP responder, continue
running instead of terminating upon receiving a malformed request.

=item B<-nrequest> I<number>

The OCSP server will exit after receiving B<number> requests; the default is
unlimited.

=item B<-nmin> I<minutes>, B<-ndays> I<days>

Number of minutes or days until fresh revocation information is available;
used in the B<nextUpdate> field. If neither option is present then the
B<nextUpdate> field is omitted, meaning fresh revocation information is
immediately available.

=back

=head1 OCSP RESPONSE VERIFICATION

OCSP response verification follows the rules specified in RFC 2560.

Initially the OCSP responder certificate is located and the signature on
the OCSP response is checked using the responder certificate's public key.

Then a normal certificate verify is performed on the OCSP responder certificate,
building up a certificate chain in the process. The locations of the trusted
certificates used to build the chain can be specified by the B<-CAfile>
and B<-CApath> options, or they will be looked for in the standard OpenSSL
certificates directory.

If the initial verify fails then the OCSP verify process halts with an
error.

Otherwise the issuing CA certificate in the request is compared to the OCSP
responder certificate: if there is a match then the OCSP verify succeeds.

Otherwise the OCSP responder certificate's CA is checked against the issuing
CA certificate in the request. If there is a match and the OCSPSigning
extended key usage is present in the OCSP responder certificate then the
OCSP verify succeeds.

Otherwise, if B<-no_explicit> is B<not> set, the root CA of the OCSP responder's
CA is checked to see if it is trusted for OCSP signing. If it is, the OCSP
verify succeeds.

If none of these checks is successful then the OCSP verify fails.

What this effectively means is that if the OCSP responder certificate is
authorised directly by the CA it is issuing revocation information about
(and it is correctly configured) then verification will succeed.

If the OCSP responder is a "global responder" which can give details about
multiple CAs and has its own separate certificate chain then its root
CA can be trusted for OCSP signing. For example:

 openssl x509 -in ocspCA.pem -addtrust OCSPSigning -out trustedCA.pem

Alternatively the responder certificate itself can be explicitly trusted
with the B<-VAfile> option.

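The following Python program is an added example, not OpenSSL's own code, that walks
through the acceptance rules of this section in the order given: signature check,
normal chain verify, responder-is-the-CA, delegated responder with the OCSPSigning
extended key usage, and finally the root trusted for OCSP signing unless
B<-no_explicit> is set. The certificates are constructed records (names, issuer
names, extended key usages and trust purposes), signature verification is
represented by a flag, and the C<Cert>, C<Store> and C<verify_ocsp_responder>
names are this example's own; real verification does full X.509 path validation.

```python
# Added example (not OpenSSL's own code): a model of the responder-authorisation
# decision chain described above, using constructed certificate records.
# Signature checking and chain building are reduced to a flag and name lookups so
# that the order of the rules stays visible; real code does full X.509 verification.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence, Tuple

OCSP_SIGNING = "OCSPSigning"   # the extended key usage / trust purpose the page names


@dataclass(frozen=True)
class Cert:
    name: str                              # subject name
    issuer: str                            # issuer's subject name; equals name for a root
    eku: FrozenSet[str] = frozenset()      # extended key usages in the certificate
    trust: FrozenSet[str] = frozenset()    # explicit trust purposes, e.g. from x509 -addtrust


class Store:
    """Trusted roots (-CAfile/-CApath) plus untrusted extra certs (-verify_other, response)."""

    def __init__(self, trusted: Sequence[Cert], untrusted: Sequence[Cert] = ()):
        self.trusted = {c.name: c for c in trusted}
        self.untrusted = {c.name: c for c in untrusted}

    def build_chain(self, leaf: Cert) -> Optional[List[Cert]]:
        """The 'normal certificate verify': walk issuers up to a trusted root, else None."""
        chain, seen, current = [leaf], {leaf.name}, leaf
        while current.name not in self.trusted:
            parent = self.untrusted.get(current.issuer) or self.trusted.get(current.issuer)
            if parent is None or parent.name in seen:
                return None   # no path to a trusted root, or a loop: verify fails
            chain.append(parent)
            seen.add(parent.name)
            current = parent
        return chain


def verify_ocsp_responder(responder: Cert, issuer_ca: Cert, store: Store,
                          signature_valid: bool = True,
                          no_explicit: bool = False) -> Tuple[bool, str]:
    """Apply the man page's acceptance rules in order; return (accepted, reason)."""
    # 1. The response signature must verify with the located responder certificate.
    if not signature_valid:
        return False, "response signature does not verify with the responder's key"
    # 2. The responder certificate must pass a normal verify (chain to a trusted root).
    chain = store.build_chain(responder)
    if chain is None:
        return False, "responder certificate does not chain to a trusted CA"
    # 3. The responder certificate is the issuing CA certificate itself.
    if responder == issuer_ca:
        return True, "responder is the issuing CA"
    # 4. Delegated responder: issued by the CA and carrying the OCSPSigning EKU.
    if responder.issuer == issuer_ca.name and OCSP_SIGNING in responder.eku:
        return True, "responder is delegated by the issuing CA (OCSPSigning EKU)"
    # 5. Global responder: the root of its own chain is explicitly trusted for
    #    OCSP signing.  -no_explicit switches this rule off.
    if not no_explicit and OCSP_SIGNING in chain[-1].trust:
        return True, "responder's root CA is explicitly trusted for OCSP signing"
    return False, "responder certificate is not authorised for this issuer"


# Constructed certificates for illustration; none of these are real.
ROOT = Cert("Example Root CA", "Example Root CA")
ISSUER = Cert("Example Issuing CA", "Example Root CA")
DELEGATE = Cert("Example OCSP Responder", "Example Issuing CA", eku=frozenset({OCSP_SIGNING}))
PLAIN_LEAF = Cert("Example Web Server", "Example Issuing CA")          # no OCSPSigning EKU
GLOBAL_ROOT = Cert("Global VA Root", "Global VA Root", trust=frozenset({OCSP_SIGNING}))
GLOBAL_VA = Cert("Global VA Responder", "Global VA Root", eku=frozenset({OCSP_SIGNING}))

# Trusted roots as loaded by -CAfile; GLOBAL_ROOT stands for the x509 -addtrust output.
STORE = Store(trusted=[ROOT, GLOBAL_ROOT], untrusted=[ISSUER, DELEGATE, PLAIN_LEAF, GLOBAL_VA])

if __name__ == "__main__":
    for responder in (ISSUER, DELEGATE, PLAIN_LEAF, GLOBAL_VA):
        print(responder.name, "->", verify_ocsp_responder(responder, ISSUER, STORE))
    print("with -no_explicit:", verify_ocsp_responder(GLOBAL_VA, ISSUER, STORE, no_explicit=True))
```

The C<PLAIN_LEAF> case is the one worth noticing: it chains to a trusted root and
was issued by the same CA as the certificate being checked, yet it is rejected,
because a certificate issued by the CA is only accepted as a responder when it
also carries the OCSPSigning extended key usage. That is the check that
B<-no_cert_checks> switches off, which is why the page reserves that option for
testing.
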
=head1 NOTES

As noted, most of the verify options are for testing or debugging purposes.
Normally only the B<-CApath>, B<-CAfile> and (if the responder is a 'global
VA') B<-VAfile> options need to be used.

The OCSP server is only useful for test and demonstration purposes: it is
not really usable as a full OCSP responder. It contains only very
simple HTTP request handling and can only handle the POST form of OCSP
queries. It also handles requests serially, meaning it cannot respond to
new requests until it has processed the current one. The text index file
format of revocation is also inefficient for large quantities of revocation
data.

It is possible to run the B<ocsp> application in responder mode via a CGI
script using the B<-reqin> and B<-respout> options.

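The following Python program is an added example, not part of OpenSSL, of the CGI
arrangement the preceding paragraph mentions: the web server receives the OCSP
POST, the script writes the DER request to a temporary file, runs B<openssl ocsp>
in responder mode with B<-index>, B<-CA>, B<-rsigner>, B<-reqin> and
B<-respout>, and returns the DER response with the OCSP media type. The file
names in C<CONFIG> are placeholders taken from the EXAMPLES section, the
C<run> parameter exists so the command can be substituted when exercising the
script without a real CA, and the C<handle_cgi> and C<build_responder_argv> names
are this example's own. The C<application/ocsp-request> and
C<application/ocsp-response> media types are those defined for OCSP over HTTP.

```python
# Added example (not part of OpenSSL): a minimal CGI front end for the responder mode
# described above.  Each HTTP POST body is written to a temporary file, handed to
# "openssl ocsp -index ... -reqin FILE -respout FILE", and the DER response is returned
# with the OCSP content type.  Paths in CONFIG are placeholders, not a real deployment.
import os
import subprocess
import sys
import tempfile
from typing import Callable, Dict, List, Mapping, Optional, Tuple

OCSP_REQUEST_CT = "application/ocsp-request"     # OCSP over HTTP media types
OCSP_RESPONSE_CT = "application/ocsp-response"

# Placeholder responder configuration (file names follow the man page's examples).
CONFIG: Dict[str, Optional[str]] = {
    "index": "demoCA/index.txt",
    "ca": "demoCA/cacert.pem",
    "rsigner": "rcert.pem",
    "rkey": None,          # None: the key is read from the -rsigner file, as the page says
}

Runner = Callable[[List[str]], Tuple[int, bytes]]   # argv -> (exit status, diagnostics)


def build_responder_argv(index: str, ca: str, rsigner: str, rkey: Optional[str],
                         req_path: str, resp_path: str, openssl: str = "openssl") -> List[str]:
    """Compose the responder-mode command line from the page's -index/-CA/-rsigner options."""
    argv = [openssl, "ocsp", "-index", index, "-CA", ca, "-rsigner", rsigner,
            "-reqin", req_path, "-respout", resp_path]
    if rkey:
        argv += ["-rkey", rkey]
    return argv


def run_openssl(argv: List[str]) -> Tuple[int, bytes]:
    """Run the command; its text output (not the DER response) is returned for logging."""
    proc = subprocess.run(argv, capture_output=True)
    return proc.returncode, proc.stdout + proc.stderr


def handle_cgi(env: Mapping[str, str], body: bytes, config: Mapping[str, Optional[str]],
               run: Runner = run_openssl) -> Tuple[int, str, bytes]:
    """Return (HTTP status, content type, response body) for one CGI invocation."""
    # Like the built-in server, this wrapper accepts only the POST form of OCSP.
    if env.get("REQUEST_METHOD") != "POST":
        return 405, "text/plain", b"only POST is supported\n"
    media_type = env.get("CONTENT_TYPE", "").split(";", 1)[0].strip().lower()
    if media_type != OCSP_REQUEST_CT:
        return 415, "text/plain", b"expected application/ocsp-request\n"
    if not body:
        return 400, "text/plain", b"empty request body\n"
    with tempfile.TemporaryDirectory() as tmp:
        req_path = os.path.join(tmp, "req.der")
        resp_path = os.path.join(tmp, "resp.der")
        with open(req_path, "wb") as f:
            f.write(body)
        argv = build_responder_argv(str(config["index"]), str(config["ca"]),
                                    str(config["rsigner"]), config["rkey"],
                                    req_path, resp_path)
        status, diagnostics = run(argv)
        if status != 0 or not os.path.exists(resp_path):
            sys.stderr.write(diagnostics.decode("utf-8", "replace"))  # goes to the server log
            return 500, "text/plain", b"responder failed\n"
        with open(resp_path, "rb") as f:
            return 200, OCSP_RESPONSE_CT, f.read()


def emit(status: int, content_type: str, body: bytes) -> None:
    """Write a CGI response (Status header form) to stdout."""
    head = f"Status: {status}\r\nContent-Type: {content_type}\r\nContent-Length: {len(body)}\r\n\r\n"
    sys.stdout.buffer.write(head.encode("ascii") + body)
    sys.stdout.buffer.flush()


if __name__ == "__main__":
    length = int(os.environ.get("CONTENT_LENGTH") or 0)
    emit(*handle_cgi(os.environ, sys.stdin.buffer.read(length), CONFIG))
```

Because the responder is started once per request, this arrangement inherits
the serial handling the NOTES describe and adds a process start per query, so it
is suited to the same test and demonstration use as the built-in server; the
web server's error log receives the B<ocsp> diagnostics when a request fails.
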
=head1 EXAMPLES

Create an OCSP request and write it to a file:

 openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der

Send a query to an OCSP responder with URL http://ocsp.myhost.com/, save the
response to a file, print it out in text form, and verify the response:

 openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \
     -url http://ocsp.myhost.com/ -resp_text -respout resp.der

Read in an OCSP response and print out its text form:

 openssl ocsp -respin resp.der -text -noverify

OCSP server on port 8888 using a standard B<ca> configuration, and a separate
responder certificate. All requests and responses are printed to a file.

 openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem \
     -text -out log.txt

As above but exit after processing one request:

 openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem \
     -nrequest 1

Query status information using an internally generated request:

 openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem \
     -issuer demoCA/cacert.pem -serial 1

Query status information using a request read from a file, and write the response
to a second file:

 openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem \
     -reqin req.der -respout resp.der

=head1 HISTORY

The B<-no_alt_chains> option was added in OpenSSL 1.1.0.

=head1 COPYRIGHT

Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut