=pod

=head1 NAME

openssl-ocsp - Online Certificate Status Protocol utility

=head1 SYNOPSIS

B<openssl> B<ocsp>
[B<-help>]
[B<-out file>]
[B<-issuer file>]
[B<-cert file>]
[B<-serial n>]
[B<-signer file>]
[B<-signkey file>]
[B<-sign_other file>]
[B<-no_certs>]
[B<-req_text>]
[B<-resp_text>]
[B<-text>]
[B<-reqout file>]
[B<-respout file>]
[B<-reqin file>]
[B<-respin file>]
[B<-nonce>]
[B<-no_nonce>]
[B<-url URL>]
[B<-host host:port>]
[B<-multi process-count>]
[B<-header name=value>]
[B<-path pathname>]
[B<-timeout seconds>]
[B<-CApath dir>]
[B<-CAfile file>]
[B<-no-CAfile>]
[B<-no-CApath>]
[B<-attime timestamp>]
[B<-check_ss_sig>]
[B<-crl_check>]
[B<-crl_check_all>]
[B<-explicit_policy>]
[B<-extended_crl>]
[B<-ignore_critical>]
[B<-inhibit_any>]
[B<-inhibit_map>]
[B<-no_check_time>]
[B<-partial_chain>]
[B<-policy arg>]
[B<-policy_check>]
[B<-policy_print>]
[B<-purpose purpose>]
[B<-suiteB_128>]
[B<-suiteB_128_only>]
[B<-suiteB_192>]
[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-use_deltas>]
[B<-auth_level num>]
[B<-verify_depth num>]
[B<-verify_email email>]
[B<-verify_hostname hostname>]
[B<-verify_ip ip>]
[B<-verify_name name>]
[B<-x509_strict>]
[B<-VAfile file>]
[B<-validity_period n>]
[B<-status_age n>]
[B<-noverify>]
[B<-verify_other file>]
[B<-trust_other>]
[B<-no_intern>]
[B<-no_signature_verify>]
[B<-no_cert_verify>]
[B<-no_chain>]
[B<-no_cert_checks>]
[B<-no_explicit>]
[B<-port num>]
[B<-ignore_err>]
[B<-index file>]
[B<-CA file>]
[B<-rsigner file>]
[B<-rkey file>]
[B<-rother file>]
[B<-rsigopt nm:v>]
[B<-resp_no_certs>]
[B<-nmin n>]
[B<-ndays n>]
[B<-resp_key_id>]
[B<-nrequest n>]
[B<-rcid I<digest>>]
[B<-I<digest>>]

=head1 DESCRIPTION

The Online Certificate Status Protocol (OCSP) enables applications to
determine the (revocation) state of an identified certificate (RFC 2560,
since obsoleted by RFC 6960).

The B<ocsp> command performs many common OCSP tasks. It can be used
to print out requests and responses, create requests and send queries
to an OCSP responder and behave like a mini OCSP server itself.

=head1 OPTIONS

This command operates as either a client or a server.
The options are described below, divided into those two modes.

=head2 OCSP Client Options

=over 4

=item B<-help>

Print out a usage message.

=item B<-out filename>

Specify the output filename; the default is standard output.

=item B<-issuer filename>

This specifies the current issuer certificate. This option can be used
multiple times. The certificate specified in B<filename> must be in
PEM format. This option B<MUST> come before any B<-cert> options.

=item B<-cert filename>

Add the certificate B<filename> to the request. The issuer certificate
is taken from the previous B<-issuer> option, or an error occurs if no
issuer certificate is specified.

=item B<-serial num>

Same as the B<-cert> option except the certificate with serial number
B<num> is added to the request. The serial number is interpreted as a
decimal integer unless preceded by B<0x>. Negative integers can also
be specified by preceding the value by a B<-> sign.

=item B<-signer filename>, B<-signkey filename>

Sign the OCSP request using the certificate specified in the B<-signer>
option and the private key specified by the B<-signkey> option. If
the B<-signkey> option is not present then the private key is read
from the same file as the certificate. If neither option is specified then
the OCSP request is not signed.

=item B<-sign_other filename>

Additional certificates to include in the signed request.

=item B<-nonce>, B<-no_nonce>

Add an OCSP nonce extension to a request or disable OCSP nonce addition.
Normally if an OCSP request is input using the B<-reqin> option no
nonce is added: using the B<-nonce> option will force addition of a nonce.
If an OCSP request is being created (using the B<-cert> and B<-serial> options)
a nonce is automatically added; specifying B<-no_nonce> overrides this.

=item B<-req_text>, B<-resp_text>, B<-text>

Print out the text form of the OCSP request, response or both respectively.

=item B<-reqout file>, B<-respout file>

Write out the DER encoded OCSP request or response to B<file>.

=item B<-reqin file>, B<-respin file>

Read an OCSP request or response from B<file>. These options are ignored
if OCSP request or response creation is implied by other options (for example
the B<-serial> and B<-cert> options build a request, and the B<-host> and
B<-url> options fetch a response).

=item B<-url responder_url>

Specify the responder URL. Both HTTP and HTTPS (SSL/TLS) URLs can be specified.

=item B<-host hostname:port>, B<-path pathname>

If the B<-host> option is present then the OCSP request is sent to the host
B<hostname> on port B<port>. B<-path> specifies the HTTP path name to use
or "/" by default. This is equivalent to specifying B<-url> with scheme
http:// and the given hostname, port, and pathname.

=item B<-header name=value>

Adds the header B<name> with the specified B<value> to the OCSP request
that is sent to the responder.
This may be repeated.

=item B<-timeout seconds>

Connection timeout to the OCSP responder in seconds.
On POSIX systems, when running as an OCSP responder, this option also limits
the time that the responder is willing to wait for the client request.
This time is measured from the time the responder accepts the connection until
the complete request is received.

=item B<-multi process-count>

Run the specified number of OCSP responder child processes, with the parent
process respawning child processes as needed.
Child processes will detect changes in the CA index file and automatically
reload it.
When running as a responder the B<-timeout> option is recommended to limit the
time each child is willing to wait for the client's OCSP request.
This option is available on POSIX systems (that support the fork() and other
required unix system-calls).

=item B<-CAfile file>, B<-CApath pathname>

File or pathname containing trusted CA certificates. These are used to verify
the signature on the OCSP response.

=item B<-no-CAfile>

Do not load the trusted CA certificates from the default file location.

=item B<-no-CApath>

Do not load the trusted CA certificates from the default directory location.

=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
B<-inhibit_map>, B<-no_alt_chains>, B<-no_check_time>, B<-partial_chain>, B<-policy>,
B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
B<-verify_ip>, B<-verify_name>, B<-x509_strict>

Set different certificate verification options.
See the L<verify(1)> manual page for details.

=item B<-verify_other file>

File containing additional certificates to search when attempting to locate
the OCSP response signing certificate. Some responders omit the actual signer's
certificate from the response: this option can be used to supply the necessary
certificate in such cases.

=item B<-trust_other>

The certificates specified by the B<-verify_other> option should be explicitly
trusted and no additional checks will be performed on them. This is useful
when the complete responder certificate chain is not available or trusting a
root CA is not appropriate.

=item B<-VAfile file>

File containing explicitly trusted responder certificates. Equivalent to the
B<-verify_other> and B<-trust_other> options.

=item B<-noverify>

Don't attempt to verify the OCSP response signature or the nonce
values. This option will normally only be used for debugging since it
disables all verification of the responder's certificate.

=item B<-no_intern>

Ignore certificates contained in the OCSP response when searching for the
signer's certificate. With this option the signer's certificate must be specified
with either the B<-verify_other> or B<-VAfile> options.

=item B<-no_signature_verify>

Don't check the signature on the OCSP response. Since this option
tolerates invalid signatures on OCSP responses it will normally only be
used for testing purposes.

=item B<-no_cert_verify>

Don't verify the OCSP response signer's certificate at all. Since this
option allows the OCSP response to be signed by any certificate it should
only be used for testing purposes.

=item B<-no_chain>

Do not use certificates in the response as additional untrusted CA
certificates.

=item B<-no_explicit>

Do not explicitly trust the root CA if it is set to be trusted for OCSP signing.

=item B<-no_cert_checks>

Don't perform any additional checks on the OCSP response signer's certificate.
That is, do not make any checks to see if the signer's certificate is authorised
to provide the necessary status information: as a result this option should
only be used for testing purposes.

=item B<-validity_period nsec>, B<-status_age age>

These options specify the range of times, in seconds, which will be tolerated
in an OCSP response. Each certificate status response includes a B<thisUpdate>
time and an optional B<nextUpdate> time. The current time should fall between
these two values, but the interval between the two times may be only a few
seconds. In practice the responder's and the client's clocks may not be
precisely synchronised and so such a check may fail. To avoid this the
B<-validity_period> option can be used to specify an acceptable error range in
seconds; the default value is 5 minutes.

If the B<nextUpdate> time is omitted from a response then this means that new
status information is immediately available. In this case the age of the
B<thisUpdate> field is checked to see that it is not older than B<age> seconds.
By default this additional check is not performed.

=item B<-rcid I<digest>>

This option sets the digest algorithm to use for certificate identification
in the OCSP response. Any digest supported by the OpenSSL B<dgst> command can
be used. The default is the same digest algorithm used in the request.

=item B<-I<digest>>

This option sets the digest algorithm to use for certificate identification in the
OCSP request. Any digest supported by the OpenSSL B<dgst> command can be used.
The default is SHA-1. This option may be used multiple times to specify the
digest used by subsequent certificate identifiers.

=back

=head2 OCSP Server Options

=over 4

=item B<-index indexfile>

The B<indexfile> parameter is the name of a text index file in B<ca>
format containing certificate revocation information.

If the B<-index> option is specified the B<ocsp> utility is in responder
mode, otherwise it is in client mode. The request(s) the responder
processes can be either specified on the command line (using the B<-issuer>
and B<-serial> options), supplied in a file (using the B<-reqin> option)
or via external OCSP clients (if B<-port> or B<-url> is specified).

If the B<-index> option is present then the B<-CA> and B<-rsigner> options
must also be present.

=item B<-CA file>

CA certificate corresponding to the revocation information in B<indexfile>.

=item B<-rsigner file>

The certificate to sign OCSP responses with.

=item B<-rother file>

Additional certificates to include in the OCSP response.

=item B<-resp_no_certs>

Don't include any certificates in the OCSP response.

=item B<-resp_key_id>

Identify the signer certificate using the key ID; the default is to use the
subject name.

=item B<-rkey file>

The private key to sign OCSP responses with: if not present the file
specified in the B<-rsigner> option is used.

=item B<-rsigopt nm:v>

Pass options to the signature algorithm when signing OCSP responses.
Names and values of these options are algorithm-specific.

=item B<-port portnum>

Port to listen for OCSP requests on. The port may also be specified
using the B<-url> option.

=item B<-ignore_err>

Ignore malformed requests or responses: when acting as an OCSP client, retry if
a malformed response is received. When acting as an OCSP responder, continue
running instead of terminating upon receiving a malformed request.

=item B<-nrequest number>

The OCSP server will exit after receiving B<number> requests; the default is
unlimited.

=item B<-nmin minutes>, B<-ndays days>

Number of minutes or days when fresh revocation information is available:
used in the B<nextUpdate> field. If neither option is present then the
B<nextUpdate> field is omitted, meaning fresh revocation information is
immediately available.

=back

=head1 OCSP RESPONSE VERIFICATION

OCSP response verification follows the rules specified in RFC 2560 (now
RFC 6960).

Initially the OCSP responder certificate is located and the signature on
the OCSP response checked using the responder certificate's public key.

Then a normal certificate verify is performed on the OCSP responder certificate
building up a certificate chain in the process. The locations of the trusted
certificates used to build the chain can be specified by the B<-CAfile>
and B<-CApath> options or they will be looked for in the standard OpenSSL
certificates directory.

If the initial verify fails then the OCSP verify process halts with an
error.

Otherwise the issuing CA certificate in the request is compared to the OCSP
responder certificate: if there is a match then the OCSP verify succeeds.

Otherwise the OCSP responder certificate's CA is checked against the issuing
CA certificate in the request. If there is a match and the OCSPSigning
extended key usage is present in the OCSP responder certificate then the
OCSP verify succeeds.

Otherwise, if B<-no_explicit> is B<not> set, the root CA of the OCSP responder's
CA is checked to see if it is trusted for OCSP signing. If it is, the OCSP
verify succeeds.

If none of these checks is successful then the OCSP verify fails.

What this effectively means is that if the OCSP responder certificate is
authorised directly by the CA it is issuing revocation information about
(and it is correctly configured) then verification will succeed.

If the OCSP responder is a "global responder" which can give details about
multiple CAs and has its own separate certificate chain then its root
CA can be trusted for OCSP signing. For example:

 openssl x509 -in ocspCA.pem -addtrust OCSPSigning -out trustedCA.pem

Alternatively the responder certificate itself can be explicitly trusted
with the B<-VAfile> option.

=head1 NOTES

As noted, most of the verify options are for testing or debugging purposes.
Normally only the B<-CApath>, B<-CAfile> and (if the responder is a 'global
VA') B<-VAfile> options need to be used.

The OCSP server is only useful for test and demonstration purposes: it is
not really usable as a full OCSP responder. It contains only very
simple HTTP request handling and can only handle the POST form of OCSP
queries. Unless B<-multi> is used it also handles requests serially, meaning
it cannot respond to new requests until it has processed the current one. The
text index file format of revocation is also inefficient for large quantities
of revocation data.

It is possible to run the B<ocsp> application in responder mode via a CGI
script using the B<-reqin> and B<-respout> options.

=head1 EXAMPLES

Create an OCSP request and write it to a file:

 openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der

Send a query to an OCSP responder with URL http://ocsp.myhost.com/, save the
response to a file, print it out in text form, and verify the response:

 openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \
     -url http://ocsp.myhost.com/ -resp_text -respout resp.der

Read in an OCSP response and print out its text form:

 openssl ocsp -respin resp.der -text -noverify

OCSP server on port 8888 using a standard B<ca> configuration, and a separate
responder certificate. All requests and responses are printed to a file.

 openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem \
     -CA demoCA/cacert.pem -text -out log.txt

As above but exit after processing one request:

 openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem \
     -CA demoCA/cacert.pem -nrequest 1

Query status information using an internally generated request:

 openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem \
     -issuer demoCA/cacert.pem -serial 1

Query status information using a request read from a file, and write the
response to a second file:

 openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem \
     -reqin req.der -respout resp.der
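
The examples above are fragments. The following script, added here as an
illustration and not part of the OpenSSL documentation or sources, runs the
request, respond and verify cycle end to end against a throwaway CA built in a
temporary directory. Everything it relies on is constructed inside the script
and is an assumption for the demo: the CA, the certificate and key file names,
the subject names, the serial numbers 0x1001, 0x1002 and 0x2001, and the two
B<ca>-format index rows (one valid, one revoked). It only assumes an B<openssl>
binary on the PATH. It also exercises the rule from the verification section
that a certificate the CA issued without the OCSPSigning extended key usage is
not accepted as a response signer.

```shell
#!/bin/sh
# Added example, not part of the OpenSSL documentation or sources: the
# request -> responder -> verify cycle from the EXAMPLES section, run end
# to end against a throwaway CA. The CA, the certificate names, the serial
# numbers 0x1001/0x1002/0x2001 and the index.txt rows are constructed here
# for the demo; nothing is sent over the network.
set -eu

# Build the demo PKI in $1: a CA, two end-entity certs (one of which the
# index marks revoked) and a delegated responder cert carrying the
# OCSPSigning EKU that the verification rules require of a signer that
# is not the CA itself.
ocsp_demo_setup() {
    dir=$1
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
[ ee_ext ]
extendedKeyUsage = serverAuth
[ ocsp_ext ]
keyUsage = critical, digitalSignature
extendedKeyUsage = OCSPSigning
EOF
    openssl req -x509 -batch -config "$dir/openssl.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -days 30 -subj "/CN=Demo OCSP CA" 2>/dev/null
    # name, serial (hex) and extension section of each leaf certificate
    for spec in "good 1001 ee_ext" "revoked 1002 ee_ext" "responder 2001 ocsp_ext"; do
        set -- $spec
        openssl req -new -batch -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
            -keyout "$dir/$1.key" -out "$dir/$1.csr" -subj "/CN=$1.example" 2>/dev/null
        openssl x509 -req -in "$dir/$1.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
            -set_serial "0x$2" -days 30 -extfile "$dir/openssl.cnf" -extensions "$3" \
            -out "$dir/$1.pem" 2>/dev/null
    done
    # ca(1) index rows, tab separated: status, expiry, revocation time
    # (empty for a valid entry), serial as upper-case hex without 0x, file
    # name, subject. The dates are made up.
    printf 'V\t350101000000Z\t\t1001\tunknown\t/CN=good.example\n' > "$dir/index.txt"
    printf 'R\t350101000000Z\t240101000000Z\t1002\tunknown\t/CN=revoked.example\n' >> "$dir/index.txt"
}

# Client, step 1: build a request for "$dir/$2.pem" and save it as DER in
# $3 without sending it (the -reqout form). The request gets a nonce.
ocsp_demo_request() {
    dir=$1; name=$2; req=$3
    openssl ocsp -issuer "$dir/ca.pem" -cert "$dir/$name.pem" -reqout "$req" 2>/dev/null || true
    [ -s "$req" ]
}

# Responder: answer the DER request $2 from index.txt with the key of
# "$dir/$4" and write the DER response to $3 (the -reqin/-respout form).
# The response echoes the request nonce and carries the signer cert.
ocsp_demo_respond() {
    dir=$1; req=$2; resp=$3; signer=$4
    openssl ocsp -index "$dir/index.txt" -CA "$dir/ca.pem" \
        -rsigner "$dir/$signer.pem" -rkey "$dir/$signer.key" -ndays 1 \
        -reqin "$req" -respout "$resp" 2>/dev/null || true
    [ -s "$resp" ]
}

# Client, step 2: verify the saved response $3 against the CA and print
# the status reported for "$2.pem": good, revoked or unknown when the
# signature and the signer are accepted, "rejected" otherwise. -no_nonce
# keeps this fresh request nonce-free; a nonce present only in the
# response is accepted, a mismatching one would be a "Nonce Verify error".
ocsp_demo_verify() {
    dir=$1; name=$2; resp=$3
    log="$dir/verify.log"
    if out=$(cd "$dir" && openssl ocsp -issuer ca.pem -cert "$name.pem" -no_nonce \
                -respin "$resp" -CAfile ca.pem 2>"$log") \
       && grep -q 'Response verify OK' "$log"; then
        printf '%s\n' "$out" | sed -n "s/^$name\\.pem: //p" | head -n 1
    else
        echo rejected
    fi
}

# Whole cycle for one certificate with "$dir/$3" as the response signer.
ocsp_demo_status() {
    dir=$1; name=$2; signer=$3
    req="$dir/$name.$signer.req.der"; resp="$dir/$name.$signer.resp.der"
    ocsp_demo_request "$dir" "$name" "$req"
    ocsp_demo_respond "$dir" "$req" "$resp" "$signer"
    ocsp_demo_verify "$dir" "$name" "$resp"
}

demo_dir=$(mktemp -d)
trap "rm -rf '$demo_dir'" EXIT
ocsp_demo_setup "$demo_dir"
echo "good.pem, responder cert:     $(ocsp_demo_status "$demo_dir" good responder)"
echo "revoked.pem, responder cert:  $(ocsp_demo_status "$demo_dir" revoked responder)"
# A certificate the CA issued without the OCSPSigning EKU is not authorised
# to vouch for its siblings, so the client must refuse this response.
echo "good.pem, signed by good.pem: $(ocsp_demo_status "$demo_dir" good good)"
```

Run stand-alone it prints C<good>, C<revoked> and C<rejected> for the three
cases; the third one fails with "Response Verify Failure" in the saved
verify.log because the signer has no OCSPSigning usage and the root is not
explicitly trusted for OCSP signing. The files it leaves in the temporary
directory (index.txt, ca.pem, responder.pem and responder.key) are exactly what
the networked forms above need: start the responder with B<-port> and query it
with B<-url> instead of the B<-reqin>/B<-respout> pair.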

=head1 HISTORY

The B<-no_alt_chains> option was added in OpenSSL 1.1.0.

=head1 COPYRIGHT

Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut