OCSP request, and it should contain the OCSP request in binary DER
format.
-@smallexample
+@example
$ ocsptool -i -Q ocsp-request.der
-@end smallexample
+@end example
The input file may also be sent to standard input like this:
-@smallexample
+@example
$ cat ocsp-request.der | ocsptool --request-info
-@end smallexample
+@end example
@subheading Print information about an OCSP response
Similar to parsing OCSP requests, OCSP responses can be parsed using
the @code{-j} or @code{--response-info} as follows.
-@smallexample
+@example
$ ocsptool -j -Q ocsp-response.der
$ cat ocsp-response.der | ocsptool --response-info
-@end smallexample
+@end example
@subheading Generate an OCSP request
format is used for these files, although @code{--inder} can be used to
specify that the input files are in DER format.
-@smallexample
+@example
$ ocsptool -q --load-issuer issuer.pem --load-cert client.pem --outfile ocsp-request.der
-@end smallexample
+@end example
When generating OCSP requests, the tool will add an OCSP extension
containing a nonce. This behaviour can be disabled by specifying
certificate needs to be in the set of trust anchors and the OCSP
Extended Key Usage bit has to be asserted in the signer certificate.
-@smallexample
+@example
$ ocsptool -e --load-trust issuer.pem --load-response ocsp-response.der
-@end smallexample
+@end example
The tool will print status of verification.
one certificate and it will be used to verify the signature in the
OCSP response. It will not check the Extended Key Usage bit.
-@smallexample
+@example
$ ocsptool -e --load-signer ocsp-signer.pem --load-response ocsp-response.der
-@end smallexample
+@end example
This approach is normally only relevant in two situations. The first
is when the OCSP response does not contain a copy of the signer
copy of the server certificate chain. The server is not required to
send this information, but this particular one is configured to do so.
-@smallexample
+@example
$ echo | gnutls-cli -p 443 blog.josefsson.org --print-cert > chain.pem
-@end smallexample
+@end example
Use a text editor on @code{chain.pem} to create three files for each
separate certificates, called @code{cert.pem} for the first
extension. For example, from @code{certtool -i < cert.pem} there is
this information:
-@smallexample
+@example
Authority Information Access Information (not critical):
Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
Access Location URI: http://ocsp.CAcert.org/
-@end smallexample
+@end example
This means the CA support OCSP queries over HTTP. We are now ready to
create a OCSP request for the certificate.
-@smallexample
+@example
$ ocsptool --generate-request --load-issuer issuer.pem --load-cert cert.pem --outfile ocsp-request.der
-@end smallexample
+@end example
The request is sent base64 encoded via HTTP to the address indicated
by the id-ad-ocsp extension, as follows.
-@smallexample
+@example
$ wget -O ocsp-response.der http://ocsp.CAcert.org/$(base64 -w0 ocsp-request.der)
-@end smallexample
+@end example
The OCSP response is now in the file @code{ocsp-response.der} and you
can view it using @code{ocsptool -j < ocsp-response.der}. To verify
the signature you need to load the issuer as the trust anchor.
-@smallexample
+@example
$ ocsptool --verify-response --load-trust issuer.pem --load-response ocsp-response.der
Verifying OCSP Response: Success.
$
-@end smallexample
+@end example
This particular OCSP responder includes its signer certificate in the
OCSP respnose, so you may extract it and use it together with
@code{--load-signer} for verifying the signature directly against the
certificate.
-@smallexample
+@example
$ ocsptool -j < ocsp-response.der > signer.pem
$ ocsptool --verify-response --load-signer signer.pem --load-response ocsp-response.der
Verifying OCSP Response: Success.
$
-@end smallexample
+@end example
You may experiment passing different certificates to
@code{--load-trust} and @code{--load-signer} to find common error
the License in the document and put the following copyright and
license notices just after the title page:
-@smallexample
+@example
@group
Copyright (C) @var{year} @var{your name}.
Permission is granted to copy, distribute and/or modify this document
Texts. A copy of the license is included in the section entitled ``GNU
Free Documentation License''.
@end group
-@end smallexample
+@end example
If you have Invariant Sections, Front-Cover Texts and Back-Cover Texts,
replace the ``with@dots{}Texts.''@: line with this:
-@smallexample
+@example
@group
with the Invariant Sections being @var{list their titles}, with
the Front-Cover Texts being @var{list}, and with the Back-Cover Texts
being @var{list}.
@end group
-@end smallexample
+@end example
If you have Invariant Sections without Cover Texts, or some other
combination of the three, merge those two alternatives to suit the