LinuxCommandLibrary

ocsp.1s

Query OCSP responder for certificate revocation status

SYNOPSIS

openssl ocsp [options]

PARAMETERS

-CAfile
    Trusted CA certificates

-cert
    The certificate to check

-issuer
    The issuer certificate of the certificate being checked.

-noverify
    Do not verify the OCSP response's signature

-no_nonce
    Do not include a nonce in the OCSP request

-resp_no_certs
    Do not include certificates in the OCSP response

-reqin
    OCSP request file

-respin
    OCSP response file

-url
    OCSP responder URL

-index
    CA database index file.

-CA
    Trusted CA certificates directory

-serial
    The serial number of the certificate to check

DESCRIPTION

The ocsp command, invoked as openssl ocsp, is a command-line tool for querying OCSP (Online Certificate Status Protocol) responders for the revocation status of digital certificates.
It lets users verify whether a certificate is still valid or has been revoked by the issuing Certificate Authority (CA). Options specify the OCSP responder URL, the certificate to be checked, the issuer certificate, and other parameters that customize the OCSP request. It is commonly used in automated systems or scripts to ensure that only valid certificates are trusted.
When it queries a responder, ocsp retrieves a digitally signed response indicating the certificate's status (good, revoked, or unknown) and validates that response to confirm its authenticity and integrity. This makes ocsp an important tool for maintaining secure communication and verifying the trustworthiness of certificates, especially where real-time revocation checking is critical. It supports both GET and POST requests to OCSP responders. Configuring the command properly requires an understanding of OCSP and the PKI (Public Key Infrastructure) environment.

CAVEATS

The command relies on the OCSP responder being available and properly configured. Incorrect configuration can lead to false positives or false negatives regarding certificate revocation status.
Ensure that the OCSP responder URL is correct and the necessary certificates are available for verification.

ERROR HANDLING

Common errors include issues with network connectivity to the OCSP responder, certificate validation failures, or incorrect parameter specifications. Always check the error messages and consult the OpenSSL documentation for guidance.

EXAMPLES

Basic OCSP request:
openssl ocsp -CAfile ca.pem -issuer issuer.pem -cert client.pem -url http://ocsp.example.com

This example checks the revocation status of client.pem, using issuer.pem as its issuer certificate and ca.pem as the trusted CA, and queries the OCSP responder at http://ocsp.example.com. Note that -issuer must be given before the -cert it applies to, since each -cert is bound to the most recently specified issuer.
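As an added, self-contained walkthrough (not part of the original page), the script below runs the complete request/response cycle offline with a throwaway CA: openssl ocsp first writes a request (-reqout), then acts as the responder against a CA index file (-index, -CA, -reqin, -respout), and finally verifies the stored response as a relying party (-respin, -CAfile, -issuer, -cert). All file names, serial numbers and index contents are constructed for the demo.

```sh
#!/bin/sh
# Constructed offline walk through the ocsp cycle described above: the same
# openssl ocsp binary acts as the responder (-index, -CA, -reqin, -respout) and
# as the relying party (-respin, -CAfile, -issuer, -cert). Only the openssl CLI
# is needed; every key, certificate, serial and name is throwaway demo material.
set -eu

# Issue a leaf certificate from the throwaway CA with a chosen serial number.
issue_leaf() {   # $1 = file stem and CN, $2 = serial in hex
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -set_serial "$2" \
    -sha256 -days 30 -out "$1.pem" 2>/dev/null
}

# Build the CA, one good and one revoked leaf, a CA index, then run the
# request/response/verify cycle. Prints "<file>: <status>" per certificate,
# exactly as openssl ocsp reports it.
ocsp_demo() {
  work=$(mktemp -d); cd "$work"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Demo OCSP CA" -keyout ca.key -out ca.pem 2>/dev/null
  issue_leaf good 0x1001
  issue_leaf revoked 0x1002

  # -index file, one line per certificate, six tab-separated columns:
  # status (V/R), expiry, revocation date[,reason], serial, file, subject.
  # Serials must match "openssl x509 -serial"; the expiry column is not read
  # by the responder, so a placeholder date is used here.
  s1=$(openssl x509 -in good.pem -noout -serial | cut -d= -f2)
  s2=$(openssl x509 -in revoked.pem -noout -serial | cut -d= -f2)
  printf 'V\t991231235959Z\t\t%s\tunknown\t/CN=good\n' "$s1" >index.txt
  printf 'R\t991231235959Z\t240101120000Z,keyCompromise\t%s\tunknown\t/CN=revoked\n' \
    "$s2" >>index.txt

  # 1. Relying party: DER request covering both leafs; -no_nonce keeps it
  #    reproducible so the stored file can be answered or replayed later.
  openssl ocsp -issuer ca.pem -cert good.pem -cert revoked.pem -no_nonce \
    -reqout req.der >/dev/null
  # 2. Responder: answer the stored request from the index, signing with the
  #    CA key (a production responder would normally use a delegated signer).
  openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
    -CAfile ca.pem -reqin req.der -respout resp.der >/dev/null 2>&1
  # 3. Relying party: check the signature against -CAfile, then read the
  #    per-certificate status ("Response verify OK" goes to stderr).
  openssl ocsp -respin resp.der -CAfile ca.pem -issuer ca.pem -no_nonce \
    -cert good.pem -cert revoked.pem 2>/dev/null | grep -E '^[a-z]+\.pem: '
}
```

Running ocsp_demo prints good.pem: good and revoked.pem: revoked; dropping -CAfile from step 3 makes the signature check fail, which is the behaviour -noverify would otherwise mask.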

SEE ALSO

openssl(1), x509(1)
