NAME
ocsp - Query OCSP responder for certificate revocation status
SYNOPSIS
ocsp [options]
PARAMETERS
-CAfile
Trusted CA certificates
-cert
The certificate to check
-issuer
The issuer certificate of the certificate being checked
-noverify
Do not verify the OCSP response's signature
-no_nonce
Do not include a nonce in the OCSP request
-resp_no_certs
Do not include certificates in the OCSP response
-reqin
OCSP request file
-respin
OCSP response file
-url
OCSP responder URL
-index
CA database index file
-CA
Trusted CA certificates directory
-serial
The serial number of the certificate to check
DESCRIPTION
The ocsp command is a command-line tool used to query OCSP (Online Certificate Status Protocol) responders for the revocation status of digital certificates.
It allows users to verify whether a certificate is still valid or has been revoked by the issuing Certificate Authority (CA). The command provides various options to specify the OCSP responder URL, the certificate to be checked, the issuer certificate, and other parameters to customize the OCSP request. It is commonly used in automated systems or scripts to ensure that only valid certificates are trusted.
By querying an OCSP responder, ocsp retrieves a digitally signed response indicating the certificate's status (good, revoked, or unknown). This response is then validated to ensure authenticity and integrity. The ocsp command is an essential tool for maintaining secure communication and verifying the trustworthiness of certificates in various applications, especially where real-time revocation checking is critical. It supports both GET and POST requests to OCSP responders. Properly configuring the command requires an understanding of OCSP and the PKI (Public Key Infrastructure) environment.
CAVEATS
The command relies on the OCSP responder being available and properly configured. Incorrect configuration can produce a wrong verdict in either direction: a revoked certificate reported as good, or a valid certificate reported as revoked.
Ensure that the OCSP responder URL is correct and the necessary certificates are available for verification.
ERROR HANDLING
Common errors include issues with network connectivity to the OCSP responder, certificate validation failures, or incorrect parameter specifications. Always check the error messages and consult the OpenSSL documentation for guidance.
EXAMPLES
Basic OCSP request:
ocsp -CAfile ca.pem -cert client.pem -issuer issuer.pem -url http://ocsp.example.com
This example checks the revocation status of client.pem, using issuer.pem as the issuer certificate and ca.pem as the trusted CA, and queries the OCSP responder at http://ocsp.example.com.
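The example above prints a human-readable verdict; a script that consumes it has to decide what counts as "trusted". The following wrapper is an added example written for this page, not code from the page or from OpenSSL. It assumes the page's ocsp command is OpenSSL's openssl ocsp subcommand (as SEE ALSO suggests) and that its output has the shape OpenSSL prints: a "Response verify OK" line when the response signature verified, followed by "<cert file>: good|revoked|unknown". The wrapper requires both conditions before accepting a certificate, so a response whose signature did not verify, a responder error, or a network failure all fail closed, which is the point raised under CAVEATS and ERROR HANDLING. The sample outputs embedded at the end are constructed to exercise the classifier offline; the file names and URL are the ones used in EXAMPLES.

```shell
#!/bin/sh
# Added example (not part of the ocsp page or of OpenSSL): a fail-closed
# wrapper around the query shown in EXAMPLES. A certificate is accepted only
# when the responder's signature verified AND the reported status is "good".
# The strings matched below ("Response verify OK", "<cert>: good",
# "Responder Error: ...") are the ones OpenSSL's ocsp subcommand prints.

# classify_ocsp_output NAME OUTPUT
# Reduce the text printed by ocsp to one word: good, revoked, unknown or error.
# NAME is the file that was given to -cert; ocsp prefixes the status line with it.
classify_ocsp_output() {
    name=$1
    output=$2

    # Without a verified signature the status line is untrusted whatever it
    # says: anyone able to answer the query could reply "good".
    case "$output" in
        *"Response verify OK"*) ;;
        *) printf 'error\n'; return 0 ;;
    esac

    case "$output" in
        *"$name: good"*)    printf 'good\n' ;;
        *"$name: revoked"*) printf 'revoked\n' ;;
        *"$name: unknown"*) printf 'unknown\n' ;;
        *)                  printf 'error\n' ;;
    esac
}

# check_cert CERT ISSUER CAFILE URL
# Run the query from EXAMPLES and succeed (exit 0) only for a verified "good".
# Revoked, unknown, a responder error, a network failure and a signature
# verification failure all return non-zero, so a caller gating on the exit
# status fails closed. The exit status of ocsp itself is deliberately not
# used as the verdict; the printed "Response verify OK" line is required.
check_cert() {
    cert=$1; issuer=$2; cafile=$3; url=$4
    out=$(openssl ocsp -CAfile "$cafile" -issuer "$issuer" -cert "$cert" \
              -url "$url" 2>&1) || true
    status=$(classify_ocsp_output "$cert" "$out")
    printf '%s: %s\n' "$cert" "$status"
    [ "$status" = good ]
}

# Constructed sample outputs in the shape ocsp prints, so the classifier can
# be exercised without a live responder.
SAMPLE_GOOD='Response verify OK
client.pem: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  2 00:00:00 2024 GMT'

SAMPLE_REVOKED='Response verify OK
client.pem: revoked
    This Update: Jan  1 00:00:00 2024 GMT
    Reason: keyCompromise
    Revocation Time: Dec 31 12:00:00 2023 GMT'

# Signature did not verify: the trailing "good" line must NOT be believed.
# (The error line is a constructed placeholder in OpenSSL's error format.)
SAMPLE_BAD_SIG='Response Verify Failure
error:<code>:OCSP routines:OCSP_basic_verify:certificate verify error
client.pem: good'

SAMPLE_RESPONDER_ERR='Responder Error: unauthorized (6)'

SAMPLE_NETWORK_ERR='Error querying OCSP responder'

# Usage: sh ocsp_check.sh client.pem issuer.pem ca.pem http://ocsp.example.com
if [ $# -eq 4 ]; then
    check_cert "$@"
fi
```

Run as shown in the usage comment and gate on the exit status. Note that -noverify is never passed: it would make the "Response verify OK" line appear without any signature check, defeating the first test in classify_ocsp_output.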
SEE ALSO
openssl(1), x509(1)