diff options
Diffstat (limited to 'secure/usr.bin/openssl/man/ocsp.1')
-rw-r--r-- | secure/usr.bin/openssl/man/ocsp.1 | 584 |
1 files changed, 0 insertions, 584 deletions
diff --git a/secure/usr.bin/openssl/man/ocsp.1 b/secure/usr.bin/openssl/man/ocsp.1 deleted file mode 100644 index 218af7beb0c4..000000000000 --- a/secure/usr.bin/openssl/man/ocsp.1 +++ /dev/null @@ -1,584 +0,0 @@ -.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{\ -. if \nF \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "OCSP 1" -.TH OCSP 1 "2022-05-03" "1.1.1o" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -openssl\-ocsp, ocsp \- Online Certificate Status Protocol utility -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBocsp\fR -[\fB\-help\fR] -[\fB\-out file\fR] -[\fB\-issuer file\fR] -[\fB\-cert file\fR] -[\fB\-serial n\fR] -[\fB\-signer file\fR] -[\fB\-signkey file\fR] -[\fB\-sign_other file\fR] -[\fB\-no_certs\fR] -[\fB\-req_text\fR] -[\fB\-resp_text\fR] -[\fB\-text\fR] -[\fB\-reqout file\fR] -[\fB\-respout file\fR] -[\fB\-reqin file\fR] -[\fB\-respin file\fR] -[\fB\-nonce\fR] -[\fB\-no_nonce\fR] -[\fB\-url \s-1URL\s0\fR] -[\fB\-host host:port\fR] -[\fB\-multi process-count\fR] -[\fB\-header\fR] -[\fB\-path\fR] -[\fB\-CApath dir\fR] -[\fB\-CAfile file\fR] -[\fB\-no\-CAfile\fR] -[\fB\-no\-CApath\fR] -[\fB\-attime timestamp\fR] -[\fB\-check_ss_sig\fR] -[\fB\-crl_check\fR] -[\fB\-crl_check_all\fR] -[\fB\-explicit_policy\fR] -[\fB\-extended_crl\fR] -[\fB\-ignore_critical\fR] -[\fB\-inhibit_any\fR] -[\fB\-inhibit_map\fR] -[\fB\-no_check_time\fR] -[\fB\-partial_chain\fR] -[\fB\-policy arg\fR] -[\fB\-policy_check\fR] -[\fB\-policy_print\fR] -[\fB\-purpose purpose\fR] -[\fB\-suiteB_128\fR] -[\fB\-suiteB_128_only\fR] -[\fB\-suiteB_192\fR] -[\fB\-trusted_first\fR] -[\fB\-no_alt_chains\fR] -[\fB\-use_deltas\fR] -[\fB\-auth_level num\fR] -[\fB\-verify_depth num\fR] -[\fB\-verify_email email\fR] -[\fB\-verify_hostname hostname\fR] -[\fB\-verify_ip ip\fR] -[\fB\-verify_name name\fR] -[\fB\-x509_strict\fR] -[\fB\-VAfile file\fR] -[\fB\-validity_period n\fR] -[\fB\-status_age n\fR] -[\fB\-noverify\fR] -[\fB\-verify_other file\fR] -[\fB\-trust_other\fR] -[\fB\-no_intern\fR] -[\fB\-no_signature_verify\fR] -[\fB\-no_cert_verify\fR] -[\fB\-no_chain\fR] -[\fB\-no_cert_checks\fR] -[\fB\-no_explicit\fR] -[\fB\-port num\fR] -[\fB\-ignore_err\fR] -[\fB\-index file\fR] -[\fB\-CA file\fR] -[\fB\-rsigner file\fR] -[\fB\-rkey file\fR] -[\fB\-rother file\fR] -[\fB\-rsigopt nm:v\fR] -[\fB\-resp_no_certs\fR] -[\fB\-nmin n\fR] -[\fB\-ndays n\fR] -[\fB\-resp_key_id\fR] -[\fB\-nrequest n\fR] -[\fB\-\f(BIdigest\fB\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The Online Certificate Status Protocol (\s-1OCSP\s0) enables applications to -determine the (revocation) state of an identified certificate (\s-1RFC 2560\s0). -.PP -The \fBocsp\fR command performs many common \s-1OCSP\s0 tasks. It can be used -to print out requests and responses, create requests and send queries -to an \s-1OCSP\s0 responder and behave like a mini \s-1OCSP\s0 server itself. -.SH "OPTIONS" -.IX Header "OPTIONS" -This command operates as either a client or a server. -The options are described below, divided into those two modes. -.SS "\s-1OCSP\s0 Client Options" -.IX Subsection "OCSP Client Options" -.IP "\fB\-help\fR" 4 -.IX Item "-help" -Print out a usage message. -.IP "\fB\-out filename\fR" 4 -.IX Item "-out filename" -specify output filename, default is standard output. -.IP "\fB\-issuer filename\fR" 4 -.IX Item "-issuer filename" -This specifies the current issuer certificate. This option can be used -multiple times. The certificate specified in \fBfilename\fR must be in -\&\s-1PEM\s0 format. This option \fB\s-1MUST\s0\fR come before any \fB\-cert\fR options. -.IP "\fB\-cert filename\fR" 4 -.IX Item "-cert filename" -Add the certificate \fBfilename\fR to the request. The issuer certificate -is taken from the previous \fBissuer\fR option, or an error occurs if no -issuer certificate is specified. -.IP "\fB\-serial num\fR" 4 -.IX Item "-serial num" -Same as the \fBcert\fR option except the certificate with serial number -\&\fBnum\fR is added to the request. The serial number is interpreted as a -decimal integer unless preceded by \fB0x\fR. Negative integers can also -be specified by preceding the value by a \fB\-\fR sign. -.IP "\fB\-signer filename\fR, \fB\-signkey filename\fR" 4 -.IX Item "-signer filename, -signkey filename" -Sign the \s-1OCSP\s0 request using the certificate specified in the \fBsigner\fR -option and the private key specified by the \fBsignkey\fR option. If -the \fBsignkey\fR option is not present then the private key is read -from the same file as the certificate. If neither option is specified then -the \s-1OCSP\s0 request is not signed. -.IP "\fB\-sign_other filename\fR" 4 -.IX Item "-sign_other filename" -Additional certificates to include in the signed request. -.IP "\fB\-nonce\fR, \fB\-no_nonce\fR" 4 -.IX Item "-nonce, -no_nonce" -Add an \s-1OCSP\s0 nonce extension to a request or disable \s-1OCSP\s0 nonce addition. -Normally if an \s-1OCSP\s0 request is input using the \fBreqin\fR option no -nonce is added: using the \fBnonce\fR option will force addition of a nonce. -If an \s-1OCSP\s0 request is being created (using \fBcert\fR and \fBserial\fR options) -a nonce is automatically added specifying \fBno_nonce\fR overrides this. -.IP "\fB\-req_text\fR, \fB\-resp_text\fR, \fB\-text\fR" 4 -.IX Item "-req_text, -resp_text, -text" -Print out the text form of the \s-1OCSP\s0 request, response or both respectively. -.IP "\fB\-reqout file\fR, \fB\-respout file\fR" 4 -.IX Item "-reqout file, -respout file" -Write out the \s-1DER\s0 encoded certificate request or response to \fBfile\fR. -.IP "\fB\-reqin file\fR, \fB\-respin file\fR" 4 -.IX Item "-reqin file, -respin file" -Read \s-1OCSP\s0 request or response file from \fBfile\fR. These option are ignored -if \s-1OCSP\s0 request or response creation is implied by other options (for example -with \fBserial\fR, \fBcert\fR and \fBhost\fR options). -.IP "\fB\-url responder_url\fR" 4 -.IX Item "-url responder_url" -Specify the responder \s-1URL.\s0 Both \s-1HTTP\s0 and \s-1HTTPS\s0 (\s-1SSL/TLS\s0) URLs can be specified. -.IP "\fB\-host hostname:port\fR, \fB\-path pathname\fR" 4 -.IX Item "-host hostname:port, -path pathname" -If the \fBhost\fR option is present then the \s-1OCSP\s0 request is sent to the host -\&\fBhostname\fR on port \fBport\fR. \fBpath\fR specifies the \s-1HTTP\s0 pathname to use -or \*(L"/\*(R" by default. This is equivalent to specifying \fB\-url\fR with scheme -http:// and the given hostname, port, and pathname. -.IP "\fB\-header name=value\fR" 4 -.IX Item "-header name=value" -Adds the header \fBname\fR with the specified \fBvalue\fR to the \s-1OCSP\s0 request -that is sent to the responder. -This may be repeated. -.IP "\fB\-timeout seconds\fR" 4 -.IX Item "-timeout seconds" -Connection timeout to the \s-1OCSP\s0 responder in seconds. -On \s-1POSIX\s0 systems, when running as an \s-1OCSP\s0 responder, this option also limits -the time that the responder is willing to wait for the client request. -This time is measured from the time the responder accepts the connection until -the complete request is received. -.IP "\fB\-multi process-count\fR" 4 -.IX Item "-multi process-count" -Run the specified number of \s-1OCSP\s0 responder child processes, with the parent -process respawning child processes as needed. -Child processes will detect changes in the \s-1CA\s0 index file and automatically -reload it. -When running as a responder \fB\-timeout\fR option is recommended to limit the time -each child is willing to wait for the client's \s-1OCSP\s0 response. -This option is available on \s-1POSIX\s0 systems (that support the \fBfork()\fR and other -required unix system-calls). -.IP "\fB\-CAfile file\fR, \fB\-CApath pathname\fR" 4 -.IX Item "-CAfile file, -CApath pathname" -File or pathname containing trusted \s-1CA\s0 certificates. These are used to verify -the signature on the \s-1OCSP\s0 response. -.IP "\fB\-no\-CAfile\fR" 4 -.IX Item "-no-CAfile" -Do not load the trusted \s-1CA\s0 certificates from the default file location -.IP "\fB\-no\-CApath\fR" 4 -.IX Item "-no-CApath" -Do not load the trusted \s-1CA\s0 certificates from the default directory location -.IP "\fB\-attime\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-no_check_time\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR" 4 -.IX Item "-attime, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -no_check_time, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict" -Set different certificate verification options. -See \fBverify\fR\|(1) manual page for details. -.IP "\fB\-verify_other file\fR" 4 -.IX Item "-verify_other file" -File containing additional certificates to search when attempting to locate -the \s-1OCSP\s0 response signing certificate. Some responders omit the actual signer's -certificate from the response: this option can be used to supply the necessary -certificate in such cases. -.IP "\fB\-trust_other\fR" 4 -.IX Item "-trust_other" -The certificates specified by the \fB\-verify_other\fR option should be explicitly -trusted and no additional checks will be performed on them. This is useful -when the complete responder certificate chain is not available or trusting a -root \s-1CA\s0 is not appropriate. -.IP "\fB\-VAfile file\fR" 4 -.IX Item "-VAfile file" -File containing explicitly trusted responder certificates. Equivalent to the -\&\fB\-verify_other\fR and \fB\-trust_other\fR options. -.IP "\fB\-noverify\fR" 4 -.IX Item "-noverify" -Don't attempt to verify the \s-1OCSP\s0 response signature or the nonce -values. This option will normally only be used for debugging since it -disables all verification of the responders certificate. -.IP "\fB\-no_intern\fR" 4 -.IX Item "-no_intern" -Ignore certificates contained in the \s-1OCSP\s0 response when searching for the -signers certificate. With this option the signers certificate must be specified -with either the \fB\-verify_other\fR or \fB\-VAfile\fR options. -.IP "\fB\-no_signature_verify\fR" 4 -.IX Item "-no_signature_verify" -Don't check the signature on the \s-1OCSP\s0 response. Since this option -tolerates invalid signatures on \s-1OCSP\s0 responses it will normally only be -used for testing purposes. -.IP "\fB\-no_cert_verify\fR" 4 -.IX Item "-no_cert_verify" -Don't verify the \s-1OCSP\s0 response signers certificate at all. Since this -option allows the \s-1OCSP\s0 response to be signed by any certificate it should -only be used for testing purposes. -.IP "\fB\-no_chain\fR" 4 -.IX Item "-no_chain" -Do not use certificates in the response as additional untrusted \s-1CA\s0 -certificates. -.IP "\fB\-no_explicit\fR" 4 -.IX Item "-no_explicit" -Do not explicitly trust the root \s-1CA\s0 if it is set to be trusted for \s-1OCSP\s0 signing. -.IP "\fB\-no_cert_checks\fR" 4 -.IX Item "-no_cert_checks" -Don't perform any additional checks on the \s-1OCSP\s0 response signers certificate. -That is do not make any checks to see if the signers certificate is authorised -to provide the necessary status information: as a result this option should -only be used for testing purposes. -.IP "\fB\-validity_period nsec\fR, \fB\-status_age age\fR" 4 -.IX Item "-validity_period nsec, -status_age age" -These options specify the range of times, in seconds, which will be tolerated -in an \s-1OCSP\s0 response. Each certificate status response includes a \fBnotBefore\fR -time and an optional \fBnotAfter\fR time. The current time should fall between -these two values, but the interval between the two times may be only a few -seconds. In practice the \s-1OCSP\s0 responder and clients clocks may not be precisely -synchronised and so such a check may fail. To avoid this the -\&\fB\-validity_period\fR option can be used to specify an acceptable error range in -seconds, the default value is 5 minutes. -.Sp -If the \fBnotAfter\fR time is omitted from a response then this means that new -status information is immediately available. In this case the age of the -\&\fBnotBefore\fR field is checked to see it is not older than \fBage\fR seconds old. -By default this additional check is not performed. -.IP "\fB\-\f(BIdigest\fB\fR" 4 -.IX Item "-digest" -This option sets digest algorithm to use for certificate identification in the -\&\s-1OCSP\s0 request. Any digest supported by the OpenSSL \fBdgst\fR command can be used. -The default is \s-1SHA\-1.\s0 This option may be used multiple times to specify the -digest used by subsequent certificate identifiers. -.SS "\s-1OCSP\s0 Server Options" -.IX Subsection "OCSP Server Options" -.IP "\fB\-index indexfile\fR" 4 -.IX Item "-index indexfile" -The \fBindexfile\fR parameter is the name of a text index file in \fBca\fR -format containing certificate revocation information. -.Sp -If the \fBindex\fR option is specified the \fBocsp\fR utility is in responder -mode, otherwise it is in client mode. The request(s) the responder -processes can be either specified on the command line (using \fBissuer\fR -and \fBserial\fR options), supplied in a file (using the \fBreqin\fR option) -or via external \s-1OCSP\s0 clients (if \fBport\fR or \fBurl\fR is specified). -.Sp -If the \fBindex\fR option is present then the \fB\s-1CA\s0\fR and \fBrsigner\fR options -must also be present. -.IP "\fB\-CA file\fR" 4 -.IX Item "-CA file" -\&\s-1CA\s0 certificate corresponding to the revocation information in \fBindexfile\fR. -.IP "\fB\-rsigner file\fR" 4 -.IX Item "-rsigner file" -The certificate to sign \s-1OCSP\s0 responses with. -.IP "\fB\-rother file\fR" 4 -.IX Item "-rother file" -Additional certificates to include in the \s-1OCSP\s0 response. -.IP "\fB\-resp_no_certs\fR" 4 -.IX Item "-resp_no_certs" -Don't include any certificates in the \s-1OCSP\s0 response. -.IP "\fB\-resp_key_id\fR" 4 -.IX Item "-resp_key_id" -Identify the signer certificate using the key \s-1ID,\s0 default is to use the -subject name. -.IP "\fB\-rkey file\fR" 4 -.IX Item "-rkey file" -The private key to sign \s-1OCSP\s0 responses with: if not present the file -specified in the \fBrsigner\fR option is used. -.IP "\fB\-rsigopt nm:v\fR" 4 -.IX Item "-rsigopt nm:v" -Pass options to the signature algorithm when signing \s-1OCSP\s0 responses. -Names and values of these options are algorithm-specific. -.IP "\fB\-port portnum\fR" 4 -.IX Item "-port portnum" -Port to listen for \s-1OCSP\s0 requests on. The port may also be specified -using the \fBurl\fR option. -.IP "\fB\-ignore_err\fR" 4 -.IX Item "-ignore_err" -Ignore malformed requests or responses: When acting as an \s-1OCSP\s0 client, retry if -a malformed response is received. When acting as an \s-1OCSP\s0 responder, continue -running instead of terminating upon receiving a malformed request. -.IP "\fB\-nrequest number\fR" 4 -.IX Item "-nrequest number" -The \s-1OCSP\s0 server will exit after receiving \fBnumber\fR requests, default unlimited. -.IP "\fB\-nmin minutes\fR, \fB\-ndays days\fR" 4 -.IX Item "-nmin minutes, -ndays days" -Number of minutes or days when fresh revocation information is available: -used in the \fBnextUpdate\fR field. If neither option is present then the -\&\fBnextUpdate\fR field is omitted meaning fresh revocation information is -immediately available. -.SH "OCSP Response verification." -.IX Header "OCSP Response verification." -\&\s-1OCSP\s0 Response follows the rules specified in \s-1RFC2560.\s0 -.PP -Initially the \s-1OCSP\s0 responder certificate is located and the signature on -the \s-1OCSP\s0 request checked using the responder certificate's public key. -.PP -Then a normal certificate verify is performed on the \s-1OCSP\s0 responder certificate -building up a certificate chain in the process. The locations of the trusted -certificates used to build the chain can be specified by the \fBCAfile\fR -and \fBCApath\fR options or they will be looked for in the standard OpenSSL -certificates directory. -.PP -If the initial verify fails then the \s-1OCSP\s0 verify process halts with an -error. -.PP -Otherwise the issuing \s-1CA\s0 certificate in the request is compared to the \s-1OCSP\s0 -responder certificate: if there is a match then the \s-1OCSP\s0 verify succeeds. -.PP -Otherwise the \s-1OCSP\s0 responder certificate's \s-1CA\s0 is checked against the issuing -\&\s-1CA\s0 certificate in the request. If there is a match and the OCSPSigning -extended key usage is present in the \s-1OCSP\s0 responder certificate then the -\&\s-1OCSP\s0 verify succeeds. -.PP -Otherwise, if \fB\-no_explicit\fR is \fBnot\fR set the root \s-1CA\s0 of the \s-1OCSP\s0 responders -\&\s-1CA\s0 is checked to see if it is trusted for \s-1OCSP\s0 signing. If it is the \s-1OCSP\s0 -verify succeeds. -.PP -If none of these checks is successful then the \s-1OCSP\s0 verify fails. -.PP -What this effectively means if that if the \s-1OCSP\s0 responder certificate is -authorised directly by the \s-1CA\s0 it is issuing revocation information about -(and it is correctly configured) then verification will succeed. -.PP -If the \s-1OCSP\s0 responder is a \*(L"global responder\*(R" which can give details about -multiple CAs and has its own separate certificate chain then its root -\&\s-1CA\s0 can be trusted for \s-1OCSP\s0 signing. For example: -.PP -.Vb 1 -\& openssl x509 \-in ocspCA.pem \-addtrust OCSPSigning \-out trustedCA.pem -.Ve -.PP -Alternatively the responder certificate itself can be explicitly trusted -with the \fB\-VAfile\fR option. -.SH "NOTES" -.IX Header "NOTES" -As noted, most of the verify options are for testing or debugging purposes. -Normally only the \fB\-CApath\fR, \fB\-CAfile\fR and (if the responder is a 'global -\&\s-1VA\s0') \fB\-VAfile\fR options need to be used. -.PP -The \s-1OCSP\s0 server is only useful for test and demonstration purposes: it is -not really usable as a full \s-1OCSP\s0 responder. It contains only a very -simple \s-1HTTP\s0 request handling and can only handle the \s-1POST\s0 form of \s-1OCSP\s0 -queries. It also handles requests serially meaning it cannot respond to -new requests until it has processed the current one. The text index file -format of revocation is also inefficient for large quantities of revocation -data. -.PP -It is possible to run the \fBocsp\fR application in responder mode via a \s-1CGI\s0 -script using the \fBreqin\fR and \fBrespout\fR options. -.SH "EXAMPLES" -.IX Header "EXAMPLES" -Create an \s-1OCSP\s0 request and write it to a file: -.PP -.Vb 1 -\& openssl ocsp \-issuer issuer.pem \-cert c1.pem \-cert c2.pem \-reqout req.der -.Ve -.PP -Send a query to an \s-1OCSP\s0 responder with \s-1URL\s0 http://ocsp.myhost.com/ save the -response to a file, print it out in text form, and verify the response: -.PP -.Vb 2 -\& openssl ocsp \-issuer issuer.pem \-cert c1.pem \-cert c2.pem \e -\& \-url http://ocsp.myhost.com/ \-resp_text \-respout resp.der -.Ve -.PP -Read in an \s-1OCSP\s0 response and print out text form: -.PP -.Vb 1 -\& openssl ocsp \-respin resp.der \-text \-noverify -.Ve -.PP -\&\s-1OCSP\s0 server on port 8888 using a standard \fBca\fR configuration, and a separate -responder certificate. All requests and responses are printed to a file. -.PP -.Vb 2 -\& openssl ocsp \-index demoCA/index.txt \-port 8888 \-rsigner rcert.pem \-CA demoCA/cacert.pem -\& \-text \-out log.txt -.Ve -.PP -As above but exit after processing one request: -.PP -.Vb 2 -\& openssl ocsp \-index demoCA/index.txt \-port 8888 \-rsigner rcert.pem \-CA demoCA/cacert.pem -\& \-nrequest 1 -.Ve -.PP -Query status information using an internally generated request: -.PP -.Vb 2 -\& openssl ocsp \-index demoCA/index.txt \-rsigner rcert.pem \-CA demoCA/cacert.pem -\& \-issuer demoCA/cacert.pem \-serial 1 -.Ve -.PP -Query status information using request read from a file, and write the response -to a second file. -.PP -.Vb 2 -\& openssl ocsp \-index demoCA/index.txt \-rsigner rcert.pem \-CA demoCA/cacert.pem -\& \-reqin req.der \-respout resp.der -.Ve -.SH "HISTORY" -.IX Header "HISTORY" -The \-no_alt_chains option was added in OpenSSL 1.1.0. -.SH "COPYRIGHT" -.IX Header "COPYRIGHT" -Copyright 2001\-2020 The OpenSSL Project Authors. All Rights Reserved. -.PP -Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use -this file except in compliance with the License. You can obtain a copy -in the file \s-1LICENSE\s0 in the source distribution or at -<https://www.openssl.org/source/license.html>. |