Merge branch 'vendor/OPENSSL'
e257b235 1.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05)
2.\"
3.\" Standard preamble:
4.\" ========================================================================
5.de Sh \" Subsection heading
6.br
7.if t .Sp
8.ne 5
9.PP
10\fB\\$1\fR
11.PP
12..
8b0cefbb 13.de Sp \" Vertical space (when we can't use .PP)
14.if t .sp .5v
15.if n .sp
16..
8b0cefbb 17.de Vb \" Begin verbatim text
18.ft CW
19.nf
20.ne \\$1
21..
8b0cefbb 22.de Ve \" End verbatim text
984263bc 23.ft R
24.fi
25..
26.\" Set up some character translations and predefined strings. \*(-- will
27.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
28.\" double quote, and \*(R" will give a right double quote. \*(C+ will
29.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
30.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
31.\" nothing in troff, for use with C<>.
32.tr \(*W-
8b0cefbb 33.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
984263bc 34.ie n \{\
35. ds -- \(*W-
36. ds PI pi
37. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
38. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
39. ds L" ""
40. ds R" ""
41. ds C` ""
42. ds C' ""
43'br\}
44.el\{\
45. ds -- \|\(em\|
46. ds PI \(*p
47. ds L" ``
48. ds R" ''
984263bc 49'br\}
8b0cefbb 50.\"
51.\" Escape single quotes in literal strings from groff's Unicode transform.
52.ie \n(.g .ds Aq \(aq
53.el .ds Aq '
54.\"
55.\" If the F register is turned on, we'll generate index entries on stderr for
56.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
57.\" entries marked with X<> in POD. Of course, you'll have to process the
58.\" output yourself in some meaningful fashion.
e257b235 59.ie \nF \{\
60. de IX
61. tm Index:\\$1\t\\n%\t"\\$2"
984263bc 62..
63. nr % 0
64. rr F
984263bc 65.\}
66.el \{\
67. de IX
68..
69.\}
aac4ff6f 70.\"
71.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
72.\" Fear. Run. Save yourself. No user-serviceable parts.
73. \" fudge factors for nroff and troff
984263bc 74.if n \{\
75. ds #H 0
76. ds #V .8m
77. ds #F .3m
78. ds #[ \f1
79. ds #] \fP
80.\}
81.if t \{\
82. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
83. ds #V .6m
84. ds #F 0
85. ds #[ \&
86. ds #] \&
984263bc 87.\}
8b0cefbb 88. \" simple accents for nroff and troff
984263bc 89.if n \{\
90. ds ' \&
91. ds ` \&
92. ds ^ \&
93. ds , \&
94. ds ~ ~
95. ds /
96.\}
97.if t \{\
98. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
99. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
100. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
101. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
102. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
103. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
984263bc 104.\}
8b0cefbb 105. \" troff and (daisy-wheel) nroff accents
106.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
107.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
108.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
109.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
110.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
111.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
112.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
113.ds ae a\h'-(\w'a'u*4/10)'e
114.ds Ae A\h'-(\w'A'u*4/10)'E
8b0cefbb 115. \" corrections for vroff
116.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
117.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
8b0cefbb 118. \" for low resolution devices (crt and lpr)
119.if \n(.H>23 .if \n(.V>19 \
120\{\
121. ds : e
122. ds 8 ss
123. ds o a
124. ds d- d\h'-1'\(ga
125. ds D- D\h'-1'\(hy
126. ds th \o'bp'
127. ds Th \o'LP'
128. ds ae ae
129. ds Ae AE
130.\}
131.rm #[ #] #H #V #F C
132.\" ========================================================================
133.\"
134.IX Title "OCSP 1"
fc468453 135.TH OCSP 1 "2010-02-27" "0.9.8m" "OpenSSL"
136.\" For nroff, turn off justification. Always turn off hyphenation; it makes
137.\" way too many mistakes in technical documents.
138.if n .ad l
139.nh
140.SH "NAME"
141ocsp \- Online Certificate Status Protocol utility
142.SH "SYNOPSIS"
143.IX Header "SYNOPSIS"
144\&\fBopenssl\fR \fBocsp\fR
145[\fB\-out file\fR]
146[\fB\-issuer file\fR]
147[\fB\-cert file\fR]
148[\fB\-serial n\fR]
149[\fB\-signer file\fR]
150[\fB\-signkey file\fR]
151[\fB\-sign_other file\fR]
152[\fB\-no_certs\fR]
153[\fB\-req_text\fR]
154[\fB\-resp_text\fR]
155[\fB\-text\fR]
156[\fB\-reqout file\fR]
157[\fB\-respout file\fR]
158[\fB\-reqin file\fR]
159[\fB\-respin file\fR]
160[\fB\-nonce\fR]
161[\fB\-no_nonce\fR]
8b0cefbb 162[\fB\-url \s-1URL\s0\fR]
163[\fB\-host host:n\fR]
164[\fB\-path\fR]
e3cdf75b 165[\fB\-CApath dir\fR]
166[\fB\-CAfile file\fR]
167[\fB\-VAfile file\fR]
168[\fB\-validity_period n\fR]
169[\fB\-status_age n\fR]
984263bc 170[\fB\-noverify\fR]
e3cdf75b 171[\fB\-verify_other file\fR]
172[\fB\-trust_other\fR]
173[\fB\-no_intern\fR]
e3cdf75b 174[\fB\-no_signature_verify\fR]
175[\fB\-no_cert_verify\fR]
176[\fB\-no_chain\fR]
177[\fB\-no_cert_checks\fR]
178[\fB\-port num\fR]
179[\fB\-index file\fR]
180[\fB\-CA file\fR]
181[\fB\-rsigner file\fR]
182[\fB\-rkey file\fR]
183[\fB\-rother file\fR]
184[\fB\-resp_no_certs\fR]
185[\fB\-nmin n\fR]
186[\fB\-ndays n\fR]
187[\fB\-resp_key_id\fR]
188[\fB\-nrequest n\fR]
984263bc 189.SH "DESCRIPTION"
190.IX Header "DESCRIPTION"
191The Online Certificate Status Protocol (\s-1OCSP\s0) enables applications to
192determine the (revocation) state of an identified certificate (\s-1RFC\s0 2560).
984263bc 193.PP
8b0cefbb 194The \fBocsp\fR command performs many common \s-1OCSP\s0 tasks. It can be used
984263bc 195to print out requests and responses, create requests and send queries
8b0cefbb 196to an \s-1OCSP\s0 responder and behave like a mini \s-1OCSP\s0 server itself.
984263bc 197.SH "OCSP CLIENT OPTIONS"
198.IX Header "OCSP CLIENT OPTIONS"
199.IP "\fB\-out filename\fR" 4
200.IX Item "-out filename"
984263bc 201specify output filename, default is standard output.
202.IP "\fB\-issuer filename\fR" 4
203.IX Item "-issuer filename"
204This specifies the current issuer certificate. This option can be used
205multiple times. The certificate specified in \fBfilename\fR must be in
aac4ff6f 206\&\s-1PEM\s0 format. This option \fB\s-1MUST\s0\fR come before any \fB\-cert\fR options.
207.IP "\fB\-cert filename\fR" 4
208.IX Item "-cert filename"
209Add the certificate \fBfilename\fR to the request. The issuer certificate
210is taken from the previous \fBissuer\fR option, or an error occurs if no
211issuer certificate is specified.
212.IP "\fB\-serial num\fR" 4
213.IX Item "-serial num"
984263bc 214Same as the \fBcert\fR option except the certificate with serial number
8b0cefbb 215\&\fBnum\fR is added to the request. The serial number is interpreted as a
984263bc 216decimal integer unless preceded by \fB0x\fR. Negative integers can also
e3cdf75b 217be specified by preceding the value by a \fB\-\fR sign.
218.IP "\fB\-signer filename\fR, \fB\-signkey filename\fR" 4
219.IX Item "-signer filename, -signkey filename"
220Sign the \s-1OCSP\s0 request using the certificate specified in the \fBsigner\fR
221option and the private key specified by the \fBsignkey\fR option. If
222the \fBsignkey\fR option is not present then the private key is read
223from the same file as the certificate. If neither option is specified then
224the \s-1OCSP\s0 request is not signed.
225.IP "\fB\-sign_other filename\fR" 4
226.IX Item "-sign_other filename"
e3cdf75b 227Additional certificates to include in the signed request.
228.IP "\fB\-nonce\fR, \fB\-no_nonce\fR" 4
229.IX Item "-nonce, -no_nonce"
230Add an \s-1OCSP\s0 nonce extension to a request or disable \s-1OCSP\s0 nonce addition.
231Normally if an \s-1OCSP\s0 request is input using the \fBrespin\fR option no
232nonce is added: using the \fBnonce\fR option will force addition of a nonce.
233If an \s-1OCSP\s0 request is being created (using \fBcert\fR and \fBserial\fR options)
234a nonce is automatically added; specifying \fBno_nonce\fR overrides this.
235.IP "\fB\-req_text\fR, \fB\-resp_text\fR, \fB\-text\fR" 4
236.IX Item "-req_text, -resp_text, -text"
984263bc 237print out the text form of the \s-1OCSP\s0 request, response or both respectively.
238.IP "\fB\-reqout file\fR, \fB\-respout file\fR" 4
239.IX Item "-reqout file, -respout file"
984263bc 240write out the \s-1DER\s0 encoded certificate request or response to \fBfile\fR.
241.IP "\fB\-reqin file\fR, \fB\-respin file\fR" 4
242.IX Item "-reqin file, -respin file"
243read the \s-1OCSP\s0 request or response from \fBfile\fR. These options are ignored
244if \s-1OCSP\s0 request or response creation is implied by other options (for example
245the \fBserial\fR, \fBcert\fR and \fBhost\fR options).
246.IP "\fB\-url responder_url\fR" 4
247.IX Item "-url responder_url"
984263bc 248specify the responder \s-1URL\s0. Both \s-1HTTP\s0 and \s-1HTTPS\s0 (\s-1SSL/TLS\s0) URLs can be specified.
249.IP "\fB\-host hostname:port\fR, \fB\-path pathname\fR" 4
250.IX Item "-host hostname:port, -path pathname"
984263bc 251if the \fBhost\fR option is present then the \s-1OCSP\s0 request is sent to the host
8b0cefbb 252\&\fBhostname\fR on port \fBport\fR. \fBpath\fR specifies the \s-1HTTP\s0 path name to use
984263bc 253or \*(L"/\*(R" by default.
254.IP "\fB\-CAfile file\fR, \fB\-CApath pathname\fR" 4
255.IX Item "-CAfile file, -CApath pathname"
256file or pathname containing trusted \s-1CA\s0 certificates. These are used to verify
257the signature on the \s-1OCSP\s0 response.
258.IP "\fB\-verify_other file\fR" 4
259.IX Item "-verify_other file"
260file containing additional certificates to search when attempting to locate
261the \s-1OCSP\s0 response signing certificate. Some responders omit the actual signer's
262certificate from the response: this option can be used to supply the necessary
263certificate in such cases.
264.IP "\fB\-trust_other\fR" 4
265.IX Item "-trust_other"
aac4ff6f 266the certificates specified by the \fB\-verify_other\fR option should be explicitly
267trusted and no additional checks will be performed on them. This is useful
268when the complete responder certificate chain is not available or trusting a
269root \s-1CA\s0 is not appropriate.
270.IP "\fB\-VAfile file\fR" 4
271.IX Item "-VAfile file"
984263bc 272file containing explicitly trusted responder certificates. Equivalent to the
aac4ff6f 273\&\fB\-verify_other\fR and \fB\-trust_other\fR options.
274.IP "\fB\-noverify\fR" 4
275.IX Item "-noverify"
276don't attempt to verify the \s-1OCSP\s0 response signature or the nonce values. This
277option will normally only be used for debugging since it disables all verification
278of the responder's certificate, leaving the authenticity of the response unchecked.
279.IP "\fB\-no_intern\fR" 4
280.IX Item "-no_intern"
281ignore certificates contained in the \s-1OCSP\s0 response when searching for the
282signer's certificate. With this option the signer's certificate must be specified
aac4ff6f 283with either the \fB\-verify_other\fR or \fB\-VAfile\fR options.
284.IP "\fB\-no_signature_verify\fR" 4
285.IX Item "-no_signature_verify"
286don't check the signature on the \s-1OCSP\s0 response. Since this option tolerates invalid
287signatures on \s-1OCSP\s0 responses, it will normally only be used for testing purposes.
288.IP "\fB\-no_cert_verify\fR" 4
289.IX Item "-no_cert_verify"
290don't verify the \s-1OCSP\s0 response signer's certificate at all. Since this option allows
291the \s-1OCSP\s0 response to be signed by any certificate, it should only be used for
292testing purposes.
293.IP "\fB\-no_chain\fR" 4
294.IX Item "-no_chain"
295do not use certificates in the response as additional untrusted \s-1CA\s0
296certificates.
297.IP "\fB\-no_cert_checks\fR" 4
298.IX Item "-no_cert_checks"
299don't perform any additional checks on the \s-1OCSP\s0 response signer's certificate.
300That is, do not check whether the signer's certificate is authorised
301to provide the necessary status information: as a result this option should
302only be used for testing purposes.
303.IP "\fB\-validity_period nsec\fR, \fB\-status_age age\fR" 4
304.IX Item "-validity_period nsec, -status_age age"
305these options specify the range of times, in seconds, which will be tolerated
306in an \s-1OCSP\s0 response. Each certificate status response includes a \fBnotBefore\fR time and
307an optional \fBnotAfter\fR time. The current time should fall between these two values, but
308the interval between the two times may be only a few seconds. In practice the \s-1OCSP\s0
309responder's and client's clocks may not be precisely synchronised and so such a check
310may fail. To avoid this the \fB\-validity_period\fR option can be used to specify an
311acceptable error range in seconds; the default value is 5 minutes.
312.Sp
313If the \fBnotAfter\fR time is omitted from a response then this means that new status
314information is immediately available. In this case the age of the \fBnotBefore\fR field
315is checked to see that it is not more than \fBage\fR seconds old. By default this additional
316check is not performed.
317.SH "OCSP SERVER OPTIONS"
318.IX Header "OCSP SERVER OPTIONS"
319.IP "\fB\-index indexfile\fR" 4
320.IX Item "-index indexfile"
321\&\fBindexfile\fR is a text index file in \fBca\fR format containing certificate revocation
322information.
323.Sp
324If the \fBindex\fR option is specified, the \fBocsp\fR utility is in responder mode; otherwise
8b0cefbb 325it is in client mode. The request(s) the responder processes can be either specified on
984263bc 326the command line (using \fBissuer\fR and \fBserial\fR options), supplied in a file (using the
8b0cefbb 327\&\fBrespin\fR option) or via external \s-1OCSP\s0 clients (if \fBport\fR or \fBurl\fR is specified).
328.Sp
329If the \fBindex\fR option is present then the \fB\s-1CA\s0\fR and \fBrsigner\fR options must also be
330present.
331.IP "\fB\-CA file\fR" 4
332.IX Item "-CA file"
333\&\s-1CA\s0 certificate corresponding to the revocation information in \fBindexfile\fR.
334.IP "\fB\-rsigner file\fR" 4
335.IX Item "-rsigner file"
984263bc 336The certificate to sign \s-1OCSP\s0 responses with.
337.IP "\fB\-rother file\fR" 4
338.IX Item "-rother file"
984263bc 339Additional certificates to include in the \s-1OCSP\s0 response.
340.IP "\fB\-resp_no_certs\fR" 4
341.IX Item "-resp_no_certs"
984263bc 342Don't include any certificates in the \s-1OCSP\s0 response.
343.IP "\fB\-resp_key_id\fR" 4
344.IX Item "-resp_key_id"
984263bc 345Identify the signer certificate using the key \s-1ID\s0; the default is to use the subject name.
346.IP "\fB\-rkey file\fR" 4
347.IX Item "-rkey file"
984263bc 348The private key to sign \s-1OCSP\s0 responses with: if not present the file specified in the
349\&\fBrsigner\fR option is used.
350.IP "\fB\-port portnum\fR" 4
351.IX Item "-port portnum"
352Port to listen for \s-1OCSP\s0 requests on. The port may also be specified using the \fBurl\fR
353option.
354.IP "\fB\-nrequest number\fR" 4
355.IX Item "-nrequest number"
e257b235 356The \s-1OCSP\s0 server will exit after receiving \fBnumber\fR requests, default unlimited.
357.IP "\fB\-nmin minutes\fR, \fB\-ndays days\fR" 4
358.IX Item "-nmin minutes, -ndays days"
984263bc 359Number of minutes or days when fresh revocation information is available: used in the
8b0cefbb 360\&\fBnextUpdate\fR field. If neither option is present then the \fBnextUpdate\fR field is
361omitted meaning fresh revocation information is immediately available.
362.SH "OCSP Response verification."
363.IX Header "OCSP Response verification."
364\&\s-1OCSP\s0 response verification follows the rules specified in \s-1RFC2560\s0.
984263bc 365.PP
366Initially the \s-1OCSP\s0 responder certificate is located and the signature on
367the \s-1OCSP\s0 response is checked using the responder certificate's public key.
984263bc 368.PP
8b0cefbb 369Then a normal certificate verify is performed on the \s-1OCSP\s0 responder certificate
370building up a certificate chain in the process. The locations of the trusted
371certificates used to build the chain can be specified by the \fBCAfile\fR
372and \fBCApath\fR options or they will be looked for in the standard OpenSSL
373certificates directory.
374.PP
8b0cefbb 375If the initial verify fails then the \s-1OCSP\s0 verify process halts with an
376error.
377.PP
378Otherwise the issuing \s-1CA\s0 certificate in the request is compared to the \s-1OCSP\s0
379responder certificate: if there is a match then the \s-1OCSP\s0 verify succeeds.
984263bc 380.PP
381Otherwise the \s-1OCSP\s0 responder certificate's \s-1CA\s0 is checked against the issuing
382\&\s-1CA\s0 certificate in the request. If there is a match and the OCSPSigning
383extended key usage is present in the \s-1OCSP\s0 responder certificate then the
384\&\s-1OCSP\s0 verify succeeds.
984263bc 385.PP
386Otherwise the root \s-1CA\s0 of the \s-1OCSP\s0 responder's \s-1CA\s0 is checked to see if it
387is trusted for \s-1OCSP\s0 signing. If it is, the \s-1OCSP\s0 verify succeeds.
984263bc 388.PP
8b0cefbb 389If none of these checks is successful then the \s-1OCSP\s0 verify fails.
984263bc 390.PP
391What this effectively means is that if the \s-1OCSP\s0 responder certificate is
392authorised directly by the \s-1CA\s0 it is issuing revocation information about
393(and it is correctly configured) then verification will succeed.
394.PP
8b0cefbb 395If the \s-1OCSP\s0 responder is a \*(L"global responder\*(R" which can give details about
984263bc 396multiple CAs and has its own separate certificate chain then its root
8b0cefbb 397\&\s-1CA\s0 can be trusted for \s-1OCSP\s0 signing. For example:
398.PP
399.Vb 1
e257b235 400\& openssl x509 \-in ocspCA.pem \-addtrust OCSPSigning \-out trustedCA.pem
984263bc 401.Ve
8b0cefbb 402.PP
403Alternatively the responder certificate itself can be explicitly trusted
404with the \fB\-VAfile\fR option.
405.SH "NOTES"
8b0cefbb 406.IX Header "NOTES"
984263bc 407As noted, most of the verify options are for testing or debugging purposes.
408Normally only the \fB\-CApath\fR, \fB\-CAfile\fR and (if the responder is a 'global
409\&\s-1VA\s0') \fB\-VAfile\fR options need to be used.
984263bc 410.PP
411The \s-1OCSP\s0 server is only useful for test and demonstration purposes: it is
412not really usable as a full \s-1OCSP\s0 responder. It contains only very
413simple \s-1HTTP\s0 request handling and can only handle the \s-1POST\s0 form of \s-1OCSP\s0
414queries. It also handles requests serially, meaning it cannot respond to
415new requests until it has processed the current one. The text index file
416format of revocation is also inefficient for large quantities of revocation
417data.
418.PP
8b0cefbb 419It is possible to run the \fBocsp\fR application in responder mode via a \s-1CGI\s0
420script using the \fBrespin\fR and \fBrespout\fR options.
421.SH "EXAMPLES"
422.IX Header "EXAMPLES"
423Create an \s-1OCSP\s0 request and write it to a file:
424.PP
425.Vb 1
e257b235 426\& openssl ocsp \-issuer issuer.pem \-cert c1.pem \-cert c2.pem \-reqout req.der
984263bc 427.Ve
428.PP
429Send a query to an \s-1OCSP\s0 responder with \s-1URL\s0 http://ocsp.myhost.com/, save the
430response to a file, and print it out in text form:
431.PP
432.Vb 2
433\& openssl ocsp \-issuer issuer.pem \-cert c1.pem \-cert c2.pem \e
434\& \-url http://ocsp.myhost.com/ \-resp_text \-respout resp.der
984263bc 435.Ve
436.PP
437Read in an \s-1OCSP\s0 response and print out text form:
438.PP
439.Vb 1
e257b235 440\& openssl ocsp \-respin resp.der \-text
984263bc 441.Ve
442.PP
443\&\s-1OCSP\s0 server on port 8888 using a standard \fBca\fR configuration, and a separate
444responder certificate. All requests and responses are printed to a file.
445.PP
446.Vb 2
447\& openssl ocsp \-index demoCA/index.txt \-port 8888 \-rsigner rcert.pem \-CA demoCA/cacert.pem
448\& \-text \-out log.txt
984263bc 449.Ve
8b0cefbb 450.PP
451As above but exit after processing one request:
452.PP
453.Vb 2
454\& openssl ocsp \-index demoCA/index.txt \-port 8888 \-rsigner rcert.pem \-CA demoCA/cacert.pem
455\& \-nrequest 1
984263bc 456.Ve
8b0cefbb 457.PP
458Query status information using internally generated request:
459.PP
460.Vb 2
461\& openssl ocsp \-index demoCA/index.txt \-rsigner rcert.pem \-CA demoCA/cacert.pem
462\& \-issuer demoCA/cacert.pem \-serial 1
984263bc 463.Ve
8b0cefbb 464.PP
465Query status information using request read from a file, write response to a
466second file.
467.PP
468.Vb 2
469\& openssl ocsp \-index demoCA/index.txt \-rsigner rcert.pem \-CA demoCA/cacert.pem
470\& \-reqin req.der \-respout resp.der
984263bc 471.Ve