Update files for OpenSSL-1.0.0f import.
[dragonfly.git] / secure / usr.bin / openssl / man / ocsp.1
CommitLineData
e3261593 1.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.19)
8b0cefbb
JR
2.\"
3.\" Standard preamble:
4.\" ========================================================================
8b0cefbb 5.de Sp \" Vertical space (when we can't use .PP)
984263bc
MD
6.if t .sp .5v
7.if n .sp
8..
8b0cefbb 9.de Vb \" Begin verbatim text
984263bc
MD
10.ft CW
11.nf
12.ne \\$1
13..
8b0cefbb 14.de Ve \" End verbatim text
984263bc 15.ft R
984263bc
MD
16.fi
17..
8b0cefbb
JR
18.\" Set up some character translations and predefined strings. \*(-- will
19.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
e257b235
PA
20.\" double quote, and \*(R" will give a right double quote. \*(C+ will
21.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
22.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
23.\" nothing in troff, for use with C<>.
24.tr \(*W-
8b0cefbb 25.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
984263bc 26.ie n \{\
8b0cefbb
JR
27. ds -- \(*W-
28. ds PI pi
29. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
31. ds L" ""
32. ds R" ""
33. ds C` ""
34. ds C' ""
984263bc
MD
35'br\}
36.el\{\
8b0cefbb
JR
37. ds -- \|\(em\|
38. ds PI \(*p
39. ds L" ``
40. ds R" ''
984263bc 41'br\}
8b0cefbb 42.\"
e257b235
PA
43.\" Escape single quotes in literal strings from groff's Unicode transform.
44.ie \n(.g .ds Aq \(aq
45.el .ds Aq '
46.\"
8b0cefbb 47.\" If the F register is turned on, we'll generate index entries on stderr for
01185282 48.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
8b0cefbb
JR
49.\" entries marked with X<> in POD. Of course, you'll have to process the
50.\" output yourself in some meaningful fashion.
e257b235 51.ie \nF \{\
8b0cefbb
JR
52. de IX
53. tm Index:\\$1\t\\n%\t"\\$2"
984263bc 54..
8b0cefbb
JR
55. nr % 0
56. rr F
984263bc 57.\}
e257b235
PA
58.el \{\
59. de IX
60..
61.\}
aac4ff6f 62.\"
8b0cefbb
JR
63.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
64.\" Fear. Run. Save yourself. No user-serviceable parts.
65. \" fudge factors for nroff and troff
984263bc 66.if n \{\
8b0cefbb
JR
67. ds #H 0
68. ds #V .8m
69. ds #F .3m
70. ds #[ \f1
71. ds #] \fP
984263bc
MD
72.\}
73.if t \{\
8b0cefbb
JR
74. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
75. ds #V .6m
76. ds #F 0
77. ds #[ \&
78. ds #] \&
984263bc 79.\}
8b0cefbb 80. \" simple accents for nroff and troff
984263bc 81.if n \{\
8b0cefbb
JR
82. ds ' \&
83. ds ` \&
84. ds ^ \&
85. ds , \&
86. ds ~ ~
87. ds /
984263bc
MD
88.\}
89.if t \{\
8b0cefbb
JR
90. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
91. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
92. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
93. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
94. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
95. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
984263bc 96.\}
8b0cefbb 97. \" troff and (daisy-wheel) nroff accents
984263bc
MD
98.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
99.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
100.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
101.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
102.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
103.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
104.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
105.ds ae a\h'-(\w'a'u*4/10)'e
106.ds Ae A\h'-(\w'A'u*4/10)'E
8b0cefbb 107. \" corrections for vroff
984263bc
MD
108.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
109.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
8b0cefbb 110. \" for low resolution devices (crt and lpr)
984263bc
MD
111.if \n(.H>23 .if \n(.V>19 \
112\{\
8b0cefbb
JR
113. ds : e
114. ds 8 ss
115. ds o a
116. ds d- d\h'-1'\(ga
117. ds D- D\h'-1'\(hy
118. ds th \o'bp'
119. ds Th \o'LP'
120. ds ae ae
121. ds Ae AE
984263bc
MD
122.\}
123.rm #[ #] #H #V #F C
8b0cefbb
JR
124.\" ========================================================================
125.\"
126.IX Title "OCSP 1"
e3261593 127.TH OCSP 1 "2012-01-04" "1.0.0f" "OpenSSL"
e257b235
PA
128.\" For nroff, turn off justification. Always turn off hyphenation; it makes
129.\" way too many mistakes in technical documents.
130.if n .ad l
131.nh
984263bc
MD
132.SH "NAME"
133ocsp \- Online Certificate Status Protocol utility
134.SH "SYNOPSIS"
8b0cefbb
JR
135.IX Header "SYNOPSIS"
136\&\fBopenssl\fR \fBocsp\fR
984263bc
MD
137[\fB\-out file\fR]
138[\fB\-issuer file\fR]
139[\fB\-cert file\fR]
140[\fB\-serial n\fR]
e3cdf75b
JR
141[\fB\-signer file\fR]
142[\fB\-signkey file\fR]
143[\fB\-sign_other file\fR]
144[\fB\-no_certs\fR]
984263bc
MD
145[\fB\-req_text\fR]
146[\fB\-resp_text\fR]
147[\fB\-text\fR]
148[\fB\-reqout file\fR]
149[\fB\-respout file\fR]
150[\fB\-reqin file\fR]
151[\fB\-respin file\fR]
152[\fB\-nonce\fR]
153[\fB\-no_nonce\fR]
8b0cefbb 154[\fB\-url \s-1URL\s0\fR]
984263bc
MD
155[\fB\-host host:n\fR]
156[\fB\-path\fR]
e3cdf75b 157[\fB\-CApath dir\fR]
984263bc
MD
158[\fB\-CAfile file\fR]
159[\fB\-VAfile file\fR]
e3cdf75b
JR
160[\fB\-validity_period n\fR]
161[\fB\-status_age n\fR]
984263bc 162[\fB\-noverify\fR]
e3cdf75b 163[\fB\-verify_other file\fR]
984263bc
MD
164[\fB\-trust_other\fR]
165[\fB\-no_intern\fR]
e3cdf75b 166[\fB\-no_signature_verify\fR]
984263bc
MD
167[\fB\-no_cert_verify\fR]
168[\fB\-no_chain\fR]
169[\fB\-no_cert_checks\fR]
e3cdf75b
JR
170[\fB\-port num\fR]
171[\fB\-index file\fR]
172[\fB\-CA file\fR]
173[\fB\-rsigner file\fR]
174[\fB\-rkey file\fR]
175[\fB\-rother file\fR]
176[\fB\-resp_no_certs\fR]
177[\fB\-nmin n\fR]
178[\fB\-ndays n\fR]
179[\fB\-resp_key_id\fR]
180[\fB\-nrequest n\fR]
01185282 181[\fB\-md5|\-sha1|...\fR]
984263bc 182.SH "DESCRIPTION"
8b0cefbb
JR
183.IX Header "DESCRIPTION"
184The Online Certificate Status Protocol (\s-1OCSP\s0) enables applications to
185determine the (revocation) state of an identified certificate (\s-1RFC\s0 2560).
984263bc 186.PP
8b0cefbb 187The \fBocsp\fR command performs many common \s-1OCSP\s0 tasks. It can be used
984263bc 188to print out requests and responses, create requests and send queries
8b0cefbb 189to an \s-1OCSP\s0 responder and behave like a mini \s-1OCSP\s0 server itself.
984263bc 190.SH "OCSP CLIENT OPTIONS"
8b0cefbb
JR
191.IX Header "OCSP CLIENT OPTIONS"
192.IP "\fB\-out filename\fR" 4
193.IX Item "-out filename"
984263bc 194specify output filename, default is standard output.
8b0cefbb
JR
195.IP "\fB\-issuer filename\fR" 4
196.IX Item "-issuer filename"
984263bc
MD
197This specifies the current issuer certificate. This option can be used
198multiple times. The certificate specified in \fBfilename\fR must be in
aac4ff6f 199\&\s-1PEM\s0 format. This option \fB\s-1MUST\s0\fR come before any \fB\-cert\fR options.
8b0cefbb
JR
200.IP "\fB\-cert filename\fR" 4
201.IX Item "-cert filename"
984263bc
MD
202Add the certificate \fBfilename\fR to the request. The issuer certificate
203is taken from the previous \fBissuer\fR option, or an error occurs if no
204issuer certificate is specified.
8b0cefbb
JR
205.IP "\fB\-serial num\fR" 4
206.IX Item "-serial num"
984263bc 207Same as the \fBcert\fR option except the certificate with serial number
8b0cefbb 208\&\fBnum\fR is added to the request. The serial number is interpreted as a
984263bc 209decimal integer unless preceded by \fB0x\fR. Negative integers can also
e3cdf75b 210be specified by preceding the value by a \fB\-\fR sign.
8b0cefbb
JR
211.IP "\fB\-signer filename\fR, \fB\-signkey filename\fR" 4
212.IX Item "-signer filename, -signkey filename"
984263bc
MD
213Sign the \s-1OCSP\s0 request using the certificate specified in the \fBsigner\fR
214option and the private key specified by the \fBsignkey\fR option. If
215the \fBsignkey\fR option is not present then the private key is read
216from the same file as the certificate. If neither option is specified then
217the \s-1OCSP\s0 request is not signed.
8b0cefbb
JR
218.IP "\fB\-sign_other filename\fR" 4
219.IX Item "-sign_other filename"
e3cdf75b 220Additional certificates to include in the signed request.
8b0cefbb
JR
221.IP "\fB\-nonce\fR, \fB\-no_nonce\fR" 4
222.IX Item "-nonce, -no_nonce"
984263bc
MD
223Add an \s-1OCSP\s0 nonce extension to a request or disable \s-1OCSP\s0 nonce addition.
224Normally if an \s-1OCSP\s0 request is input using the \fBrespin\fR option no
225nonce is added: using the \fBnonce\fR option will force addition of a nonce.
226If an \s-1OCSP\s0 request is being created (using \fBcert\fR and \fBserial\fR options)
227a nonce is automatically added specifying \fBno_nonce\fR overrides this.
8b0cefbb
JR
228.IP "\fB\-req_text\fR, \fB\-resp_text\fR, \fB\-text\fR" 4
229.IX Item "-req_text, -resp_text, -text"
984263bc 230print out the text form of the \s-1OCSP\s0 request, response or both respectively.
8b0cefbb
JR
231.IP "\fB\-reqout file\fR, \fB\-respout file\fR" 4
232.IX Item "-reqout file, -respout file"
984263bc 233write out the \s-1DER\s0 encoded certificate request or response to \fBfile\fR.
8b0cefbb
JR
234.IP "\fB\-reqin file\fR, \fB\-respin file\fR" 4
235.IX Item "-reqin file, -respin file"
984263bc
MD
236read \s-1OCSP\s0 request or response file from \fBfile\fR. These option are ignored
237if \s-1OCSP\s0 request or response creation is implied by other options (for example
238with \fBserial\fR, \fBcert\fR and \fBhost\fR options).
8b0cefbb
JR
239.IP "\fB\-url responder_url\fR" 4
240.IX Item "-url responder_url"
984263bc 241specify the responder \s-1URL\s0. Both \s-1HTTP\s0 and \s-1HTTPS\s0 (\s-1SSL/TLS\s0) URLs can be specified.
8b0cefbb
JR
242.IP "\fB\-host hostname:port\fR, \fB\-path pathname\fR" 4
243.IX Item "-host hostname:port, -path pathname"
984263bc 244if the \fBhost\fR option is present then the \s-1OCSP\s0 request is sent to the host
8b0cefbb 245\&\fBhostname\fR on port \fBport\fR. \fBpath\fR specifies the \s-1HTTP\s0 path name to use
984263bc 246or \*(L"/\*(R" by default.
8b0cefbb
JR
247.IP "\fB\-CAfile file\fR, \fB\-CApath pathname\fR" 4
248.IX Item "-CAfile file, -CApath pathname"
984263bc
MD
249file or pathname containing trusted \s-1CA\s0 certificates. These are used to verify
250the signature on the \s-1OCSP\s0 response.
8b0cefbb
JR
251.IP "\fB\-verify_other file\fR" 4
252.IX Item "-verify_other file"
984263bc
MD
253file containing additional certificates to search when attempting to locate
254the \s-1OCSP\s0 response signing certificate. Some responders omit the actual signer's
255certificate from the response: this option can be used to supply the necessary
256certificate in such cases.
8b0cefbb
JR
257.IP "\fB\-trust_other\fR" 4
258.IX Item "-trust_other"
aac4ff6f 259the certificates specified by the \fB\-verify_other\fR option should be explicitly
984263bc
MD
260trusted and no additional checks will be performed on them. This is useful
261when the complete responder certificate chain is not available or trusting a
262root \s-1CA\s0 is not appropriate.
8b0cefbb
JR
263.IP "\fB\-VAfile file\fR" 4
264.IX Item "-VAfile file"
984263bc 265file containing explicitly trusted responder certificates. Equivalent to the
aac4ff6f 266\&\fB\-verify_other\fR and \fB\-trust_other\fR options.
8b0cefbb
JR
267.IP "\fB\-noverify\fR" 4
268.IX Item "-noverify"
984263bc
MD
269don't attempt to verify the \s-1OCSP\s0 response signature or the nonce values. This
270option will normally only be used for debugging since it disables all verification
271of the responders certificate.
8b0cefbb
JR
272.IP "\fB\-no_intern\fR" 4
273.IX Item "-no_intern"
984263bc
MD
274ignore certificates contained in the \s-1OCSP\s0 response when searching for the
275signers certificate. With this option the signers certificate must be specified
aac4ff6f 276with either the \fB\-verify_other\fR or \fB\-VAfile\fR options.
8b0cefbb
JR
277.IP "\fB\-no_signature_verify\fR" 4
278.IX Item "-no_signature_verify"
984263bc
MD
279don't check the signature on the \s-1OCSP\s0 response. Since this option tolerates invalid
280signatures on \s-1OCSP\s0 responses it will normally only be used for testing purposes.
8b0cefbb
JR
281.IP "\fB\-no_cert_verify\fR" 4
282.IX Item "-no_cert_verify"
984263bc
MD
283don't verify the \s-1OCSP\s0 response signers certificate at all. Since this option allows
284the \s-1OCSP\s0 response to be signed by any certificate it should only be used for
285testing purposes.
8b0cefbb
JR
286.IP "\fB\-no_chain\fR" 4
287.IX Item "-no_chain"
984263bc
MD
288do not use certificates in the response as additional untrusted \s-1CA\s0
289certificates.
8b0cefbb
JR
290.IP "\fB\-no_cert_checks\fR" 4
291.IX Item "-no_cert_checks"
984263bc
MD
292don't perform any additional checks on the \s-1OCSP\s0 response signers certificate.
293That is do not make any checks to see if the signers certificate is authorised
294to provide the necessary status information: as a result this option should
295only be used for testing purposes.
8b0cefbb
JR
296.IP "\fB\-validity_period nsec\fR, \fB\-status_age age\fR" 4
297.IX Item "-validity_period nsec, -status_age age"
984263bc
MD
298these options specify the range of times, in seconds, which will be tolerated
299in an \s-1OCSP\s0 response. Each certificate status response includes a \fBnotBefore\fR time and
300an optional \fBnotAfter\fR time. The current time should fall between these two values, but
301the interval between the two times may be only a few seconds. In practice the \s-1OCSP\s0
302responder and clients clocks may not be precisely synchronised and so such a check
303may fail. To avoid this the \fB\-validity_period\fR option can be used to specify an
304acceptable error range in seconds, the default value is 5 minutes.
305.Sp
306If the \fBnotAfter\fR time is omitted from a response then this means that new status
307information is immediately available. In this case the age of the \fBnotBefore\fR field
308is checked to see it is not older than \fBage\fR seconds old. By default this additional
309check is not performed.
01185282
PA
310.IP "\fB\-md5|\-sha1|\-sha256|\-ripemod160|...\fR" 4
311.IX Item "-md5|-sha1|-sha256|-ripemod160|..."
312this option sets digest algorithm to use for certificate identification
313in the \s-1OCSP\s0 request. By default \s-1SHA\-1\s0 is used.
984263bc 314.SH "OCSP SERVER OPTIONS"
8b0cefbb
JR
315.IX Header "OCSP SERVER OPTIONS"
316.IP "\fB\-index indexfile\fR" 4
317.IX Item "-index indexfile"
318\&\fBindexfile\fR is a text index file in \fBca\fR format containing certificate revocation
984263bc
MD
319information.
320.Sp
321If the \fBindex\fR option is specified the \fBocsp\fR utility is in responder mode, otherwise
8b0cefbb 322it is in client mode. The request(s) the responder processes can be either specified on
984263bc 323the command line (using \fBissuer\fR and \fBserial\fR options), supplied in a file (using the
8b0cefbb 324\&\fBrespin\fR option) or via external \s-1OCSP\s0 clients (if \fBport\fR or \fBurl\fR is specified).
984263bc
MD
325.Sp
326If the \fBindex\fR option is present then the \fB\s-1CA\s0\fR and \fBrsigner\fR options must also be
327present.
8b0cefbb
JR
328.IP "\fB\-CA file\fR" 4
329.IX Item "-CA file"
330\&\s-1CA\s0 certificate corresponding to the revocation information in \fBindexfile\fR.
331.IP "\fB\-rsigner file\fR" 4
332.IX Item "-rsigner file"
984263bc 333The certificate to sign \s-1OCSP\s0 responses with.
8b0cefbb
JR
334.IP "\fB\-rother file\fR" 4
335.IX Item "-rother file"
984263bc 336Additional certificates to include in the \s-1OCSP\s0 response.
8b0cefbb
JR
337.IP "\fB\-resp_no_certs\fR" 4
338.IX Item "-resp_no_certs"
984263bc 339Don't include any certificates in the \s-1OCSP\s0 response.
8b0cefbb
JR
340.IP "\fB\-resp_key_id\fR" 4
341.IX Item "-resp_key_id"
984263bc 342Identify the signer certificate using the key \s-1ID\s0, default is to use the subject name.
8b0cefbb
JR
343.IP "\fB\-rkey file\fR" 4
344.IX Item "-rkey file"
984263bc 345The private key to sign \s-1OCSP\s0 responses with: if not present the file specified in the
8b0cefbb
JR
346\&\fBrsigner\fR option is used.
347.IP "\fB\-port portnum\fR" 4
348.IX Item "-port portnum"
984263bc
MD
349Port to listen for \s-1OCSP\s0 requests on. The port may also be specified using the \fBurl\fR
350option.
8b0cefbb
JR
351.IP "\fB\-nrequest number\fR" 4
352.IX Item "-nrequest number"
e257b235 353The \s-1OCSP\s0 server will exit after receiving \fBnumber\fR requests, default unlimited.
8b0cefbb
JR
354.IP "\fB\-nmin minutes\fR, \fB\-ndays days\fR" 4
355.IX Item "-nmin minutes, -ndays days"
984263bc 356Number of minutes or days when fresh revocation information is available: used in the
8b0cefbb 357\&\fBnextUpdate\fR field. If neither option is present then the \fBnextUpdate\fR field is
984263bc
MD
358omitted meaning fresh revocation information is immediately available.
359.SH "OCSP Response verification."
8b0cefbb
JR
360.IX Header "OCSP Response verification."
361\&\s-1OCSP\s0 Response follows the rules specified in \s-1RFC2560\s0.
984263bc 362.PP
8b0cefbb
JR
363Initially the \s-1OCSP\s0 responder certificate is located and the signature on
364the \s-1OCSP\s0 request checked using the responder certificate's public key.
984263bc 365.PP
8b0cefbb 366Then a normal certificate verify is performed on the \s-1OCSP\s0 responder certificate
984263bc
MD
367building up a certificate chain in the process. The locations of the trusted
368certificates used to build the chain can be specified by the \fBCAfile\fR
369and \fBCApath\fR options or they will be looked for in the standard OpenSSL
370certificates directory.
371.PP
8b0cefbb 372If the initial verify fails then the \s-1OCSP\s0 verify process halts with an
984263bc
MD
373error.
374.PP
8b0cefbb
JR
375Otherwise the issuing \s-1CA\s0 certificate in the request is compared to the \s-1OCSP\s0
376responder certificate: if there is a match then the \s-1OCSP\s0 verify succeeds.
984263bc 377.PP
8b0cefbb
JR
378Otherwise the \s-1OCSP\s0 responder certificate's \s-1CA\s0 is checked against the issuing
379\&\s-1CA\s0 certificate in the request. If there is a match and the OCSPSigning
380extended key usage is present in the \s-1OCSP\s0 responder certificate then the
381\&\s-1OCSP\s0 verify succeeds.
984263bc 382.PP
8b0cefbb
JR
383Otherwise the root \s-1CA\s0 of the \s-1OCSP\s0 responders \s-1CA\s0 is checked to see if it
384is trusted for \s-1OCSP\s0 signing. If it is the \s-1OCSP\s0 verify succeeds.
984263bc 385.PP
8b0cefbb 386If none of these checks is successful then the \s-1OCSP\s0 verify fails.
984263bc 387.PP
8b0cefbb
JR
388What this effectively means if that if the \s-1OCSP\s0 responder certificate is
389authorised directly by the \s-1CA\s0 it is issuing revocation information about
984263bc
MD
390(and it is correctly configured) then verification will succeed.
391.PP
8b0cefbb 392If the \s-1OCSP\s0 responder is a \*(L"global responder\*(R" which can give details about
984263bc 393multiple CAs and has its own separate certificate chain then its root
8b0cefbb 394\&\s-1CA\s0 can be trusted for \s-1OCSP\s0 signing. For example:
984263bc
MD
395.PP
396.Vb 1
e257b235 397\& openssl x509 \-in ocspCA.pem \-addtrust OCSPSigning \-out trustedCA.pem
984263bc 398.Ve
8b0cefbb 399.PP
984263bc
MD
400Alternatively the responder certificate itself can be explicitly trusted
401with the \fB\-VAfile\fR option.
402.SH "NOTES"
8b0cefbb 403.IX Header "NOTES"
984263bc 404As noted, most of the verify options are for testing or debugging purposes.
8b0cefbb
JR
405Normally only the \fB\-CApath\fR, \fB\-CAfile\fR and (if the responder is a 'global
406\&\s-1VA\s0') \fB\-VAfile\fR options need to be used.
984263bc 407.PP
8b0cefbb
JR
408The \s-1OCSP\s0 server is only useful for test and demonstration purposes: it is
409not really usable as a full \s-1OCSP\s0 responder. It contains only a very
410simple \s-1HTTP\s0 request handling and can only handle the \s-1POST\s0 form of \s-1OCSP\s0
984263bc
MD
411queries. It also handles requests serially meaning it cannot respond to
412new requests until it has processed the current one. The text index file
413format of revocation is also inefficient for large quantities of revocation
414data.
415.PP
8b0cefbb 416It is possible to run the \fBocsp\fR application in responder mode via a \s-1CGI\s0
984263bc
MD
417script using the \fBrespin\fR and \fBrespout\fR options.
418.SH "EXAMPLES"
8b0cefbb
JR
419.IX Header "EXAMPLES"
420Create an \s-1OCSP\s0 request and write it to a file:
984263bc
MD
421.PP
422.Vb 1
e257b235 423\& openssl ocsp \-issuer issuer.pem \-cert c1.pem \-cert c2.pem \-reqout req.der
984263bc 424.Ve
8b0cefbb
JR
425.PP
426Send a query to an \s-1OCSP\s0 responder with \s-1URL\s0 http://ocsp.myhost.com/ save the
984263bc
MD
427response to a file and print it out in text form
428.PP
429.Vb 2
e257b235
PA
430\& openssl ocsp \-issuer issuer.pem \-cert c1.pem \-cert c2.pem \e
431\& \-url http://ocsp.myhost.com/ \-resp_text \-respout resp.der
984263bc 432.Ve
8b0cefbb
JR
433.PP
434Read in an \s-1OCSP\s0 response and print out text form:
984263bc
MD
435.PP
436.Vb 1
e257b235 437\& openssl ocsp \-respin resp.der \-text
984263bc 438.Ve
8b0cefbb
JR
439.PP
440\&\s-1OCSP\s0 server on port 8888 using a standard \fBca\fR configuration, and a separate
984263bc
MD
441responder certificate. All requests and responses are printed to a file.
442.PP
443.Vb 2
e257b235
PA
444\& openssl ocsp \-index demoCA/index.txt \-port 8888 \-rsigner rcert.pem \-CA demoCA/cacert.pem
445\& \-text \-out log.txt
984263bc 446.Ve
8b0cefbb 447.PP
984263bc
MD
448As above but exit after processing one request:
449.PP
450.Vb 2
e257b235
PA
451\& openssl ocsp \-index demoCA/index.txt \-port 8888 \-rsigner rcert.pem \-CA demoCA/cacert.pem
452\& \-nrequest 1
984263bc 453.Ve
8b0cefbb 454.PP
984263bc
MD
455Query status information using internally generated request:
456.PP
457.Vb 2
e257b235
PA
458\& openssl ocsp \-index demoCA/index.txt \-rsigner rcert.pem \-CA demoCA/cacert.pem
459\& \-issuer demoCA/cacert.pem \-serial 1
984263bc 460.Ve
8b0cefbb 461.PP
984263bc
MD
462Query status information using request read from a file, write response to a
463second file.
464.PP
465.Vb 2
e257b235
PA
466\& openssl ocsp \-index demoCA/index.txt \-rsigner rcert.pem \-CA demoCA/cacert.pem
467\& \-reqin req.der \-respout resp.der
984263bc 468.Ve