OLD | NEW |
1 =pod | 1 =pod |
2 | 2 |
3 =head1 NAME | 3 =head1 NAME |
4 | 4 |
5 ocsp - Online Certificate Status Protocol utility | 5 ocsp - Online Certificate Status Protocol utility |
6 | 6 |
7 =head1 SYNOPSIS | 7 =head1 SYNOPSIS |
8 | 8 |
9 B<openssl> B<ocsp> | 9 B<openssl> B<ocsp> |
10 [B<-out file>] | 10 [B<-out file>] |
(...skipping 33 matching lines...)
44 [B<-index file>] | 44 [B<-index file>] |
45 [B<-CA file>] | 45 [B<-CA file>] |
46 [B<-rsigner file>] | 46 [B<-rsigner file>] |
47 [B<-rkey file>] | 47 [B<-rkey file>] |
48 [B<-rother file>] | 48 [B<-rother file>] |
49 [B<-resp_no_certs>] | 49 [B<-resp_no_certs>] |
50 [B<-nmin n>] | 50 [B<-nmin n>] |
51 [B<-ndays n>] | 51 [B<-ndays n>] |
52 [B<-resp_key_id>] | 52 [B<-resp_key_id>] |
53 [B<-nrequest n>] | 53 [B<-nrequest n>] |
| 54 [B<-md5|-sha1|...>] |
54 | 55 |
55 =head1 DESCRIPTION | 56 =head1 DESCRIPTION |
56 | 57 |
57 The Online Certificate Status Protocol (OCSP) enables applications to | 58 The Online Certificate Status Protocol (OCSP) enables applications to |
58 determine the (revocation) state of an identified certificate (RFC 2560). | 59 determine the (revocation) state of an identified certificate (RFC 2560). |
59 | 60 |
60 The B<ocsp> command performs many common OCSP tasks. It can be used | 61 The B<ocsp> command performs many common OCSP tasks. It can be used |
61 to print out requests and responses, create requests and send queries | 62 to print out requests and responses, create requests and send queries |
62 to an OCSP responder and behave like a mini OCSP server itself. | 63 to an OCSP responder and behave like a mini OCSP server itself. |
63 | 64 |
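Review bot: the new SYNOPSIS entry [B<-md5|-sha1|...>] is appended after [B<-nrequest n>], at the end of the run that starts with -index, -CA and -rsigner, which are the options documented under OCSP SERVER OPTIONS. The matching =item is added to the option list that closes before that heading and describes the digest used in the OCSP request, so the synopsis entry would read better next to the other request options than at the tail of the responder ones.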
(...skipping 135 matching lines...)
199 the interval between the two times may be only a few seconds. In practice the OC
SP | 200 the interval between the two times may be only a few seconds. In practice the OC
SP |
200 responder and clients clocks may not be precisely synchronised and so such a che
ck | 201 responder and clients clocks may not be precisely synchronised and so such a che
ck |
201 may fail. To avoid this the B<-validity_period> option can be used to specify an | 202 may fail. To avoid this the B<-validity_period> option can be used to specify an |
202 acceptable error range in seconds, the default value is 5 minutes. | 203 acceptable error range in seconds, the default value is 5 minutes. |
203 | 204 |
204 If the B<notAfter> time is omitted from a response then this means that new stat
us | 205 If the B<notAfter> time is omitted from a response then this means that new stat
us |
205 information is immediately available. In this case the age of the B<notBefore> f
ield | 206 information is immediately available. In this case the age of the B<notBefore> f
ield |
206 is checked to see it is not older than B<age> seconds old. By default this addit
ional | 207 is checked to see it is not older than B<age> seconds old. By default this addit
ional |
207 check is not performed. | 208 check is not performed. |
208 | 209 |
| 210 =item B<-md5|-sha1|-sha256|-ripemod160|...> |
| 211 |
| 212 this option sets digest algorithm to use for certificate identification |
| 213 in the OCSP request. By default SHA-1 is used. |
| 214 |
209 =back | 215 =back |
210 | 216 |
211 =head1 OCSP SERVER OPTIONS | 217 =head1 OCSP SERVER OPTIONS |
212 | 218 |
213 =over 4 | 219 =over 4 |
214 | 220 |
215 =item B<-index indexfile> | 221 =item B<-index indexfile> |
216 | 222 |
217 B<indexfile> is a text index file in B<ca> format containing certificate revocat
ion | 223 B<indexfile> is a text index file in B<ca> format containing certificate revocat
ion |
218 information. | 224 information. |
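Review bot: the added =item line spells one of the digests as -ripemod160; the digest name is ripemd160, so a reader copying the option from the manual will not get RIPEMD-160. Suggest =item B<-md5|-sha1|-sha256|-ripemd160|...>. The description below it also starts in lower case and drops the article ("This option sets the digest algorithm ..."), and it would help to say which digest names are accepted in place of the trailing "...".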
(...skipping 137 matching lines...)
356 Query status information using internally generated request: | 362 Query status information using internally generated request: |
357 | 363 |
358 openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem | 364 openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem |
359 -issuer demoCA/cacert.pem -serial 1 | 365 -issuer demoCA/cacert.pem -serial 1 |
360 | 366 |
361 Query status information using request read from a file, write response to a | 367 Query status information using request read from a file, write response to a |
362 second file. | 368 second file. |
363 | 369 |
364 openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem | 370 openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem |
365 -reqin req.der -respout resp.der | 371 -reqin req.der -respout resp.der |