OCSP(1) OpenSSL OCSP(1)
NAME
ocsp - Online Certificate Status Protocol utility
# Note: ocsp is the Online Certificate Status Protocol tool
SYNOPSIS
openssl ocsp [-out file] [-issuer file] [-cert file] [-serial n] [-req_text] [-resp_text] [-text]
[-reqout file] [-respout file] [-reqin file] [-respin file] [-nonce] [-no_nonce]
[-url responder_url] [-host host:n] [-path] [-CApath pathname] [-CAfile file] [-VAfile file]
[-verify_certs file] [-noverify] [-trust_other] [-no_intern] [-no_sig_verify]
[-no_cert_verify] [-no_chain] [-no_cert_checks] [-validity_period nsec] [-status_age nsec]
DESCRIPTION
WARNING: this documentation is preliminary and subject to change.
The Online Certificate Status Protocol (OCSP) enables applications to determine the (revocation) state of an identified certificate (RFC 2560).
# Note: OCSP lets an application determine the status of a certificate.
The ocsp command performs many common OCSP tasks. It can be used to print out requests and responses, create requests and send queries to an OCSP responder, and behave like a mini OCSP server itself.
# Note: the ocsp command performs many OCSP tasks. It can print requests and responses, create requests, send them to a responder and receive the responses, and act as a small OCSP server.
OCSP CLIENT OPTIONS
-out filename
specify output filename, default is standard output.
-issuer filename
This specifies the current issuer certificate. This option can be used multiple times. The certificate specified in filename must be in PEM format.
# Note: -issuer is the certificate of the issuer of the certificate being queried, i.e. the CA certificate (cacert.pem).
# The certificate must be in PEM format (base64 encoded).
-cert filename
Add the certificate filename to the request. The issuer certificate is taken from the previous issuer option, or an error occurs if no issuer certificate is specified.
# Note: -cert specifies the certificate to query.
-serial num
Same as the cert option except the certificate with serial number num is added to the request. The serial number is interpreted as a decimal integer unless preceded by 0x. Negative integers can also be specified by preceding the value by a - sign.
# Note: -serial specifies the serial number to query.
-signer filename, -signkey filename
Sign the OCSP request using the certificate specified in the signer option and the private key specified by the signkey option. If the signkey option is not present then the private key is read from the same file as the certificate. If neither option is specified then the OCSP request is not signed.
# Note: -signkey signs the OCSP request with the specified private key.
-nonce, -no_nonce
Add an OCSP nonce extension to a request or disable OCSP nonce addition. Normally if an OCSP request is input using the reqin option no nonce is added: using the nonce option will force addition of a nonce. If an OCSP request is being created (using cert and serial options) a nonce is automatically added; specifying no_nonce overrides this.
# Note: -nonce adds an OCSP nonce extension; -no_nonce disables the OCSP nonce.
-req_text, -resp_text, -text
print out the text form of the OCSP request, response or both respectively.
# Note: -text prints the OCSP request information in text form.
-reqout file, -respout file
write out the DER encoded certificate request or response to file.
# Note: -reqout/-respout write the DER-encoded request/response to the given file.
-reqin file, -respin file
read OCSP request or response file from file. These options are ignored if OCSP request or response creation is implied by other options (for example with serial, cert and host options).
# Note: -reqin reads a request from a file.
-url responder_url
specify the responder URL. Both HTTP and HTTPS (SSL/TLS) URLs can be specified.
# Note: -url specifies the responder URL, which may be an HTTP or HTTPS URL.
-host hostname:port, -path pathname
if the host option is present then the OCSP request is sent to the host hostname on port port. path specifies the HTTP path name to use or "/" by default.
# Note: -host specifies the address and port of the OCSP server.
-CAfile file, -CApath pathname
file or pathname containing trusted CA certificates. These are used to verify the signature on the OCSP response.
# Note: -CAfile specifies the CA certificate chain file.
-verify_certs file
file containing additional certificates to search when attempting to locate the OCSP response signing certificate. Some responders omit the actual signer's certificate from the response: this option can be used to supply the necessary certificate in such cases.
# Note: -verify_certs
-trust_other
the certificates specified by the -verify_certs option should be explicitly trusted and no additional checks will be performed on them. This is useful when the complete responder certificate chain is not available or trusting a root CA is not appropriate.
-VAfile file
file containing explicitly trusted responder certificates. Equivalent to the -verify_certs and -trust_other options.
-noverify
don't attempt to verify the OCSP response signature or the nonce values. This option will normally only be used for debugging since it disables all verification of the responder's certificate.
-no_intern
ignore certificates contained in the OCSP response when searching for the signer's certificate. With this option the signer's certificate must be specified with either the -verify_certs or -VAfile options.
-no_sig_verify
don't check the signature on the OCSP response. Since this option tolerates invalid signatures on OCSP responses it will normally only be used for testing purposes.
-no_cert_verify
don't verify the OCSP response signer's certificate at all. Since this option allows the OCSP response to be signed by any certificate it should only be used for testing purposes.
-no_chain
do not use certificates in the response as additional untrusted CA certificates.
-no_cert_checks
don't perform any additional checks on the OCSP response signer's certificate. That is, do not make any checks to see if the signer's certificate is authorised to provide the necessary status information: as a result this option should only be used for testing purposes.
-validity_period nsec, -status_age age
these options specify the range of times, in seconds, which will be tolerated in an OCSP response. Each certificate status response includes a notBefore time and an optional notAfter time. The current time should fall between these two values, but the interval between the two times may be only a few seconds. In practice the OCSP responder's and clients' clocks may not be precisely synchronised and so such a check may fail. To avoid this the -validity_period option can be used to specify an acceptable error range in seconds; the default value is 5 minutes.
If the notAfter time is omitted from a response then this means that new status information is immediately available. In this case the age of the notBefore field is checked to see it is not older than age seconds old. By default this additional check is not performed.
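As an added example (not part of the man page): a small wrapper that runs the client side end to end with the options above and turns the output of openssl ocsp into one verdict. It assumes an openssl whose x509 command supports -ocsp_uri and that the issuer file doubles as the -CAfile trust anchor; the sample ocsp output it parses offline is constructed.

```shell
#!/bin/sh
# Added example, not from the OpenSSL man page: query the responder named in a
# certificate's AIA extension and reduce the ocsp output to a single verdict.
# Assumes an openssl whose x509 command supports -ocsp_uri (modern releases do).
set -eu

# Constructed sample of what "openssl ocsp" prints (stderr and stdout merged).
SAMPLE_OUTPUT='Response verify OK
c1.pem: good
    This Update: Sep  7 12:00:00 2001 GMT'

# Reduce ocsp output to good|revoked|unknown|unverified. A status line is only
# meaningful after "Response verify OK": without it the signature, chain or
# nonce check failed and the status must not be trusted.
ocsp_verdict() {
  case $1 in
    *"Response verify OK"*) ;;
    *) echo unverified; return 0 ;;
  esac
  case $1 in
    *"WARNING: no nonce in response"*)
      echo "warning: responder did not echo the nonce" >&2 ;;
  esac
  # Any revoked certificate outweighs good ones in a multi-cert request.
  case $1 in
    *": revoked"*) echo revoked ;;
    *": unknown"*) echo unknown ;;
    *": good"*)    echo good ;;
    *)             echo unknown ;;
  esac
}

# issuer.pem must be the CA that signed cert.pem; it is also what -CAfile
# trusts here, so a response from a delegated responder it issued verifies.
check_cert() {
  url=$(openssl x509 -in "$1" -noout -ocsp_uri)
  [ -n "$url" ] || { echo "no OCSP URL in $1" >&2; return 2; }
  out=$(openssl ocsp -issuer "$2" -cert "$1" -url "$url" \
          -CAfile "$2" -nonce 2>&1) || true
  ocsp_verdict "$out"
}

if [ $# -eq 2 ]; then
  check_cert "$1" "$2"
else
  ocsp_verdict "$SAMPLE_OUTPUT"
fi
```

Run as `sh ocspcheck.sh cert.pem issuer.pem`; with no arguments it parses the constructed sample and prints good.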
OCSP SERVER OPTIONS
-index indexfile
indexfile is a text index file in ca format containing certificate revocation information.
# Note: -index tells the OCSP server where the index file of this CA is.
If the index option is specified the ocsp utility is in responder mode, otherwise it is in client mode. The request(s) the responder processes can be either specified on the command line (using issuer and serial options), supplied in a file (using the reqin option) or via external OCSP clients (if port or url is specified).
# Note: if the index option is given, ocsp runs in server mode, otherwise in client mode.
If the index option is present then the CA and rsigner options must also be present.
# Note: if -index is given then -CA and -rsigner must be given too.
-CA file
CA certificate corresponding to the revocation information in indexfile.
# Note: -CA specifies the CA certificate file, the one the index file was generated for.
-rsigner file
The certificate to sign OCSP responses with.
# Note: -rsigner specifies the certificate used to sign OCSP responses.
-rother file
Additional certificates to include in the OCSP response.
# Note: -rother gives additional certificates to include in the OCSP response.
-resp_no_certs
Don't include any certificates in the OCSP response.
# Note: -resp_no_certs includes no certificates in the OCSP response.
-resp_key_id
Identify the signer certificate using the key ID, default is to use the subject name.
# Note: -resp_key_id identifies the signer's certificate by key ID; the default is the subject name.
-rkey file
The private key to sign OCSP responses with: if not present the file specified in the rsigner option is used.
# Note: -rkey specifies the private key used to sign OCSP responses. If not given, the file given with -rsigner is used.
-port portnum
Port to listen for OCSP requests on. The port may also be specified using the url option.
# Note: -port specifies the port on which the OCSP server accepts requests.
-nrequest number
The OCSP server will exit after receiving number requests, default unlimited.
# Note: -nrequest makes the server exit after this many requests; the default is unlimited.
-nmin minutes, -ndays days
Number of minutes or days when fresh revocation information is available: used in the nextUpdate field. If neither option is present then the nextUpdate field is omitted, meaning fresh revocation information is immediately available.
OCSP Response verification.
OCSP response verification follows the rules specified in RFC 2560.
Initially the OCSP responder certificate is located and the signature on the OCSP response checked using the responder certificate's public key.
Then a normal certificate verify is performed on the OCSP responder certificate, building up a certificate chain in the process. The locations of the trusted certificates used to build the chain can be specified by the CAfile and CApath options or they will be looked for in the standard OpenSSL certificates directory.
If the initial verify fails then the OCSP verify process halts with an error.
Otherwise the issuing CA certificate in the request is compared to the OCSP responder certificate: if there is a match then the OCSP verify succeeds.
Otherwise the OCSP responder certificate's CA is checked against the issuing CA certificate in the request. If there is a match and the OCSPSigning extended key usage is present in the OCSP responder certificate then the OCSP verify succeeds.
Otherwise the root CA of the OCSP responder's CA is checked to see if it is trusted for OCSP signing. If it is, the OCSP verify succeeds.
If none of these checks is successful then the OCSP verify fails.
What this effectively means is that if the OCSP responder certificate is authorised directly by the CA it is issuing revocation information about (and it is correctly configured) then verification will succeed.
If the OCSP responder is a "global responder" which can give details about multiple CAs and has its own separate certificate chain then its root CA can be trusted for OCSP signing. For example:
openssl x509 -in ocspCA.pem -addtrust OCSPSigning -out trustedCA.pem
Alternatively the responder certificate itself can be explicitly trusted with the -VAfile option.
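An added example, not part of the man page, that ties the server options and the verification rules together: it constructs a throwaway CA and ca-format index file, runs ocsp in responder mode with -index/-CA/-rsigner/-rkey, and uses the -addtrust OCSPSigning step shown above so that the built-in client accepts a responder certificate that lacks the OCSPSigning extended key usage. All names, serials and dates are constructed, and openssl must be installed for the live part.

```shell
#!/bin/sh
# Added example, not from the OpenSSL man page: build a constructed demo CA,
# run the test responder with -index/-CA/-rsigner against it, and verify the
# answers with the trust rules described above. Assumes openssl is installed.
set -eu

# One line of the "ca"-style text index file that -index reads. Fields are
# TAB separated: status (V valid, R revoked), expiry, revocation time (empty
# unless revoked, optionally ",reason"), serial in hex, file name, subject DN.
index_entry() {
  printf '%s\t%s\t%s\t%s\tunknown\t%s\n' "$1" "$2" "$3" "$4" "$5"
}

demo_responder() {
  work=$(mktemp -d); cd "$work"
  # Constructed CA plus a responder certificate it issued (serial 0x10). The
  # responder cert deliberately lacks the OCSPSigning EKU.
  openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=DemoCA -days 2 \
      -keyout cakey.pem -out cacert.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=DemoOCSP \
      -keyout rkey.pem -out rcsr.pem 2>/dev/null
  openssl x509 -req -in rcsr.pem -CA cacert.pem -CAkey cakey.pem \
      -set_serial 0x10 -days 2 -out rcert.pem 2>/dev/null
  # Revocation database: serial 1 valid, serial 2 revoked for key compromise.
  {
    index_entry V 300101000000Z "" 01 /CN=host1
    index_entry R 300101000000Z 240101000000Z,keyCompromise 02 /CN=host2
  } >index.txt
  # Without the EKU the client side only accepts the response if the root is
  # trusted for OCSP signing: the -addtrust step shown in the section above.
  openssl x509 -in cacert.pem -addtrust OCSPSigning -out trustedCA.pem
  # -index selects responder mode; -issuer/-serial generate the request
  # internally; -CAfile is what the built-in client verifies the answer with.
  for serial in 1 2; do
    openssl ocsp -index index.txt -CA cacert.pem -rsigner rcert.pem \
        -rkey rkey.pem -issuer cacert.pem -serial "$serial" \
        -CAfile trustedCA.pem 2>&1 |
      grep -E 'Response [vV]erify|: (good|revoked|unknown)'
  done
}

# The live demo runs only on request; index_entry works stand-alone.
if [ "${1:-}" = run ]; then
  demo_responder
fi
```

Running `sh ocspdemo.sh run` should print "Response verify OK" followed by "1: good" and then "2: revoked"; drop the -addtrust step and the same query fails with "Response Verify Failure", which is the delegation rule from the section above in action.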
NOTES
As noted, most of the verify options are for testing or debugging purposes. Normally only the -CApath, -CAfile and (if the responder is a 'global VA') -VAfile options need to be used.
The OCSP server is only useful for test and demonstration purposes: it is not really usable as a full OCSP responder. It contains only very simple HTTP request handling and can only handle the POST form of OCSP queries. It also handles requests serially, meaning it cannot respond to new requests until it has processed the current one. The text index file format of revocation is also inefficient for large quantities of revocation data.
It is possible to run the ocsp application in responder mode via a CGI script using the reqin and respout options.
EXAMPLES
Create an OCSP request and write it to a file:
# Note: the command below
openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der
Send a query to an OCSP responder with URL responder_url, save the response to a file and print it out in text form:
openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -url responder_url -resp_text -respout resp.der
Read in an OCSP response and print out text form:
openssl ocsp -respin resp.der -text
OCSP server on port 8888 using a standard ca configuration, and a separate responder certificate. All requests and responses are printed to a file.
openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem -text -out log.txt
As above but exit after processing one request:
openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem -nrequest 1
Query status information using an internally generated request:
openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem -issuer demoCA/cacert.pem -serial 1
Query status information using a request read from a file, and write the response to a second file:
openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem -reqin req.der -respout resp.der
0.9.7a 2001-09-07 OCSP(1)