Hi Sandeep,

I've one question on your response:

Currently I only need to verify the revocation status of one certificate, so I think I should only use one issuer and one cert, like:

openssl ocsp -issuer issuer.pem -cert c1.pem -url http://ocsp.myhost.com/ -CAfile ca.pem -resp_text -respout resp.der

Please suggest.

Regards,
Ashish

On Thu, Jun 11, 2009 at 8:49 AM, sandeep kiran p <[email protected]> wrote:

> Hi Ashish,
>
> Check the man page of ocsp. It says -issuer specifies the current issuer
> certificate and this option can be used multiple times. And the -cert option
> specifies a request for which the issuer certificate is taken from the previous
> issuer option. So in order to verify your chain, I think the command should
> be something like
>
> openssl ocsp -issuer issuer.pem -cert c1.pem -issuer ca.pem -cert issuer.pem -url http://ocsp.myhost.com/ -CAfile ca.pem -resp_text -respout resp.der
>
> I hope this works.
>
> Thanks,
> Sandeep
>
> On Wed, Jun 10, 2009 at 4:19 AM, Ashish Agrawal <[email protected]> wrote:
>
>> Hi,
>>
>> I've a query on the OCSP request command:
>>
>> openssl ocsp -issuer issuer.pem -cert c1.pem -url http://ocsp.myhost.com/ -CAfile ca.pem -resp_text -respout resp.der
>>
>> I have a scenario where I have a three-certificate chain.
>>
>> Root Cert -> Intermediate Cert -> End Cert
>>
>> So here I am interpreting the fields as:
>>
>> issuer: Intermediate Cert
>> cert: End Cert
>> CAfile: Root Cert
>>
>> I want to know, is my understanding correct?
>>
>> Regards,
>> Ashish
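The -issuer/-cert pairing discussed in this thread can be checked offline by printing the request that openssl builds, without contacting any responder. This is an added example, not part of the original messages: the chain is a constructed throwaway one that reuses the thread's file names (ca.pem, issuer.pem, c1.pem), and `make_cert` and `count_ids` are helper names introduced here.

```shell
#!/bin/sh
# Added example: builds a constructed three-certificate chain in a temp dir
# and inspects the OCSP requests openssl generates. No network access is used.
set -e
work=$(mktemp -d)
cd "$work"

# Root certificate (ca.pem), self-signed.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Example Root" -days 1 2>/dev/null

# make_cert NAME CN SIGNER SERIAL: issue NAME.pem, signed by SIGNER.pem/SIGNER.key.
# CA extensions are omitted: building a request only hashes the issuer's
# name and key, it does not validate the chain.
make_cert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
        -set_serial "$4" -days 1 -out "$1.pem" 2>/dev/null
}
make_cert issuer "Example Intermediate" ca 4097   # intermediate
make_cert c1 "Example End Entity" issuer 4098     # end certificate

# count_ids ARGS...: number of certificate IDs in the request built from ARGS.
count_ids() {
    openssl ocsp "$@" -req_text -reqout req.der | grep -c "Certificate ID:"
}

# One -issuer/-cert pair: a single status request for c1.pem.
single=$(count_ids -issuer issuer.pem -cert c1.pem)

# Two pairs: each -cert is hashed against the -issuer that precedes it, so
# c1.pem is paired with issuer.pem and issuer.pem is paired with ca.pem.
chain=$(count_ids -issuer issuer.pem -cert c1.pem -issuer ca.pem -cert issuer.pem)

echo "single pair: $single certificate ID(s); two pairs: $chain certificate ID(s)"

# Show which issuer name hash ended up next to which serial number.
openssl ocsp -issuer issuer.pem -cert c1.pem -issuer ca.pem -cert issuer.pem \
    -req_text | grep -E "Issuer Name Hash|Serial Number"
```

The root in ca.pem is not part of a single-certificate request; with -CAfile it serves only as the trust anchor when the responder's signed reply is verified.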
