Okay. As near as I can tell (since the documentation is very spotty, and I'm trying to work with the -help output):
On the system that you're running the OCSP responder on, you need to run the following:

openssl ocsp -port 443 -CA cacert.pem -index indexfile -rsigner signercert.pem -rkey signerkey.pem

indexfile is the file that contains the list of certificates, by serial number, that are revoked. The rsigner certificate MUST be granted OCSP responder permission by certificate extension.

Now, as far as a client?

openssl ocsp -url http://ocsp.responder.com/ -CApath local/directory/name -resp_text -req_text [-serial serialnum] [-cert certificate.pem]

I put the last two in brackets because you need to have at least one of them. I don't know if OpenSSL is intelligent enough to read the OCSP validation URL from the certificate or not; if it is, and you have the certificate you want to check, then don't put the -url in. You do still need to have a trusted CA (either as a file or a directory) to be able to verify the return.

... and if I'm horribly, horribly wrong, it's partly because I'm looking at the 0.9.9 code, and partly because it's completely undocumented.

Anyone have any additional help to offer?

-Kyle H

On 2/8/06, baliw_na_sa_ssl (sent by Nabble.com) <[EMAIL PROTECTED]> wrote:
> Does anyone know how the ocsp functions in 0.9.7b of openssl work?
> Or even the steps in OCSP send request and response.
>
> Ur help is needed asap...thanks :-)

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List
Automated List Manager
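The full round trip Kyle sketches, as an added example (not code from the thread or from the OpenSSL project): it builds a throw-away CA, a delegated signer carrying the OCSPSigning extension, one good and one revoked leaf certificate, starts the responder on a local port and queries it with the client. The port, file names and subject names are assumptions; the client passes -url explicitly (the ocsp tool does not read it from the certificate) and -issuer, which is required next to -cert.

```shell
#!/bin/sh
# Responder/client round trip with the openssl CLI. Everything is generated in a temp dir;
# the port, subject names and file names are assumptions (not values from the thread).
set -eu
WORK=$(mktemp -d); cd "$WORK"; PORT=8888; touch indexfile; echo 01 > serial
trap 'kill "${RESP:-}" 2>/dev/null || true; rm -rf "$WORK"' EXIT
# indexfile is the revocation database the responder serves; ocsp_ext is the OCSPSigning
# extension the delegated signer cert must carry, ca_ext marks the throw-away root as a CA.
cat > ca.cnf <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = myca
[myca]
database = $WORK/indexfile
serial = $WORK/serial
new_certs_dir = $WORK
certificate = $WORK/cacert.pem
private_key = $WORK/ca.key
default_md = sha256
policy = pol
[pol]
commonName = supplied
[ocsp_ext]
extendedKeyUsage = OCSPSigning
[leaf_ext]
basicConstraints = CA:FALSE
EOF
openssl req -x509 -config ca.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
  -keyout ca.key -out cacert.pem -subj "/CN=Example Test CA" -days 1 2>/dev/null
issue() {  # issue <name> <ext-section>: fresh key + CSR, then a CA-signed cert
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout "$1.key" \
    -out "$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl ca -batch -config ca.cnf -extensions "$2" -notext -days 1 -in "$1.csr" \
    -out "$1.pem" >/dev/null 2>&1
}
issue signer ocsp_ext; issue alice leaf_ext; issue mallory leaf_ext
openssl ca -config ca.cnf -revoke mallory.pem >/dev/null 2>&1  # now marked "R" in indexfile
# Client side: -issuer is required alongside -cert; -CAfile is the trust anchor used to
# verify the response signature. Prints the status word: good / revoked / unknown.
ocsp_status() {
  openssl ocsp -url "http://127.0.0.1:$PORT" -CAfile cacert.pem -issuer cacert.pem \
    -cert "$1" 2>/dev/null | awk -v f="$1" -F': ' '$1 == f { print $2 }'
}
# Responder side, in the shape the post gives: -port -index -CA -rsigner -rkey.
openssl ocsp -port "$PORT" -index indexfile -CA cacert.pem \
  -rsigner signer.pem -rkey signer.key >/dev/null 2>&1 & RESP=$!
for _ in 1 2 3 4 5; do [ -n "$(ocsp_status alice.pem)" ] && break; sleep 1; done
ocsp_status alice.pem; ocsp_status mallory.pem  # prints good, then revoked
```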
