[B<-nonce>]
[B<-no_nonce>]
[B<-url URL>]
-[B<-host host:n>]
+[B<-host host:port>]
+[B<-header>]
[B<-path>]
[B<-CApath dir>]
[B<-CAfile file>]
+[B<-no-CAfile>]
+[B<-no-CApath>]
+[B<-attime timestamp>]
+[B<-check_ss_sig>]
+[B<-crl_check>]
+[B<-crl_check_all>]
+[B<-explicit_policy>]
+[B<-extended_crl>]
+[B<-ignore_critical>]
+[B<-inhibit_any>]
+[B<-inhibit_map>]
+[B<-issuer_checks>]
+[B<-partial_chain>]
+[B<-policy arg>]
+[B<-policy_check>]
+[B<-policy_print>]
+[B<-purpose purpose>]
+[B<-suiteB_128>]
+[B<-suiteB_128_only>]
+[B<-suiteB_192>]
+[B<-trusted_first>]
+[B<-no_alt_chains>]
+[B<-use_deltas>]
+[B<-verify_depth num>]
+[B<-verify_email email>]
+[B<-verify_hostname hostname>]
+[B<-verify_ip ip>]
+[B<-verify_name name>]
+[B<-x509_strict>]
[B<-VAfile file>]
[B<-validity_period n>]
[B<-status_age n>]
[B<-no_cert_verify>]
[B<-no_chain>]
[B<-no_cert_checks>]
+[B<-no_explicit>]
[B<-port num>]
[B<-index file>]
[B<-CA file>]
[B<-ndays n>]
[B<-resp_key_id>]
[B<-nrequest n>]
+[B<-md5|-sha1|...>]
=head1 DESCRIPTION
This specifies the current issuer certificate. This option can be used
multiple times. The certificate specified in B<filename> must be in
-PEM format.
+PEM format. This option B<MUST> come before any B<-cert> options.
=item B<-cert filename>
B<hostname> on port B<port>. B<path> specifies the HTTP path name to use
or "/" by default.
+=item B<-header name=value>
+
+Adds the header B<name> with the specified B<value> to the OCSP request
+that is sent to the responder.
+This may be repeated.
+
+=item B<-timeout seconds>
+
+connection timeout to the OCSP responder in seconds
+
=item B<-CAfile file>, B<-CApath pathname>
file or pathname containing trusted CA certificates. These are used to verify
the signature on the OCSP response.
+=item B<-no-CAfile>
+
+Do not load the trusted CA certificates from the default file location
+
+=item B<-no-CApath>
+
+Do not load the trusted CA certificates from the default directory location
+
+=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
+B<explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
+B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>,
+B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
+B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>,
+B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
+B<-verify_ip>, B<-verify_name>, B<-x509_strict>
+
+Set different certificate verification options.
+See L<B<verify>|verify(1)> manual page for details.
+
=item B<-verify_other file>
file containing additional certificates to search when attempting to locate
=item B<-trust_other>
-the certificates specified by the B<-verify_certs> option should be explicitly
+the certificates specified by the B<-verify_other> option should be explicitly
trusted and no additional checks will be performed on them. This is useful
when the complete responder certificate chain is not available or trusting a
root CA is not appropriate.
=item B<-VAfile file>
file containing explicitly trusted responder certificates. Equivalent to the
-B<-verify_certs> and B<-trust_other> options.
+B<-verify_other> and B<-trust_other> options.
=item B<-noverify>
ignore certificates contained in the OCSP response when searching for the
signers certificate. With this option the signers certificate must be specified
-with either the B<-verify_certs> or B<-VAfile> options.
+with either the B<-verify_other> or B<-VAfile> options.
=item B<-no_signature_verify>
do not use certificates in the response as additional untrusted CA
certificates.
+=item B<-no_explicit>
+
+do not explicitly trust the root CA if it is set to be trusted for OCSP signing.
+
=item B<-no_cert_checks>
don't perform any additional checks on the OCSP response signers certificate.
is checked to see it is not older than B<age> seconds old. By default this additional
check is not performed.
+=item B<-[digest]>
+
+this option sets digest algorithm to use for certificate identification
+in the OCSP request.
+Any digest supported by the OpenSSL B<dgst> command can be used.
+The default is SHA-1.
+
=back
=head1 OCSP SERVER OPTIONS
extended key usage is present in the OCSP responder certificate then the
OCSP verify succeeds.
-Otherwise the root CA of the OCSP responders CA is checked to see if it
-is trusted for OCSP signing. If it is the OCSP verify succeeds.
+Otherwise, if B<-no_explicit> is B<not> set the root CA of the OCSP responders
+CA is checked to see if it is trusted for OCSP signing. If it is the OCSP
+verify succeeds.
If none of these checks is successful then the OCSP verify fails.
openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem
-reqin req.der -respout resp.der
+
+=head1 HISTORY
+
+The -no_alt_chains options was first added to OpenSSL 1.1.0.
+
+=cut
projects / openssl.git / blobdiff