[B<-ignore_critical>]
[B<-inhibit_any>]
[B<-inhibit_map>]
+[B<-no_check_time>]
[B<-partial_chain>]
[B<-policy arg>]
[B<-policy_check>]
[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-use_deltas>]
+[B<-auth_level num>]
[B<-verify_depth num>]
[B<-verify_email email>]
[B<-verify_hostname hostname>]
to print out requests and responses, create requests and send queries
to an OCSP responder and behave like a mini OCSP server itself.
-=head1 OCSP CLIENT OPTIONS
+=head1 COMMAND OPTIONS
+
+This command operates as either a client or a server.
+The options are described below, divided into those two modes.
+
+=head2 OCSP Client Options
=over 4
=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
-B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>,
+B<-inhibit_map>, B<-no_alt_chains>, B<-no_check_time>, B<-partial_chain>, B<-policy>,
B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
-B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
-B<-verify_name>, B<-x509_strict>
+B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
+B<-verify_ip>, B<-verify_name>, B<-x509_strict>
Set different certificate verification options.
-See L<B<verify>|verify(1)> manual page for details.
+See L<verify(1)> manual page for details.
=item B<-verify_other file>
=item B<-validity_period nsec>, B<-status_age age>
these options specify the range of times, in seconds, which will be tolerated
-in an OCSP response. Each certificate status response includes a B<notBefore> time and
-an optional B<notAfter> time. The current time should fall between these two values, but
-the interval between the two times may be only a few seconds. In practice the OCSP
-responder and clients clocks may not be precisely synchronised and so such a check
-may fail. To avoid this the B<-validity_period> option can be used to specify an
-acceptable error range in seconds, the default value is 5 minutes.
-
-If the B<notAfter> time is omitted from a response then this means that new status
-information is immediately available. In this case the age of the B<notBefore> field
-is checked to see it is not older than B<age> seconds old. By default this additional
-check is not performed.
+in an OCSP response. Each certificate status response includes a B<notBefore>
+time and an optional B<notAfter> time. The current time should fall between
+these two values, but the interval between the two times may be only a few
+seconds. In practice the OCSP responder and clients clocks may not be precisely
+synchronised and so such a check may fail. To avoid this the
+B<-validity_period> option can be used to specify an acceptable error range in
+seconds, the default value is 5 minutes.
+
+If the B<notAfter> time is omitted from a response then this means that new
+status information is immediately available. In this case the age of the
+B<notBefore> field is checked to see it is not older than B<age> seconds old.
+By default this additional check is not performed.
=item B<-[digest]>
-this option sets digest algorithm to use for certificate identification
-in the OCSP request.
-Any digest supported by the OpenSSL B<dgst> command can be used.
-The default is SHA-1.
+this option sets digest algorithm to use for certificate identification in the
+OCSP request. Any digest supported by the OpenSSL B<dgst> command can be used.
+The default is SHA-1. This option may be used multiple times to specify the
+digest used by subsequent certificate identifiers.
=back
-=head1 OCSP SERVER OPTIONS
+=head2 OCSP Server Options
=over 4
=item B<-nrequest number>
-The OCSP server will exit after receiving B<number> requests, default unlimited.
+The OCSP server will exit after receiving B<number> requests, default unlimited.
=item B<-nmin minutes>, B<-ndays days>
Number of minutes or days when fresh revocation information is available: used in the
-B<nextUpdate> field. If neither option is present then the B<nextUpdate> field is
-omitted meaning fresh revocation information is immediately available.
+B<nextUpdate> field. If neither option is present then the B<nextUpdate> field
+is omitted meaning fresh revocation information is immediately available.
=back
openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der
-Send a query to an OCSP responder with URL http://ocsp.myhost.com/ save the
+Send a query to an OCSP responder with URL http://ocsp.myhost.com/ save the
response to a file, print it out in text form, and verify the response:
openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \
responder certificate. All requests and responses are printed to a file.
openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem
- -text -out log.txt
+ -text -out log.txt
As above but exit after processing one request:
The -no_alt_chains options was first added to OpenSSL 1.1.0.
+=head1 COPYRIGHT
+
+Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
=cut