=head1 SYNOPSIS
+=head2 OCSP Client
+
B<openssl> B<ocsp>
[B<-help>]
[B<-out> I<file>]
[B<-signer> I<file>]
[B<-signkey> I<file>]
[B<-sign_other> I<file>]
-[B<-no_certs>]
+[B<-nonce>]
+[B<-no_nonce>]
[B<-req_text>]
[B<-resp_text>]
[B<-text>]
+[B<-no_certs>]
[B<-reqout> I<file>]
[B<-respout> I<file>]
[B<-reqin> I<file>]
[B<-respin> I<file>]
-[B<-nonce>]
-[B<-no_nonce>]
[B<-url> I<URL>]
[B<-host> I<host>:I<port>]
-[B<-multi> I<process-count>]
[B<-header>]
[B<-timeout> I<seconds>]
[B<-path>]
[B<-no_explicit>]
[B<-port> I<num>]
[B<-ignore_err>]
+
+=head2 OCSP Server
+
+B<openssl> B<ocsp>
[B<-index> I<file>]
[B<-CA> I<file>]
[B<-rsigner> I<file>]
[B<-ndays> I<n>]
[B<-resp_key_id>]
[B<-nrequest> I<n>]
+[B<-multi> I<process-count>]
[B<-rcid> I<digest>]
[B<-I<digest>>]
{- $OpenSSL::safe::opt_trust_synopsis -}
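Review bot: [B<-port> I<num>] and [B<-timeout> I<seconds>] are left under the new "OCSP Client" heading, but the option text describes B<-port> as the "Port to listen for OCSP requests on" and the B<-multi> text recommends B<-timeout> when running as a responder. Suggest moving B<-port> under "OCSP Server" and listing B<-timeout> in both synopses (or stating that it applies to both modes), so that someone configuring a responder from the server synopsis does not miss the option that bounds how long a child waits on a slow client. The synopsis also writes B<-port> I<num> while the =item line uses I<portnum>; use one placeholder name in both places.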
This time is measured from the time the responder accepts the connection until
the complete request is received.
-=item B<-multi> I<process-count>
-
-Run the specified number of OCSP responder child processes, with the parent
-process respawning child processes as needed.
-Child processes will detect changes in the CA index file and automatically
-reload it.
-When running as a responder B<-timeout> option is recommended to limit the time
-each child is willing to wait for the client's OCSP response.
-This option is available on POSIX systems (that support the fork() and other
-required unix system-calls).
-
=item B<-verify_other> I<file>
File containing additional certificates to search when attempting to locate
The certificate to sign OCSP responses with.
-=item B<-rother> I<file>
-
-Additional certificates to include in the OCSP response.
-
-=item B<-resp_no_certs>
-
-Don't include any certificates in the OCSP response.
-
-=item B<-resp_key_id>
-
-Identify the signer certificate using the key ID, default is to use the
-subject name.
-
=item B<-rkey> I<file>
The private key to sign OCSP responses with: if not present the file
The private key password source. For more information about the format of I<arg>
see L<openssl(1)/Pass Phrase Options>.
+=item B<-rother> I<file>
+
+Additional certificates to include in the OCSP response.
+
=item B<-rsigopt> I<nm>:I<v>
Pass options to the signature algorithm when signing OCSP responses.
Corrupt the response signature before writing it; this can be useful
for testing.
+=item B<-resp_no_certs>
+
+Don't include any certificates in the OCSP response.
+
+=item B<-resp_key_id>
+
+Identify the signer certificate using the key ID, default is to use the
+subject name.
+
=item B<-port> I<portnum>
Port to listen for OCSP requests on. The port may also be specified
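Review bot: The B<-resp_no_certs> entry added after the B<-badsig> text does not say how a client is expected to verify a response that carries no certificates. Since the entry is being moved anyway, add a sentence that the verifying side must then obtain the responder certificate by other means, with a pointer to B<-verify_other>. In the B<-resp_key_id> entry, "using the key ID, default is to use the subject name" is a comma splice; "using the key ID; the default is to use the subject name" reads better.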
The OCSP server will exit after receiving I<number> requests, default unlimited.
+=item B<-multi> I<process-count>
+
+Run the specified number of OCSP responder child processes, with the parent
+process respawning child processes as needed.
+Child processes will detect changes in the CA index file and automatically
+reload it.
+When running as a responder B<-timeout> option is recommended to limit the time
+each child is willing to wait for the client's OCSP response.
+This option is available on POSIX systems (that support the fork() and other
+required unix system-calls).
+
+
=item B<-nmin> I<minutes>, B<-ndays> I<days>
Number of minutes or days when fresh revocation information is available:
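Review bot: The relocated B<-multi> text says each child waits "for the client's OCSP response", but a responder waits for the client's OCSP request, as the B<-timeout> description states ("until the complete request is received"). The text is carried over verbatim from the removed block, so this move is a good opportunity to correct it to "request" and to write "the B<-timeout> option is recommended". The hunk also adds two consecutive blank lines before "=item B<-nmin>"; one is enough.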