From 49119647639b0b3ecd4db3d99b653653b41d1d20 Mon Sep 17 00:00:00 2001 From: "Dr. Matthias St. Pierre" Date: Thu, 6 Feb 2020 15:24:07 +0100 Subject: [PATCH] man: openssl-ocsp: separate client and server options Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/11033) --- doc/man1/openssl-ocsp.pod.in | 63 ++++++++++++++++++++---------------- 1 file changed, 35 insertions(+), 28 deletions(-) diff --git a/doc/man1/openssl-ocsp.pod.in b/doc/man1/openssl-ocsp.pod.in index c04d3659b9..6b4c25cda9 100644 --- a/doc/man1/openssl-ocsp.pod.in +++ b/doc/man1/openssl-ocsp.pod.in @@ -7,6 +7,8 @@ openssl-ocsp - Online Certificate Status Protocol utility =head1 SYNOPSIS +=head2 OCSP Client + B B [B<-help>] [B<-out> I] @@ -16,19 +18,18 @@ B B [B<-signer> I] [B<-signkey> I] [B<-sign_other> I] -[B<-no_certs>] +[B<-nonce>] +[B<-no_nonce>] [B<-req_text>] [B<-resp_text>] [B<-text>] +[B<-no_certs>] [B<-reqout> I] [B<-respout> I] [B<-reqin> I] [B<-respin> I] -[B<-nonce>] -[B<-no_nonce>] [B<-url> I] [B<-host> I:I] -[B<-multi> I] [B<-header>] [B<-timeout> I] [B<-path>] @@ -46,6 +47,10 @@ B B [B<-no_explicit>] [B<-port> I] [B<-ignore_err>] + +=head2 OCSP Server + +B B [B<-index> I] [B<-CA> I] [B<-rsigner> I] @@ -60,6 +65,7 @@ B B [B<-ndays> I] [B<-resp_key_id>] [B<-nrequest> I] +[B<-multi> I] [B<-rcid> I] [B<-I>] {- $OpenSSL::safe::opt_trust_synopsis -} @@ -171,17 +177,6 @@ the time that the responder is willing to wait for the client request. This time is measured from the time the responder accepts the connection until the complete request is received. -=item B<-multi> I - -Run the specified number of OCSP responder child processes, with the parent -process respawning child processes as needed. -Child processes will detect changes in the CA index file and automatically -reload it. -When running as a responder B<-timeout> option is recommended to limit the time -each child is willing to wait for the client's OCSP response. -This option is available on POSIX systems (that support the fork() and other -required unix system-calls). - =item B<-verify_other> I File containing additional certificates to search when attempting to locate @@ -303,19 +298,6 @@ file given with B<-index>. The certificate to sign OCSP responses with. -=item B<-rother> I - -Additional certificates to include in the OCSP response. - -=item B<-resp_no_certs> - -Don't include any certificates in the OCSP response. - -=item B<-resp_key_id> - -Identify the signer certificate using the key ID, default is to use the -subject name. - =item B<-rkey> I The private key to sign OCSP responses with: if not present the file @@ -326,6 +308,10 @@ specified in the B<-rsigner> option is used. The private key password source. For more information about the format of I see L. +=item B<-rother> I + +Additional certificates to include in the OCSP response. + =item B<-rsigopt> I:I Pass options to the signature algorithm when signing OCSP responses. @@ -340,6 +326,15 @@ The digest to use when signing the response. Corrupt the response signature before writing it; this can be useful for testing. +=item B<-resp_no_certs> + +Don't include any certificates in the OCSP response. + +=item B<-resp_key_id> + +Identify the signer certificate using the key ID, default is to use the +subject name. + =item B<-port> I Port to listen for OCSP requests on. The port may also be specified @@ -355,6 +350,18 @@ running instead of terminating upon receiving a malformed request. The OCSP server will exit after receiving I requests, default unlimited. +=item B<-multi> I + +Run the specified number of OCSP responder child processes, with the parent +process respawning child processes as needed. +Child processes will detect changes in the CA index file and automatically +reload it. +When running as a responder B<-timeout> option is recommended to limit the time +each child is willing to wait for the client's OCSP response. +This option is available on POSIX systems (that support the fork() and other +required unix system-calls). + + =item B<-nmin> I, B<-ndays> I Number of minutes or days when fresh revocation information is available: -- 2.34.1