1ocsptool(1)                      User Commands                     ocsptool(1)
2
3
4

NAME

6       ocsptool - GnuTLS OCSP tool
7

SYNOPSIS

9       ocsptool [-flags] [-flag [value]] [--option-name[[=| ]value]]
10
11       All arguments must be options.
12

DESCRIPTION

14       On verification
15       Responses  are  typically  signed/issued  by designated certificates or
16       certificate authorities and thus this tool requires on verification the
17       certificate of the issuer or the full certificate chain in order to de‐
18       termine the appropriate signing authority. The specified certificate of
19       the issuer is assumed trusted.
20
21
22

OPTIONS

24       -d num, --debug=num
25              Enable  debugging.   This  option takes an integer number as its
26              argument.  The value of num is constrained to being:
27                  in the range 0 through 9999
28
29              Specifies the debug level.
30
31       -V, --verbose
32              More verbose output.
33
34
35       --infile=file
36              Input file.
37
38
39       --outfile=str
40              Output file.
41
42
43       --ask=server name|url
44              Ask an OCSP/HTTP server on a certificate validity.
45
46              Connects to the specified HTTP OCSP server and queries on the
47              validity of the loaded certificate.  Its argument can be a URL
48              or a plain server name. It can be combined with --load-chain,
49              where it checks all certificates in the provided chain, or with
50              --load-cert and --load-issuer options. The latter checks the
51              provided certificate against its specified issuer certificate.
52
53       -e, --verify-response
54              Verify response.
55
56              Verifies the provided OCSP response against the system trust an‐
57              chors (unless --load-trust is provided). It requires the
58              --load-signer or --load-chain options to obtain the signer of
59              the OCSP response.
60
61       -i, --request-info
62              Print information on a OCSP request.
63
64              Display detailed information on the provided OCSP request.
65
66       -j, --response-info
67              Print information on a OCSP response.
68
69              Display detailed information on the provided OCSP response.
70
71       -q, --generate-request
72              Generates an OCSP request.
73
74
75       --nonce, --no-nonce
76              Use (or not) a nonce to OCSP request.  The no-nonce form will
77              disable the option.
78
79
80       --load-chain=file
81              Reads a set of certificates forming a chain from file.
82
83
84       --load-issuer=file
85              Reads issuer's certificate from file.
86
87
88       --load-cert=file
89              Reads the certificate to check from file.
90
91
92       --load-trust=file
93              Read OCSP trust anchors from file.  This option must not appear
94              in combination with any of the following options: load-signer.
95
96              When verifying an OCSP response read the trust anchors from the
97              provided file. When this is not provided, the system's trust an‐
98              chors will be used.
99
100       --load-signer=file
101              Reads the OCSP response signer from file.  This option must not
102              appear in combination with any of the following options: load-
103              trust.
104
105
106       --inder, --no-inder
107              Use DER format for input certificates and private keys.  The
108              no-inder form will disable the option.
109
110
111       --outder
112              Use DER format for output of responses (this is the default).
113
114              The output will be in DER encoded format. Unlike other GnuTLS
115              tools, this is the default for this tool
116
117       --outpem
118              Use PEM format for output of responses.
119
120              The output will be in PEM format.
121
122       -Q file, --load-request=file
123              Reads the DER encoded OCSP request from file.
124
125
126       -S file, --load-response=file
127              Reads the DER encoded OCSP response from file.
128
129
130       --ignore-errors
131              Ignore any verification errors.
132
133
134       --verify-allow-broken
135              Allow broken algorithms, such as MD5 for verification.
136
137              This can be combined with --verify-response.
138
139       -v arg, --version=arg
140              Output version of program and exit.  The default mode is `v', a
141              simple version.  The `c' mode will print copyright information
142              and `n' will print the full copyright notice.
143
144       -h, --help
145              Display usage information and exit.
146
147       -!, --more-help
148              Pass the extended usage information through a pager.
149
150
151

EXAMPLES

153       Print information about an OCSP request
154
155       To parse an OCSP request and print information about the content, the
156       -i or --request-info parameter may be used as follows.  The -Q parame‐
157       ter specify the name of the file containing the OCSP request, and it
158       should contain the OCSP request in binary DER format.
159
160           $ ocsptool -i -Q ocsp-request.der
161
162       The input file may also be sent to standard input like this:
163
164           $ cat ocsp-request.der | ocsptool --request-info
165
166       Print information about an OCSP response
167
168       Similar to parsing OCSP requests, OCSP responses can be parsed using
169       the -j or --response-info as follows.
170
171           $ ocsptool -j -Q ocsp-response.der
172           $ cat ocsp-response.der | ocsptool --response-info
173
174       Generate an OCSP request
175
176       The -q or --generate-request parameters are used to generate an OCSP
177       request.  By default the OCSP request is written to standard output in
178       binary DER format, but can be stored in a file using --outfile.  To
179       generate an OCSP request the issuer of the certificate to check needs
180       to be specified with --load-issuer and the certificate to check with
181       --load-cert.  By default PEM format is used for these files, although
182       --inder can be used to specify that the input files are in DER format.
183
184           $ ocsptool -q --load-issuer issuer.pem --load-cert client.pem            --outfile ocsp-request.der
185
186       When generating OCSP requests, the tool will add an OCSP extension con‐
187       taining a nonce.  This behaviour can be disabled by specifying
188       --no-nonce.
189
190       Verify signature in OCSP response
191
192       To verify the signature in an OCSP response the -e or --verify-response
193       parameter is used.  The tool will read an OCSP response in DER format
194       from standard input, or from the file specified by --load-response.
195       The OCSP response is verified against a set of trust anchors, which are
196       specified using --load-trust.  The trust anchors are concatenated cer‐
197       tificates in PEM format.  The certificate that signed the OCSP response
198       needs to be in the set of trust anchors, or the issuer of the signer
199       certificate needs to be in the set of trust anchors and the OCSP Ex‐
200       tended Key Usage bit has to be asserted in the signer certificate.
201
202           $ ocsptool -e --load-trust issuer.pem            --load-response ocsp-response.der
203
204       The tool will print status of verification.
205
206       Verify signature in OCSP response against given certificate
207
208       It is possible to override the normal trust logic if you know that a
209       certain certificate is supposed to have signed the OCSP response, and
210       you want to use it to check the signature.  This is achieved using
211       --load-signer instead of --load-trust.  This will load one certificate
212       and it will be used to verify the signature in the OCSP response.  It
213       will not check the Extended Key Usage bit.
214
215           $ ocsptool -e --load-signer ocsp-signer.pem            --load-response ocsp-response.der
216
217       This approach is normally only relevant in two situations.  The first
218       is when the OCSP response does not contain a copy of the signer cer‐
219       tificate, so the --load-trust code would fail.  The second is if you
220       want to avoid the indirect mode where the OCSP response signer certifi‐
221       cate is signed by a trust anchor.
222
223       Real-world example
224
225       Here is an example of how to generate an OCSP request for a certificate
226       and to verify the response.  For illustration we'll use the blog.josef‐
227       sson.org host, which (as of writing) uses a certificate from CACert.
228       First we'll use gnutls-cli to get a copy of the server certificate
229       chain.  The server is not required to send this information, but this
230       particular one is configured to do so.
231
232           $ echo | gnutls-cli -p 443 blog.josefsson.org --save-cert chain.pem
233
234       The saved certificates normally contain a pointer to where the OCSP re‐
235       sponder is located, in the Authority Information Access Information ex‐
236       tension.  For example, from certtool -i < chain.pem there is this in‐
237       formation:
238
239                     Authority Information Access Information (not critical):
240                          Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
241                          Access Location URI: https://ocsp.CAcert.org/
242
243       This means that ocsptool can discover the servers to contact over HTTP.
244       We can now request information on the chain certificates.
245
246           $ ocsptool --ask --load-chain chain.pem
247
248       The request is sent via HTTP to the OCSP server address found in the
249       certificates. It is possible to override the address of the OCSP server
250       as well as ask information on a particular certificate using
251       --load-cert and --load-issuer.
252
253           $ ocsptool --ask https://ocsp.CAcert.org/ --load-chain chain.pem
254

EXIT STATUS

256       One of the following exit values will be returned:
257
258       0  (EXIT_SUCCESS)
259              Successful program execution.
260
261       1  (EXIT_FAILURE)
262              The operation failed or the command syntax was not valid.
263

SEE ALSO

265       certtool (1)
266

AUTHORS

269       Copyright (C) 2020-2021 Free Software Foundation, and others all rights
270       reserved.  This program is released under the terms of the GNU General
271       Public License, version 3 or later
272

BUGS

274       Please send bug reports to: bugs@gnutls.org
275
276
277
2783.7.6                             27 May 2022                      ocsptool(1)
Impressum