ocspcheck - check a certificate for validity against its OCSP responder

The ocspcheck utility validates a PEM format certificate against the OCSP responder encoded in the certificate specified by the file argument. Normally it should be used for checking server certificates and maintaining saved OCSP responses to be used for OCSP stapling.
The options are as follows:
- Specify a PEM format root certificate bundle to use for the validation of requests. By default no certificates are used beyond those in the certificate chain provided by the file argument.
- Specify an input filename from which a DER-encoded OCSP response will be read instead of fetching it from the OCSP server. A filename of ‘-’ will read the response from standard input.
- Do not use a nonce value in the OCSP request, or validate that the nonce was returned in the OCSP response. By default a nonce is always used and validated when retrieving a response from an OCSP server. The use of this flag is a security risk as it will allow OCSP responses to be replayed. It should not be used unless the OCSP server does not support the use of OCSP nonces.
- Specify an output filename where the DER-encoded response from the OCSP server will be written, if the OCSP response validates. A filename of ‘-’ will write the response to standard output. By default the response is not saved.
- Increase verbosity. This flag may be specified multiple times to get more verbose output. The default behaviour is to be silent unless something goes wrong.
The ocspcheck utility exits 0 if the OCSP response validates for the certificate in file and the output is successfully written out. ocspcheck exits >0 if an error occurs or the OCSP response fails to validate.
utility first appeared in
was written by
While ocspcheck could possibly be used in scripts to query responders for server certificates seen on client connections, this is almost always a bad idea. God kills a kitten every time you make an OCSP query from the client side of a TLS connection.
ocspcheck will create the output file if it does not exist. On failure a newly created output file will not be removed.
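A staple-refresh wrapper around ocspcheck, added here as an example and not part of the manual: because ocspcheck creates its output file and leaves it behind on failure, the wrapper writes to a temporary file and renames it into place only when ocspcheck exits 0, then re-checks the saved response offline. It assumes the -C CAfile, -o staplefile and -i staplefile options of ocspcheck(8) and a PEM server certificate at the path given on the command line.

```shell
#!/bin/sh
# Added example: refresh an OCSP staple with ocspcheck(8) safely.
# OCSPCHECK may be overridden to point at a different binary (or a test stub).
: "${OCSPCHECK:=ocspcheck}"

# refresh_staple CERT STAPLE [CAFILE]
# Fetch and validate the OCSP response for CERT, writing the DER response to
# STAPLE. ocspcheck creates its output file even when validation later fails
# and does not remove it, so write to a temporary file and rename only on
# success; the server never sees a partial or unvalidated staple.
refresh_staple() {
    cert=$1 staple=$2 cafile=$3
    tmp="$staple.tmp.$$"
    set -- -o "$tmp"                      # -o: write the validated DER here
    if [ -n "$cafile" ]; then
        set -- "$@" -C "$cafile"          # -C: extra roots for validation
    fi
    if "$OCSPCHECK" "$@" "$cert"; then
        mv -f "$tmp" "$staple"            # atomic replace of the live staple
        return 0
    else
        rc=$?
        rm -f "$tmp"                      # discard the leftover output file
        return "$rc"
    fi
}

# verify_saved_staple CERT STAPLE
# Re-check a previously saved response offline: -i makes ocspcheck read the
# DER response from STAPLE instead of querying the responder.
verify_saved_staple() {
    "$OCSPCHECK" -i "$2" "$1"
}

# Usage: sh refresh-staple.sh server.pem /etc/ssl/staple.der [ca-bundle.pem]
if [ $# -ge 2 ]; then
    refresh_staple "$@"
fi
```

Run it from cron or a deploy hook with the server's certificate and the staple path your TLS server reads; the exit status of ocspcheck is passed through unchanged.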