OCSPCHECK(8) | System Manager's Manual | OCSPCHECK(8) |
ocspcheck — check a certificate for validity against its OCSP responder

ocspcheck [-Nv] [-C CAfile] [-i staplefile] [-o staplefile] file

The ocspcheck utility validates a PEM format certificate against the OCSP responder encoded in the certificate specified by the file argument. Normally it should be used for checking server certificates and maintaining saved OCSP responses to be used for OCSP stapling.

The options are as follows:
-C CAfile
-i staplefile
-N
-o staplefile
-v

The ocspcheck utility exits 0 if the OCSP response validates for the certificate in file and all output is successfully written out. ocspcheck exits >0 if an error occurs or the OCSP response fails to validate.

nc(1), tls_config_set_ocsp_staple_file(3), tls_config_set_ocsp_staple_mem(3), httpd(8)

The ocspcheck utility first appeared in OpenBSD 6.1.

ocspcheck was written by Bob Beck.

While ocspcheck could possibly be used in scripts to query responders for server certificates seen on client connections, this is almost always a bad idea. God kills a kitten every time you make an OCSP query from the client side of a TLS connection.

ocspcheck will create the output file if it does not exist. On failure a newly created output file will not be removed.
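
The exit status and the output-file behaviour described above matter when refreshing a staple from a scheduled job. The following wrapper is an added example, not part of the manual or of OpenBSD: it writes the response to a temporary file and replaces the live staple only when ocspcheck exits 0. The `OCSPCHECK` variable is a hypothetical override for the command name, and all paths are supplied by the caller.

```shell
#!/bin/sh
# Added example: refresh an OCSP staple without ever leaving a partial or
# failed response where the TLS server will read it.
# OCSPCHECK is a hypothetical override; it defaults to the real utility.

# usage: refresh_staple certfile CAfile staplefile
refresh_staple() {
    cert=$1 cafile=$2 staple=$3

    # Temporary file in the same directory as the staple, so the final
    # mv is a rename on one filesystem and readers never see a half-written file.
    tmp=$(mktemp "${staple}.XXXXXXXX") || return 1

    # Only exit status 0 means "response validated and output written".
    # The -s test additionally rejects an empty output file.
    if "${OCSPCHECK:-ocspcheck}" -C "$cafile" -o "$tmp" "$cert" &&
        [ -s "$tmp" ]; then
        # mktemp creates the file 0600; an OCSP response is public data.
        chmod 644 "$tmp"
        mv -f "$tmp" "$staple"
        return 0
    fi

    # On failure ocspcheck does not remove the output file, so clean up
    # here and keep the previous staple in place.
    rm -f "$tmp"
    return 1
}
```

A caller would reload the TLS server only when `refresh_staple` returns 0, so a responder outage leaves the last good staple being served.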
November 29, 2017 | OpenBSD-current |