check a certificate for validity against its OCSP
utility validates a PEM format certificate
against the OCSP responder encoded in the certificate specified by the
argument. Normally it should be used for checking
server certificates and maintaining saved OCSP responses to be used for OCSP
The options are as follows:
- Specify a PEM format root certificate bundle to use for the validation of
requests. By default no certificates are used beyond those in the
certificate chain provided by the file
- Specify an input filename from which a DER-encoded OCSP response will be
read instead of fetching it from the OCSP server. A filename of
‘-’ will read the response from standard input.
- Do not use a nonce value in the OCSP request, or validate that the nonce
was returned in the OCSP response. By default a nonce is always used and
validated when retrieving a response from an OCSP server. The use of this
flag is a security risk as it will allow OCSP responses to be replayed. It
should not be used unless the OCSP server does not support the use of OCSP
- Specify an output filename where the DER encoded response from the OCSP
server will be written, if the OCSP response validates. A filename of
‘-’ will write the response to standard output. By default
the response is not saved.
- Increase verbosity. This flag may be specified multiple times to get more
verbose output. The default behaviour is to be silent unless something
utility exits 0 if the OCSP response
validates for the certificate in file
and all output is
successfully written out.
exits >0 if an
error occurs or the OCSP response fails to validate.
utility first appeared in
was written by Bob
could possibly be used in scripts to
query responders for server certificates seen on client connections, this is
almost always a bad idea. God kills a kitten every time you make an OCSP query
from the client side of a TLS connection.
will create the output file if it does not
exist. On failure a newly created output file will not be removed.