1 @node ocsptool Invocation
2 @subsection Invoking ocsptool
5 # -*- buffer-read-only: t -*- vi: set ro:
7 # DO NOT EDIT THIS FILE (invoke-ocsptool.texi)
9 # It has been AutoGen-ed June 26, 2014 at 08:12:14 PM by AutoGen 5.18.2
10 # From the definitions ../src/ocsptool-args.def
11 # and the template file agtexi-cmd.tpl
15 Ocsptool is a program that can parse and print information about
16 OCSP requests/responses, generate requests and verify responses.
19 This section was generated by @strong{AutoGen},
20 using the @code{agtexi-cmd} template and the option descriptions for the @code{ocsptool} program.
21 This software is released under the GNU General Public License, version 3 or later.
24 @anchor{ocsptool usage}
25 @subsubheading ocsptool help/usage (@option{--help})
28 This is the automatically generated usage text for ocsptool.
30 The text printed is the same whether selected with the @code{help} option
31 (@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print
32 the usage text by passing it through a pager program.
33 @code{more-help} is disabled on platforms without a working
34 @code{fork(2)} function. The @code{PAGER} environment variable is
35 used to select the program, defaulting to @file{more}. Both will exit
36 with a status code of 0.
40 ocsptool - GnuTLS OCSP tool
41 Usage: ocsptool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
43 -d, --debug=num Enable debugging
44 - it must be in the range:
46 -V, --verbose More verbose output
47 - may appear multiple times
48 --infile=file Input file
50 --outfile=str Output file
51 --ask[=arg] Ask an OCSP/HTTP server on a certificate validity
52 - requires these options:
55 -e, --verify-response Verify response
56 -i, --request-info Print information on a OCSP request
57 -j, --response-info Print information on a OCSP response
58 -q, --generate-request Generate an OCSP request
59 --nonce Use (or not) a nonce to OCSP request
60 - disabled as '--no-nonce'
61 --load-issuer=file Read issuer certificate from file
63 --load-cert=file Read certificate to check from file
65 --load-trust=file Read OCSP trust anchors from file
66 - prohibits the option 'load-signer'
68 --load-signer=file Read OCSP response signer from file
69 - prohibits the option 'load-trust'
71 --inder Use DER format for input certificates and private keys
72 - disabled as '--no-inder'
73 -Q, --load-request=file Read DER encoded OCSP request from file
75 -S, --load-response=file Read DER encoded OCSP response from file
77 -v, --version[=arg] output version information and exit
78 -h, --help display extended usage information and exit
79 -!, --more-help extended usage information passed thru pager
81 Options are specified by doubled hyphens and their name or by a single
82 hyphen and the flag character.
84 Ocsptool is a program that can parse and print information about OCSP
85 requests/responses, generate requests and verify responses.
90 @anchor{ocsptool debug}
91 @subsubheading debug option (-d)
93 This is the ``enable debugging'' option.
94 This option takes a number argument.
95 Specifies the debug level.
97 @subsubheading ask option
99 This is the ``ask an ocsp/http server on a certificate validity'' option.
100 This option takes an optional string argument @file{server name|url}.
103 This option has some usage constraints. It:
106 must appear in combination with the following options:
107 load-cert, load-issuer.
110 Connects to the specified HTTP OCSP server and queries on the validity of the loaded certificate.
111 @anchor{ocsptool exit status}
112 @subsubheading ocsptool exit status
114 One of the following exit values will be returned:
116 @item 0 (EXIT_SUCCESS)
117 Successful program execution.
118 @item 1 (EXIT_FAILURE)
119 The operation failed or the command syntax was not valid.
121 @anchor{ocsptool See Also}
122 @subsubheading ocsptool See Also
124 @anchor{ocsptool Examples}
125 @subsubheading ocsptool Examples
126 @subsubheading Print information about an OCSP request
128 To parse an OCSP request and print information about the content, the
129 @code{-i} or @code{--request-info} parameter may be used as follows.
130 The @code{-Q} parameter specify the name of the file containing the
131 OCSP request, and it should contain the OCSP request in binary DER
135 $ ocsptool -i -Q ocsp-request.der
138 The input file may also be sent to standard input like this:
141 $ cat ocsp-request.der | ocsptool --request-info
144 @subsubheading Print information about an OCSP response
146 Similar to parsing OCSP requests, OCSP responses can be parsed using
147 the @code{-j} or @code{--response-info} as follows.
150 $ ocsptool -j -Q ocsp-response.der
151 $ cat ocsp-response.der | ocsptool --response-info
154 @subsubheading Generate an OCSP request
156 The @code{-q} or @code{--generate-request} parameters are used to
157 generate an OCSP request. By default the OCSP request is written to
158 standard output in binary DER format, but can be stored in a file
159 using @code{--outfile}. To generate an OCSP request the issuer of the
160 certificate to check needs to be specified with @code{--load-issuer}
161 and the certificate to check with @code{--load-cert}. By default PEM
162 format is used for these files, although @code{--inder} can be used to
163 specify that the input files are in DER format.
166 $ ocsptool -q --load-issuer issuer.pem --load-cert client.pem \
167 --outfile ocsp-request.der
170 When generating OCSP requests, the tool will add an OCSP extension
171 containing a nonce. This behaviour can be disabled by specifying
174 @subsubheading Verify signature in OCSP response
176 To verify the signature in an OCSP response the @code{-e} or
177 @code{--verify-response} parameter is used. The tool will read an
178 OCSP response in DER format from standard input, or from the file
179 specified by @code{--load-response}. The OCSP response is verified
180 against a set of trust anchors, which are specified using
181 @code{--load-trust}. The trust anchors are concatenated certificates
182 in PEM format. The certificate that signed the OCSP response needs to
183 be in the set of trust anchors, or the issuer of the signer
184 certificate needs to be in the set of trust anchors and the OCSP
185 Extended Key Usage bit has to be asserted in the signer certificate.
188 $ ocsptool -e --load-trust issuer.pem \
189 --load-response ocsp-response.der
192 The tool will print status of verification.
194 @subsubheading Verify signature in OCSP response against given certificate
196 It is possible to override the normal trust logic if you know that a
197 certain certificate is supposed to have signed the OCSP response, and
198 you want to use it to check the signature. This is achieved using
199 @code{--load-signer} instead of @code{--load-trust}. This will load
200 one certificate and it will be used to verify the signature in the
201 OCSP response. It will not check the Extended Key Usage bit.
204 $ ocsptool -e --load-signer ocsp-signer.pem \
205 --load-response ocsp-response.der
208 This approach is normally only relevant in two situations. The first
209 is when the OCSP response does not contain a copy of the signer
210 certificate, so the @code{--load-trust} code would fail. The second
211 is if you want to avoid the indirect mode where the OCSP response
212 signer certificate is signed by a trust anchor.
214 @subsubheading Real-world example
216 Here is an example of how to generate an OCSP request for a
217 certificate and to verify the response. For illustration we'll use
218 the @code{blog.josefsson.org} host, which (as of writing) uses a
219 certificate from CACert. First we'll use @code{gnutls-cli} to get a
220 copy of the server certificate chain. The server is not required to
221 send this information, but this particular one is configured to do so.
224 $ echo | gnutls-cli -p 443 blog.josefsson.org --print-cert > chain.pem
227 Use a text editor on @code{chain.pem} to create three files for each
228 separate certificates, called @code{cert.pem} for the first
229 certificate for the domain itself, secondly @code{issuer.pem} for the
230 intermediate certificate and @code{root.pem} for the final root
233 The domain certificate normally contains a pointer to where the OCSP
234 responder is located, in the Authority Information Access Information
235 extension. For example, from @code{certtool -i < cert.pem} there is
239 Authority Information Access Information (not critical):
240 Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
241 Access Location URI: http://ocsp.CAcert.org/
244 This means the CA support OCSP queries over HTTP. We are now ready to
245 create a OCSP request for the certificate.
248 $ ocsptool --ask ocsp.CAcert.org --load-issuer issuer.pem \
249 --load-cert cert.pem --outfile ocsp-response.der
252 The request is sent via HTTP to the OCSP server address specified. If the
253 address is ommited ocsptool will use the address stored in the certificate.