LinuxCommandLibrary

ocsp.1s

Query OCSP responder for certificate revocation status

SYNOPSIS

openssl ocsp [options]

PARAMETERS

-url
    Specifies the URL of the OCSP responder to which the request should be sent.

-cert
    The path to the certificate file whose status is to be checked.

-issuer
    The path to the issuer certificate file of the certificate being checked.

-reqout
    Writes the raw OCSP request to the specified file.

-respout
    Writes the raw OCSP response to the specified file.

-text
    Displays the OCSP request and response in a human-readable text format.

-CAfile
    Specifies a file containing trusted CA certificates for verifying the OCSP responder's signature.

-CApath
    Specifies a directory containing trusted CA certificates.

-noverify
    Disables the verification of the OCSP response signature. Use with caution, mainly for testing.

-index
    (Responder mode) Specifies the certificate database index file (e.g., 'index.txt') used by the responder to determine certificate status.

-rsigner
    (Responder mode) The certificate used by the OCSP responder to sign its responses.

-rkey
    (Responder mode) The private key corresponding to the responder's signing certificate.

-port
    (Responder mode) Specifies the port number on which the OCSP responder will listen for incoming requests.

-header
    Adds an arbitrary HTTP header to the request sent to the OCSP responder.

-no_nonce
    Disables the inclusion of an OCSP nonce in the request. The nonce binds a response to the particular request that carried it, which helps prevent replay attacks, but not all responders support it, so it may have to be disabled to get a usable response from them.

DESCRIPTION

The ocsp command, part of the OpenSSL toolkit, implements a simple OCSP (Online Certificate Status Protocol) client and a basic test responder. As a client, it's used to query OCSP responders to determine the revocation status of X.509 certificates in real-time, providing an alternative to relying solely on Certificate Revocation Lists (CRLs). It sends an OCSP request for a specific certificate and parses the response, indicating whether the certificate is good, revoked, or unknown.

In its responder mode, ocsp can act as a lightweight, non-production OCSP server. This mode is primarily intended for testing, development, and debugging purposes, allowing users to simulate an OCSP responder and test their client implementations or certificate revocation processes. The command supports various options for specifying certificates, responders, output formats, and verification parameters, making it a versatile tool for certificate lifecycle management and security testing.

CAVEATS

The ocsp command's responder mode is designed for testing and development, not for production use. A full-fledged OCSP responder requires robust handling of high traffic, secure key management, and detailed logging, which are beyond the scope of this utility.

Proper certificate chain validation is crucial for accurate OCSP response verification; ensure that the -CAfile or -CApath options point to a complete set of trusted certificates.

Without proper network connectivity to the OCSP responder, the client mode will fail to retrieve status information. Firewalls or proxy settings might need configuration to allow OCSP traffic.

OCSP PROTOCOL OVERVIEW

OCSP allows a client to determine the revocation status of a certificate without requiring the client to download and parse potentially large CRLs. Instead, the client sends a specific query to an OCSP responder, which returns a signed response indicating if the certificate is 'good', 'revoked', or 'unknown'. This real-time lookup is especially beneficial for time-sensitive applications or when network bandwidth is limited.

CLIENT VS. RESPONDER MODES

The ocsp command operates in two primary modes: client and responder.

In client mode (default), it constructs and sends an OCSP request for one or more certificates to a specified OCSP responder URL. It then receives, parses, and verifies the responder's signed response, displaying the revocation status.

In responder mode, the command simulates an OCSP server. It listens on a specified port for incoming OCSP requests, looks up the status of the requested certificates in a local certificate database (e.g., an OpenSSL 'index.txt' file), signs the appropriate response, and sends it back to the client. This mode is invaluable for developing and testing OCSP-aware applications or for understanding OCSP protocol interactions.
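The following script is an added example, not part of this page and not code from the OpenSSL project. It runs the exchange described under DESCRIPTION and CLIENT VS. RESPONDER MODES entirely offline with three openssl ocsp invocations, one per role: the client builds a request (-issuer, -cert, -reqout, in place of sending it to a -url), the test responder answers it from an index.txt database (-index, -CA, -rsigner, -rkey, with -reqin/-respout in place of listening on a -port), and the client verifies the stored response (-respin, -CAfile). The CA, the delegated responder certificate, the leaf, the unrelated CA used as a wrong trust anchor, every file name, subject and index entry are constructed throwaway test data. -no_nonce is used on both client steps because a nonce is random per request and the stored response must match the request rebuilt for verification. The last case shows the CAVEATS point about -CAfile: with the wrong trust anchor the command exits non-zero and prints "Response Verify Failure", yet the status line still appears, so the status must only ever be read together with the verification result.

```shell
#!/bin/sh
# Added example (not from this page or the OpenSSL project): a complete OCSP
# exchange performed offline with three "openssl ocsp" invocations, one per role.
# Every certificate, key, subject name, file name and index entry below is
# constructed throwaway test data.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-contained OpenSSL config so nothing depends on the system openssl.cnf.
cat > test.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_ocsp]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = OCSPSigning
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
EOF

EC_KEY="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# Throwaway trust anchor, an unrelated CA (the wrong trust anchor for the negative
# check), a delegated responder certificate carrying the OCSPSigning EKU, and a leaf.
openssl req -x509 -config test.cnf -extensions v3_ca $EC_KEY \
    -keyout ca.key -out ca.crt -days 1 >/dev/null 2>&1
openssl req -x509 -config test.cnf -extensions v3_ca $EC_KEY \
    -keyout other.key -out other.crt -days 1 -subj '/CN=Unrelated CA' >/dev/null 2>&1
issue() {  # issue <name> <subject> <extension section>: certificate signed by ca.key
    openssl req -new -config test.cnf $EC_KEY -keyout "$1.key" -out "$1.csr" \
        -subj "$2" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out "$1.crt" -days 1 -extfile test.cnf -extensions "$3" >/dev/null 2>&1
}
issue responder '/CN=Test OCSP Responder' v3_ocsp
issue leaf '/CN=leaf.example.test' v3_leaf

# The responder database uses the "openssl ca" index.txt layout: six tab-separated
# fields (status, expiry, revocation date[,reason], serial, file, subject). The
# responder looks rows up by serial and reads the revocation date of R rows.
SERIAL=$(openssl x509 -in leaf.crt -noout -serial | cut -d= -f2)
write_index() {  # write_index V|R  (constructed dates; the expiry field is not used here)
    if [ "$1" = R ]; then
        printf 'R\t301231235959Z\t240101000000Z,keyCompromise\t%s\tunknown\t/CN=leaf.example.test\n' "$SERIAL"
    else
        printf 'V\t301231235959Z\t\t%s\tunknown\t/CN=leaf.example.test\n' "$SERIAL"
    fi > index.txt
}

# ocsp_status V|R <trust anchor file>  -> prints "<verify result>:<certificate status>"
ocsp_status() {
    write_index "$1"
    # 1. Client builds the request (-reqout). -no_nonce on both client steps: a nonce is
    #    random per request, and the stored response must match the request rebuilt in 3.
    openssl ocsp -issuer ca.crt -cert leaf.crt -no_nonce -reqout req.der >/dev/null 2>&1
    # 2. Responder answers from the index (-index/-CA) and signs with the delegated
    #    responder key (-rsigner/-rkey), reading the request from a file instead of -port.
    openssl ocsp -index index.txt -CA ca.crt -rsigner responder.crt -rkey responder.key \
        -reqin req.der -respout resp.der >/dev/null 2>&1
    # 3. Client verifies the stored response against the given trust anchor (-CAfile).
    #    The exit status reflects verification; the "leaf.crt: <status>" line is printed
    #    even on failure, so the status is only meaningful together with the verify result.
    if out=$(openssl ocsp -respin resp.der -issuer ca.crt -cert leaf.crt -no_nonce \
                 -CAfile "$2" 2>/dev/null); then verify=ok; else verify=fail; fi
    printf '%s:%s\n' "$verify" "$(printf '%s\n' "$out" | sed -n 's/^leaf\.crt: //p')"
}

printf 'valid cert, correct trust anchor:   %s\n' "$(ocsp_status V ca.crt)"     # ok:good
printf 'revoked cert, correct trust anchor: %s\n' "$(ocsp_status R ca.crt)"     # ok:revoked
printf 'valid cert, wrong trust anchor:     %s\n' "$(ocsp_status V other.crt)"  # fail:good
```

Adding -text to the second or third invocation dumps the request and response in the form the -text parameter above describes, including the nonce extension when one is present. The networked equivalent replaces step 2 with the responder listening on a -port and step 3 with the client sending to that -url, which is how the client verifies a live responder's signed answer.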

HISTORY

The Online Certificate Status Protocol (OCSP) was defined in RFC 2560 in 1999 as a real-time alternative to Certificate Revocation Lists (CRLs) for checking certificate revocation status. The ocsp command has been an integral part of the OpenSSL toolkit for many years, evolving alongside the OpenSSL library's continuous development. It provides a command-line interface to interact with OCSP, making it a widely used tool for cryptographic operations and security testing within the Linux ecosystem.

SEE ALSO

openssl(1), x509(1ssl), crl(1ssl), s_client(1ssl), req(1ssl)
