diff options
Diffstat (limited to 'secure/usr.bin/openssl/man/ocsp.1')
-rw-r--r-- | secure/usr.bin/openssl/man/ocsp.1 | 451 |
1 files changed, 451 insertions, 0 deletions
diff --git a/secure/usr.bin/openssl/man/ocsp.1 b/secure/usr.bin/openssl/man/ocsp.1 new file mode 100644 index 0000000..c312ec6 --- /dev/null +++ b/secure/usr.bin/openssl/man/ocsp.1 @@ -0,0 +1,451 @@ +.\" Automatically generated by Pod::Man version 1.15 +.\" Sun Jan 12 18:05:13 2003 +.\" +.\" Standard preamble: +.\" ====================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R + +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used +.\" to do unbreakable dashes and therefore won't be available. \*(C` and +.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.tr \(*W-|\(bv\*(Tr +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr +.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and +.\" index entries marked with X<> in POD. Of course, you'll have to process +.\" the output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it +.\" makes way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ====================================================================== +.\" +.IX Title "ocsp 3" +.TH ocsp 3 "0.9.7" "2003-01-12" "OpenSSL" +.UC +.SH "NAME" +ocsp \- Online Certificate Status Protocol utility +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBocsp\fR +[\fB\-out file\fR] +[\fB\-issuer file\fR] +[\fB\-cert file\fR] +[\fB\-serial n\fR] +[\fB\-req_text\fR] +[\fB\-resp_text\fR] +[\fB\-text\fR] +[\fB\-reqout file\fR] +[\fB\-respout file\fR] +[\fB\-reqin file\fR] +[\fB\-respin file\fR] +[\fB\-nonce\fR] +[\fB\-no_nonce\fR] +[\fB\-url responder_url\fR] +[\fB\-host host:n\fR] +[\fB\-path\fR] +[\fB\-CApath file\fR] +[\fB\-CAfile file\fR] +[\fB\-VAfile file\fR] +[\fB\-verify_certs file\fR] +[\fB\-noverify\fR] +[\fB\-trust_other\fR] +[\fB\-no_intern\fR] +[\fB\-no_sig_verify\fR] +[\fB\-no_cert_verify\fR] +[\fB\-no_chain\fR] +[\fB\-no_cert_checks\fR] +[\fB\-validity_period nsec\fR] +[\fB\-status_age nsec\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fB\s-1WARNING:\s0 this documentation is preliminary and subject to change.\fR +.PP +The Online Certificate Status Protocol (\s-1OCSP\s0) enables applications to +determine the (revocation) state of an identified certificate (\s-1RFC\s0 2560). +.PP +The \fBocsp\fR command performs many common \s-1OCSP\s0 tasks. It can be used +to print out requests and responses, create requests and send queries +to an \s-1OCSP\s0 responder and behave like a mini \s-1OCSP\s0 server itself. +.SH "OCSP CLIENT OPTIONS" +.IX Header "OCSP CLIENT OPTIONS" +.Ip "\fB\-out filename\fR" 4 +.IX Item "-out filename" +specify output filename, default is standard output. +.Ip "\fB\-issuer filename\fR" 4 +.IX Item "-issuer filename" +This specifies the current issuer certificate. This option can be used +multiple times. The certificate specified in \fBfilename\fR must be in +\&\s-1PEM\s0 format. +.Ip "\fB\-cert filename\fR" 4 +.IX Item "-cert filename" +Add the certificate \fBfilename\fR to the request. The issuer certificate +is taken from the previous \fBissuer\fR option, or an error occurs if no +issuer certificate is specified. +.Ip "\fB\-serial num\fR" 4 +.IX Item "-serial num" +Same as the \fBcert\fR option except the certificate with serial number +\&\fBnum\fR is added to the request. The serial number is interpreted as a +decimal integer unless preceded by \fB0x\fR. Negative integers can also +be specified by preceding the value by a \fB-\fR sign. +.Ip "\fB\-signer filename\fR, \fB\-signkey filename\fR" 4 +.IX Item "-signer filename, -signkey filename" +Sign the \s-1OCSP\s0 request using the certificate specified in the \fBsigner\fR +option and the private key specified by the \fBsignkey\fR option. If +the \fBsignkey\fR option is not present then the private key is read +from the same file as the certificate. If neither option is specified then +the \s-1OCSP\s0 request is not signed. +.Ip "\fB\-nonce\fR, \fB\-no_nonce\fR" 4 +.IX Item "-nonce, -no_nonce" +Add an \s-1OCSP\s0 nonce extension to a request or disable \s-1OCSP\s0 nonce addition. +Normally if an \s-1OCSP\s0 request is input using the \fBrespin\fR option no +nonce is added: using the \fBnonce\fR option will force addition of a nonce. +If an \s-1OCSP\s0 request is being created (using \fBcert\fR and \fBserial\fR options) +a nonce is automatically added specifying \fBno_nonce\fR overrides this. +.Ip "\fB\-req_text\fR, \fB\-resp_text\fR, \fB\-text\fR" 4 +.IX Item "-req_text, -resp_text, -text" +print out the text form of the \s-1OCSP\s0 request, response or both respectively. +.Ip "\fB\-reqout file\fR, \fB\-respout file\fR" 4 +.IX Item "-reqout file, -respout file" +write out the \s-1DER\s0 encoded certificate request or response to \fBfile\fR. +.Ip "\fB\-reqin file\fR, \fB\-respin file\fR" 4 +.IX Item "-reqin file, -respin file" +read \s-1OCSP\s0 request or response file from \fBfile\fR. These option are ignored +if \s-1OCSP\s0 request or response creation is implied by other options (for example +with \fBserial\fR, \fBcert\fR and \fBhost\fR options). +.Ip "\fB\-url responder_url\fR" 4 +.IX Item "-url responder_url" +specify the responder \s-1URL\s0. Both \s-1HTTP\s0 and \s-1HTTPS\s0 (\s-1SSL/TLS\s0) URLs can be specified. +.Ip "\fB\-host hostname:port\fR, \fB\-path pathname\fR" 4 +.IX Item "-host hostname:port, -path pathname" +if the \fBhost\fR option is present then the \s-1OCSP\s0 request is sent to the host +\&\fBhostname\fR on port \fBport\fR. \fBpath\fR specifies the \s-1HTTP\s0 path name to use +or \*(L"/\*(R" by default. +.Ip "\fB\-CAfile file\fR, \fB\-CApath pathname\fR" 4 +.IX Item "-CAfile file, -CApath pathname" +file or pathname containing trusted \s-1CA\s0 certificates. These are used to verify +the signature on the \s-1OCSP\s0 response. +.Ip "\fB\-verify_certs file\fR" 4 +.IX Item "-verify_certs file" +file containing additional certificates to search when attempting to locate +the \s-1OCSP\s0 response signing certificate. Some responders omit the actual signer's +certificate from the response: this option can be used to supply the necessary +certificate in such cases. +.Ip "\fB\-trust_other\fR" 4 +.IX Item "-trust_other" +the certificates specified by the \fB\-verify_certs\fR option should be explicitly +trusted and no additional checks will be performed on them. This is useful +when the complete responder certificate chain is not available or trusting a +root \s-1CA\s0 is not appropriate. +.Ip "\fB\-VAfile file\fR" 4 +.IX Item "-VAfile file" +file containing explicitly trusted responder certificates. Equivalent to the +\&\fB\-verify_certs\fR and \fB\-trust_other\fR options. +.Ip "\fB\-noverify\fR" 4 +.IX Item "-noverify" +don't attempt to verify the \s-1OCSP\s0 response signature or the nonce values. This +option will normally only be used for debugging since it disables all verification +of the responders certificate. +.Ip "\fB\-no_intern\fR" 4 +.IX Item "-no_intern" +ignore certificates contained in the \s-1OCSP\s0 response when searching for the +signers certificate. With this option the signers certificate must be specified +with either the \fB\-verify_certs\fR or \fB\-VAfile\fR options. +.Ip "\fB\-no_sig_verify\fR" 4 +.IX Item "-no_sig_verify" +don't check the signature on the \s-1OCSP\s0 response. Since this option tolerates invalid +signatures on \s-1OCSP\s0 responses it will normally only be used for testing purposes. +.Ip "\fB\-no_cert_verify\fR" 4 +.IX Item "-no_cert_verify" +don't verify the \s-1OCSP\s0 response signers certificate at all. Since this option allows +the \s-1OCSP\s0 response to be signed by any certificate it should only be used for +testing purposes. +.Ip "\fB\-no_chain\fR" 4 +.IX Item "-no_chain" +do not use certificates in the response as additional untrusted \s-1CA\s0 +certificates. +.Ip "\fB\-no_cert_checks\fR" 4 +.IX Item "-no_cert_checks" +don't perform any additional checks on the \s-1OCSP\s0 response signers certificate. +That is do not make any checks to see if the signers certificate is authorised +to provide the necessary status information: as a result this option should +only be used for testing purposes. +.Ip "\fB\-validity_period nsec\fR, \fB\-status_age age\fR" 4 +.IX Item "-validity_period nsec, -status_age age" +these options specify the range of times, in seconds, which will be tolerated +in an \s-1OCSP\s0 response. Each certificate status response includes a \fBnotBefore\fR time and +an optional \fBnotAfter\fR time. The current time should fall between these two values, but +the interval between the two times may be only a few seconds. In practice the \s-1OCSP\s0 +responder and clients clocks may not be precisely synchronised and so such a check +may fail. To avoid this the \fB\-validity_period\fR option can be used to specify an +acceptable error range in seconds, the default value is 5 minutes. +.Sp +If the \fBnotAfter\fR time is omitted from a response then this means that new status +information is immediately available. In this case the age of the \fBnotBefore\fR field +is checked to see it is not older than \fBage\fR seconds old. By default this additional +check is not performed. +.SH "OCSP SERVER OPTIONS" +.IX Header "OCSP SERVER OPTIONS" +.Ip "\fB\-index indexfile\fR" 4 +.IX Item "-index indexfile" +\&\fBindexfile\fR is a text index file in \fBca\fR format containing certificate revocation +information. +.Sp +If the \fBindex\fR option is specified the \fBocsp\fR utility is in responder mode, otherwise +it is in client mode. The \fIrequest\fR\|(s) the responder processes can be either specified on +the command line (using \fBissuer\fR and \fBserial\fR options), supplied in a file (using the +\&\fBrespin\fR option) or via external \s-1OCSP\s0 clients (if \fBport\fR or \fBurl\fR is specified). +.Sp +If the \fBindex\fR option is present then the \fB\s-1CA\s0\fR and \fBrsigner\fR options must also be +present. +.Ip "\fB\-CA file\fR" 4 +.IX Item "-CA file" +\&\s-1CA\s0 certificate corresponding to the revocation information in \fBindexfile\fR. +.Ip "\fB\-rsigner file\fR" 4 +.IX Item "-rsigner file" +The certificate to sign \s-1OCSP\s0 responses with. +.Ip "\fB\-rother file\fR" 4 +.IX Item "-rother file" +Additional certificates to include in the \s-1OCSP\s0 response. +.Ip "\fB\-resp_no_certs\fR" 4 +.IX Item "-resp_no_certs" +Don't include any certificates in the \s-1OCSP\s0 response. +.Ip "\fB\-resp_key_id\fR" 4 +.IX Item "-resp_key_id" +Identify the signer certificate using the key \s-1ID\s0, default is to use the subject name. +.Ip "\fB\-rkey file\fR" 4 +.IX Item "-rkey file" +The private key to sign \s-1OCSP\s0 responses with: if not present the file specified in the +\&\fBrsigner\fR option is used. +.Ip "\fB\-port portnum\fR" 4 +.IX Item "-port portnum" +Port to listen for \s-1OCSP\s0 requests on. The port may also be specified using the \fBurl\fR +option. +.Ip "\fB\-nrequest number\fR" 4 +.IX Item "-nrequest number" +The \s-1OCSP\s0 server will exit after receiving \fBnumber\fR requests, default unlimited. +.Ip "\fB\-nmin minutes\fR, \fB\-ndays days\fR" 4 +.IX Item "-nmin minutes, -ndays days" +Number of minutes or days when fresh revocation information is available: used in the +\&\fBnextUpdate\fR field. If neither option is present then the \fBnextUpdate\fR field is +omitted meaning fresh revocation information is immediately available. +.SH "OCSP Response verification." +.IX Header "OCSP Response verification." +\&\s-1OCSP\s0 Response follows the rules specified in \s-1RFC2560\s0. +.PP +Initially the \s-1OCSP\s0 responder certificate is located and the signature on +the \s-1OCSP\s0 request checked using the responder certificate's public key. +.PP +Then a normal certificate verify is performed on the \s-1OCSP\s0 responder certificate +building up a certificate chain in the process. The locations of the trusted +certificates used to build the chain can be specified by the \fBCAfile\fR +and \fBCApath\fR options or they will be looked for in the standard OpenSSL +certificates directory. +.PP +If the initial verify fails then the \s-1OCSP\s0 verify process halts with an +error. +.PP +Otherwise the issuing \s-1CA\s0 certificate in the request is compared to the \s-1OCSP\s0 +responder certificate: if there is a match then the \s-1OCSP\s0 verify succeeds. +.PP +Otherwise the \s-1OCSP\s0 responder certificate's \s-1CA\s0 is checked against the issuing +\&\s-1CA\s0 certificate in the request. If there is a match and the OCSPSigning +extended key usage is present in the \s-1OCSP\s0 responder certificate then the +\&\s-1OCSP\s0 verify succeeds. +.PP +Otherwise the root \s-1CA\s0 of the \s-1OCSP\s0 responders \s-1CA\s0 is checked to see if it +is trusted for \s-1OCSP\s0 signing. If it is the \s-1OCSP\s0 verify succeeds. +.PP +If none of these checks is successful then the \s-1OCSP\s0 verify fails. +.PP +What this effectively means if that if the \s-1OCSP\s0 responder certificate is +authorised directly by the \s-1CA\s0 it is issuing revocation information about +(and it is correctly configured) then verification will succeed. +.PP +If the \s-1OCSP\s0 responder is a \*(L"global responder\*(R" which can give details about +multiple CAs and has its own separate certificate chain then its root +\&\s-1CA\s0 can be trusted for \s-1OCSP\s0 signing. For example: +.PP +.Vb 1 +\& openssl x509 -in ocspCA.pem -addtrust OCSPSigning -out trustedCA.pem +.Ve +Alternatively the responder certificate itself can be explicitly trusted +with the \fB\-VAfile\fR option. +.SH "NOTES" +.IX Header "NOTES" +As noted, most of the verify options are for testing or debugging purposes. +Normally only the \fB\-CApath\fR, \fB\-CAfile\fR and (if the responder is a 'global +\&\s-1VA\s0') \fB\-VAfile\fR options need to be used. +.PP +The \s-1OCSP\s0 server is only useful for test and demonstration purposes: it is +not really usable as a full \s-1OCSP\s0 responder. It contains only a very +simple \s-1HTTP\s0 request handling and can only handle the \s-1POST\s0 form of \s-1OCSP\s0 +queries. It also handles requests serially meaning it cannot respond to +new requests until it has processed the current one. The text index file +format of revocation is also inefficient for large quantities of revocation +data. +.PP +It is possible to run the \fBocsp\fR application in responder mode via a \s-1CGI\s0 +script using the \fBrespin\fR and \fBrespout\fR options. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Create an \s-1OCSP\s0 request and write it to a file: +.PP +.Vb 1 +\& openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der +.Ve +Send a query to an \s-1OCSP\s0 responder with \s-1URL\s0 http://ocsp.myhost.com/ save the +response to a file and print it out in text form +.PP +.Vb 2 +\& openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \e +\& -url http://ocsp.myhost.com/ -resp_text -respout resp.der +.Ve +Read in an \s-1OCSP\s0 response and print out text form: +.PP +.Vb 1 +\& openssl ocsp -respin resp.der -text +.Ve +\&\s-1OCSP\s0 server on port 8888 using a standard \fBca\fR configuration, and a separate +responder certificate. All requests and responses are printed to a file. +.PP +.Vb 2 +\& openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem +\& -text -out log.txt +.Ve +As above but exit after processing one request: +.PP +.Vb 2 +\& openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem +\& -nrequest 1 +.Ve +Query status information using internally generated request: +.PP +.Vb 2 +\& openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem +\& -issuer demoCA/cacert.pem -serial 1 +.Ve +Query status information using request read from a file, write response to a +second file. +.PP +.Vb 2 +\& openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem +\& -reqin req.der -respout resp.der +.Ve |