1. Introduction

ocsp is the Online Certificate Status Protocol command. It performs many common OCSP tasks and can be used to print request files and response files,

2. Syntax

openssl ocsp [-out file] [-issuer file] [-cert file] [-serial num] [-signer file] [-signkey file]
[-sign_other file] [-no_certs] [-req_text] [-resp_text] [-text] [-reqout file] [-respout file]
[-reqin file] [-respin file] [-nonce] [-no_nonce] [-url URL] [-host host:n] [-path path] [-CApath dir]
[-CAfile file] [-VAfile file] [-validity_period n] [-status_age n] [-noverify] [-verify_other file]
[-trust_other] [-no_intern] [-no_signature_verify] [-no_cert_verify] [-no_chain] [-no_cert_checks]
[-port num] [-index file] [-CA file] [-rsigner file] [-rkey file] [-rother file] [-resp_no_certs] [-nmin n]
[-ndays n] [-resp_key_id] [-nrequest n]

Options

-out file              output filename
-issuer file           issuer certificate
-cert file             certificate to check
-serial n              serial number to check
-signer file           certificate to sign OCSP request with
-signkey file          private key to sign OCSP request with
-sign_other file       additional certificates to include in signed request
-no_certs              don't include any certificates in signed request
-req_text              print text form of request
-resp_text             print text form of response
-text                  print text form of request and response
-reqout file           write DER encoded OCSP request to "file"
-respout file          write DER encoded OCSP response to "file"
-reqin file            read DER encoded OCSP request from "file"
-respin file           read DER encoded OCSP response from "file"
-nonce                 add OCSP nonce to request
-no_nonce              don't add OCSP nonce to request
-url URL               OCSP responder URL
-host host:n           send OCSP request to host on port n
-path path             path to use in OCSP request
-CApath dir            trusted certificates directory
-CAfile file           trusted certificates file
-trusted_first         use trusted certificates first when building the trust chain
-VAfile file           validator certificates file
-validity_period n     maximum validity discrepancy in seconds
-status_age n          maximum status age in seconds
-noverify              don't verify response at all
-verify_other file     additional certificates to search for signer
-trust_other           don't verify additional certificates
-no_intern             don't search certificates contained in response for signer
-no_signature_verify   don't check signature on response
-no_cert_verify        don't check signing certificate
-no_chain              don't chain verify response
-no_cert_checks        don't do additional checks on signing certificate
-port num              port to run responder on
-index file            certificate status index file
-CA file               CA certificate
-rsigner file          responder certificate to sign responses with
-rkey file             responder key to sign responses with
-rother file           other certificates to include in response
-resp_no_certs         don't include any certificates in response
-nmin n                number of minutes before next update
-ndays n               number of days before next update
-resp_key_id           identify response by signing certificate key ID
-nrequest n            number of requests to accept (default unlimited)
-<dgst alg>            use specified digest in the request

3. Examples

1) Generate an OCSP request and write it to a file

openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der
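As an added end-to-end example (not from the original post), the following POSIX shell script builds a throwaway CA with two leaf certificates and then runs openssl ocsp three times: as the client that writes a request (the same command shape as above), as an offline responder driven by an index file, and as the verifier of the saved response. All file names, subjects, serials and index dates are constructed test data.

```shell
#!/bin/sh
# Added example: full OCSP request -> response -> verify cycle, entirely offline,
# exercising the client options, the responder options (-index/-rsigner/-rkey/-CA)
# and the verification options (-CAfile, -no_nonce). Everything here is test data.
set -eu

ocsp_demo() {
  work="$(mktemp -d)"; cd "$work"

  # Throwaway CA plus two leaf certificates with known serials (0x1001, 0x1002).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj /CN=Test-CA -days 30 2>/dev/null
  for n in 1 2; do
    openssl req -newkey rsa:2048 -nodes -keyout leaf$n.key -out leaf$n.csr \
      -subj /CN=leaf$n 2>/dev/null
    openssl x509 -req -in leaf$n.csr -CA ca.pem -CAkey ca.key \
      -set_serial 0x100$n -days 30 -out leaf$n.pem 2>/dev/null
  done

  # The responder's status database uses the "openssl ca" index.txt layout:
  # status TAB expiry TAB revocation-time TAB serial(hex) TAB file TAB subject.
  # V = valid, R = revoked. Only status and serial are consulted by the
  # responder; the dates are made-up placeholders.
  printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=leaf1\n' > index.txt
  printf 'R\t300101000000Z\t240101000000Z\t1002\tunknown\t/CN=leaf2\n' >> index.txt

  # 1. Client: one request covering both certificates, saved as DER.
  #    A nonce ties a live response to a fresh request (replay protection);
  #    it is disabled here because the response is archived and later checked
  #    by a separately built request, which would carry a different nonce.
  openssl ocsp -issuer ca.pem -cert leaf1.pem -cert leaf2.pem -no_nonce \
    -reqout req.der

  # 2. Responder, offline: -index switches on responder mode; -reqin/-respout
  #    answer the saved request without opening a port (-port would serve the
  #    same database over HTTP). The CA itself signs the response here.
  openssl ocsp -index index.txt -rsigner ca.pem -rkey ca.key -CA ca.pem \
    -reqin req.der -respout resp.der -ndays 1 -no_nonce

  # 3. Client again: verify the signature and chain of the saved response
  #    against the CA and print each certificate's status (good / revoked).
  openssl ocsp -issuer ca.pem -cert leaf1.pem -cert leaf2.pem -no_nonce \
    -respin resp.der -CAfile ca.pem 2>&1
}

ocsp_demo
```

Running the script prints "Response verify OK" followed by "leaf1.pem: good" and "leaf2.pem: revoked" with the response's update times; replacing -reqin/-respout in step 2 with -port and step 3's -respin with -url turns the same setup into a live responder and query.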
05-19 17:03