Lines Matching full:s0

143 .SS "\s-1OCSP\s0 Client"
164 [\fB\-url\fR \fI\s-1URL\s0\fR]
185 .SS "\s-1OCSP\s0 Server"
246 The Online Certificate Status Protocol (\s-1OCSP\s0) enables applications to
247 determine the (revocation) state of an identified certificate (\s-1RFC 2560\s0).
249 This command performs many common \s-1OCSP\s0 tasks. It can be used
251 to an \s-1OCSP\s0 responder and behave like a mini \s-1OCSP\s0 server itself.
256 .SS "\s-1OCSP\s0 Client Options"
268 This option \fB\s-1MUST\s0\fR come before any \fB\-cert\fR options.
285 Sign the \s-1OCSP\s0 request using the certificate specified in the \fB\-signer\fR
289 the \s-1OCSP\s0 request is not signed.
293 The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
296 Add an \s-1OCSP\s0 nonce extension to a request or disable \s-1OCSP\s0 nonce addition.
297 Normally if an \s-1OCSP\s0 request is input using the \fB\-reqin\fR option no
299 If an \s-1OCSP\s0 request is being created (using \fB\-cert\fR and \fB\-serial\fR options)
303 Print out the text form of the \s-1OCSP\s0 request, response or both respectively.
306 Write out the \s-1DER\s0 encoded certificate request or response to \fIfile\fR.
309 Read \s-1OCSP\s0 request or response file from \fIfile\fR. These options are ignored
310 if \s-1OCSP\s0 request or response creation is implied by other options (for example
314 Specify the responder \s-1URL.\s0 Both \s-1HTTP\s0 and \s-1HTTPS\s0 (\s-1SSL/TLS\s0) URLs can be sp…
319 If the \fB\-host\fR option is present then the \s-1OCSP\s0 request is sent to the host
320 \&\fIhostname\fR on port \fIport\fR. The \fB\-path\fR option specifies the \s-1HTTP\s0 pathname
325 The \s-1HTTP\s0(S) proxy server to use for reaching the \s-1OCSP\s0 server unless \fB\-no_proxy\fR
331 in case no \s-1TLS\s0 is used, otherwise \f(CW\*(C`https_proxy\*(C'\fR if set, else \f(CW\*(C`HTTPS…
334 List of \s-1IP\s0 addresses and/or \s-1DNS\s0 names of servers
335 not to use an \s-1HTTP\s0(S) proxy for, separated by commas and/or whitespace
340 Adds the header \fIname\fR with the specified \fIvalue\fR to the \s-1OCSP\s0 request
345 Connection timeout to the \s-1OCSP\s0 responder in seconds.
346 On \s-1POSIX\s0 systems, when running as an \s-1OCSP\s0 responder, this option also limits
352 File or \s-1URI\s0 containing additional certificates to search
354 the \s-1OCSP\s0 response signing certificate. Some responders omit the actual signer's
357 The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
363 root \s-1CA\s0 is not appropriate.
366 File or \s-1URI\s0 containing explicitly trusted responder certificates.
368 The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
371 Don't attempt to verify the \s-1OCSP\s0 response signature or the nonce
376 Ignore certificates contained in the \s-1OCSP\s0 response when searching for the
381 Don't check the signature on the \s-1OCSP\s0 response. Since this option
382 tolerates invalid signatures on \s-1OCSP\s0 responses it will normally only be
386 Don't verify the \s-1OCSP\s0 response signer's certificate at all. Since this
387 option allows the \s-1OCSP\s0 response to be signed by any certificate it should
391 Do not use certificates in the response as additional untrusted \s-1CA\s0
395 Do not explicitly trust the root \s-1CA\s0 if it is set to be trusted for \s-1OCSP\s0 signing.
398 Don't perform any additional checks on the \s-1OCSP\s0 response signer's certificate.
405 in an \s-1OCSP\s0 response. Each certificate status response includes a \fBnotBefore\fR
408 seconds. In practice the \s-1OCSP\s0 responder and client clocks may not be precisely
420 in the \s-1OCSP\s0 response. Any digest supported by the \fBopenssl\-dgst\fR\|(1) command can
425 \&\s-1OCSP\s0 request. Any digest supported by the OpenSSL \fBdgst\fR command can be used.
426 The default is \s-1SHA\-1.\s0 This option may be used multiple times to specify the
444 .SS "\s-1OCSP\s0 Server Options"
455 or via external \s-1OCSP\s0 clients (if \fB\-port\fR or \fB\-url\fR is specified).
461 \&\s-1CA\s0 certificate corresponding to the revocation information in the index
463 The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
466 The certificate to sign \s-1OCSP\s0 responses with.
469 The private key to sign \s-1OCSP\s0 responses with: if not present the file
477 Additional certificates to include in the \s-1OCSP\s0 response.
478 The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
481 Pass options to the signature algorithm when signing \s-1OCSP\s0 responses.
492 Don't include any certificates in the \s-1OCSP\s0 response.
495 Identify the signer certificate using the key \s-1ID,\s0 default is to use the
499 Port to listen for \s-1OCSP\s0 requests on. The port may also be specified
504 Ignore malformed requests or responses: When acting as an \s-1OCSP\s0 client, retry if
505 a malformed response is received. When acting as an \s-1OCSP\s0 responder, continue
509 The \s-1OCSP\s0 server will exit after receiving \fInumber\fR requests, default unlimited.
512 Run the specified number of \s-1OCSP\s0 responder child processes, with the parent
514 Child processes will detect changes in the \s-1CA\s0 index file and automatically
517 each child is willing to wait for the client's \s-1OCSP\s0 response.
518 This option is available on \s-1POSIX\s0 systems (that support the \fBfork()\fR and other
528 \&\s-1OCSP\s0 Response follows the rules specified in \s-1RFC2560.\s0
530 Initially the \s-1OCSP\s0 responder certificate is located and the signature on
531 the \s-1OCSP\s0 request checked using the responder certificate's public key.
533 Then a normal certificate verify is performed on the \s-1OCSP\s0 responder certificate
539 If the initial verify fails then the \s-1OCSP\s0 verify process halts with an
542 Otherwise the issuing \s-1CA\s0 certificate in the request is compared to the \s-1OCSP\s0
543 responder certificate: if there is a match then the \s-1OCSP\s0 verify succeeds.
545 Otherwise the \s-1OCSP\s0 responder certificate's \s-1CA\s0 is checked against the issuing
546 \&\s-1CA\s0 certificate in the request. If there is a match and the OCSPSigning
547 extended key usage is present in the \s-1OCSP\s0 responder certificate then the
548 \&\s-1OCSP\s0 verify succeeds.
550 Otherwise, if \fB\-no_explicit\fR is \fBnot\fR set the root \s-1CA\s0 of the \s-1OCSP\s0 responder's
551 \&\s-1CA\s0 is checked to see if it is trusted for \s-1OCSP\s0 signing. If it is the \s-1OCSP\s0
554 If none of these checks is successful then the \s-1OCSP\s0 verify fails.
556 What this effectively means is that if the \s-1OCSP\s0 responder certificate is
557 authorised directly by the \s-1CA\s0 it is issuing revocation information about
560 If the \s-1OCSP\s0 responder is a \*(L"global responder\*(R" which can give details about
562 \&\s-1CA\s0 can be trusted for \s-1OCSP\s0 signing. For example:
574 is a 'global \s-1VA\s0') \fB\-VAfile\fR options need to be used.
576 The \s-1OCSP\s0 server is only useful for test and demonstration purposes: it is
577 not really usable as a full \s-1OCSP\s0 responder. It contains only a very
578 simple \s-1HTTP\s0 request handling and can only handle the \s-1POST\s0 form of \s-1OCSP\s0
584 It is possible to run this command in responder mode via a \s-1CGI\s0
588 Create an \s-1OCSP\s0 request and write it to a file:
594 Send a query to an \s-1OCSP\s0 responder with \s-1URL\s0 http://ocsp.myhost.com/ save the
602 Read in an \s-1OCSP\s0 response and print out text form:
608 \&\s-1OCSP\s0 server on port 8888 using a standard \fBca\fR configuration, and a separate
646 in the file \s-1LICENSE\s0 in the source distribution or at