[openssl-users] generate TLS OCSP responses for a time in the past using -attime not possible?

Walter H. Walter.H at mathemainzel.info
Fri Dec 5 04:33:30 EST 2014


It works like this, as I do it like this:

openssl ocsp -index db.list -CA ca.pem -rsigner ocsprsp.pem -rkey ocsprsp.key \
    -nmin 45 -resp_key_id -noverify -reqin reqin.bin -respout reqout.bin

db.list is generated by using openssl with the ca parameter
ca.pem is the certificate that signed the OCSP responder certificate and
the certificate that is in db.list
ocsprsp.pem and ocsprsp.key are the OCSP responder certificate
reqin.bin is the OCSP request that typically comes with an HTTP request
respout.bin is the OCSP response that is typically sent out with an HTTP
response



On 05.12.2014 07:59, Albers, Thorsten wrote:
>
> Hi,
>
> for test purposes I would like to create OCSP responses for a time in 
> the past, let's say for 5 days in the past. In the documentation for 
> the ocsp command there is a list of verification options a client 
> might use / request.
>
> I would have expected that a command could look like the following:
>
> openssl ocsp -sha256 -issuer Root_A_cert.cer -cert Sub1_A_cert.cer 
> -reqout Sub1_OCSPRequest.bin -text -attime <old timestamp>
>
> with <old timestamp> being a time in the past.
>
> But all I get is openssl telling me that 'attime' is not a valid 
> parameter. Am I doing something wrong, or is this not implemented yet?
>
> Regards,
>
> Thorsten
>
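
A self-contained run of the responder command from the reply against a throwaway CA, as an added example that is not part of the original messages. The CA, the leaf certificate, the hand-written db.list line and the choice to sign the response with the CA key itself are constructed for the test. The status printed at the end shows This Update at the clock time of signing and Next Update 45 minutes later, from -nmin 45.

```shell
#!/bin/sh
# Added example: every file name and subject below is constructed for a local test.
ocsp_demo() {
  d=$(mktemp -d) || return 1
  (
    set -e
    cd "$d"
    # Throwaway CA and one leaf certificate with serial number 01.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
      -subj "/CN=Test CA" -days 30 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
      -subj "/CN=leaf.test" 2>/dev/null
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 1 \
      -days 30 -out leaf.pem 2>/dev/null
    # One line in the `openssl ca` database format (tab-separated):
    # status, expiry, revocation date, serial, file name, subject.
    printf 'V\t491231235959Z\t\t01\tunknown\t/CN=leaf.test\n' > db.list
    # Client side: build the OCSP request for the leaf certificate.
    openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout reqin.bin
    # Responder side: the command form from the reply; here the CA key
    # signs the response directly instead of a delegated responder key.
    openssl ocsp -index db.list -CA ca.pem -rsigner ca.pem -rkey ca.key \
      -nmin 45 -reqin reqin.bin -respout respout.bin
    # Client side: verify the signature and print status and update times.
    openssl ocsp -respin respout.bin -CAfile ca.pem -issuer ca.pem \
      -cert leaf.pem -no_nonce 2>&1
  )
  rc=$?
  rm -rf "$d"
  return $rc
}

ocsp_demo
```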
