[openssl-users] Problems with server mode of openssl ocsp

Dr. Stephen Henson steve at openssl.org
Thu Sep 7 20:13:10 UTC 2017

On Thu, Sep 07, 2017, Robert Moskowitz wrote:

> Good progress.  A few questions:
> on https://jamielinux.com/docs/openssl-certificate-authority/online-certificate-status-protocol.html
> The sample server test command is:
> openssl ocsp -port -text -sha256 \
>       -index intermediate/index.txt \
>       -CA intermediate/certs/ca-chain.cert.pem \
>       -rkey intermediate/private/ocsp.example.com.key.pem \
>       -rsigner intermediate/certs/ocsp.example.com.cert.pem \
>       -nrequest 1
> Turns out this is a wrong format for -port.  Only the portnum is
> allowed, not the host.  Turns out that
> -port 2560
> works as it seems to be listening on localhost.  But how DO you set
> up which address to listen on?  -host seems to be only for client
> mode, and I don't see how I would use -url.

There is currently no option to do that.

> The -sha256 option results in the error:
> ocsp: Digest must be before -cert or -serial
> ocsp: Use -help for summary.
> I don't see either -cert or -serial in that command.  If I leave the
> hash out, it defaults to sha1.  How do I specify the hash?

Do you mean the digest the response is signed with? Try the -rmd option if so.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

More information about the openssl-users mailing list