[openssl-users] Problems with server mode of openssl ocsp
Dr. Stephen Henson
steve at openssl.org
Thu Sep 7 20:13:10 UTC 2017
On Thu, Sep 07, 2017, Robert Moskowitz wrote:
> Good progress. A few questions:
> on https://jamielinux.com/docs/openssl-certificate-authority/online-certificate-status-protocol.html
> The sample server test command is:
> openssl ocsp -port 127.0.0.1:2560 -text -sha256 \
> -index intermediate/index.txt \
> -CA intermediate/certs/ca-chain.cert.pem \
> -rkey intermediate/private/ocsp.example.com.key.pem \
> -rsigner intermediate/certs/ocsp.example.com.cert.pem \
> -nrequest 1
> Turns out this is a wrong format for -port. Only the portnum is
> allowed, not the host. Turns out that
> -port 2560
> works as it seems to be listening on localhost. But how DO you set
> up which address to listen on? -host seems to be only for client
> mode, and I don't see how I would use -url.
There is currently no option to do that.
> The -sha256 option results in the error:
> ocsp: Digest must be before -cert or -serial
> ocsp: Use -help for summary.
> I don't see either -cert or -serial in that command. If I leave the
> hash out, it defaults to sha1. How do I specify the hash?
Do you mean the digest the response is signed with? Try the -rmd option if so.
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
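
Added example (not part of the original thread, and not OpenSSL project code): a self-contained check of the two answers above, that -port takes a bare port number in server mode and that -rmd selects the digest the response is signed with. Assumptions: a throwaway CA that signs its own OCSP responses, a hand-written index.txt holding the constructed serial 1000, and a free loopback port.

```shell
# Constructed demo: every file is created in a temporary directory.
# Assumptions (not from the thread): the CA signs responses itself,
# serial 1000 is a made-up certificate, and the chosen port is free.
# Usage: ocsp_response_sigalg sha256 [port]
ocsp_response_sigalg() {
    rmd=$1                       # digest handed to the responder's -rmd
    port=${2:-2560}
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        # Throwaway CA key and self-signed certificate.
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Demo CA" -keyout ca.key -out ca.pem 2>/dev/null || exit 1
        # One valid ("V") entry, tab separated: status, expiry, empty
        # revocation date, serial (hex), file name, subject.
        printf 'V\t350101000000Z\t\t1000\tunknown\t/CN=demo-leaf\n' > index.txt
        # Server mode: -port is a port number only; -rmd picks the
        # digest used to sign the response.
        openssl ocsp -port "$port" -index index.txt -CA ca.pem \
            -rsigner ca.pem -rkey ca.key -rmd "$rmd" -nrequest 1 \
            >/dev/null 2>&1 &
        responder=$!
        sleep 2
        # Client mode: ask about the made-up serial and print the first
        # signature algorithm in the response text (the response's own).
        # -noverify: only the algorithm is inspected here.
        openssl ocsp -issuer ca.pem -serial 0x1000 -noverify -resp_text \
            -url "http://127.0.0.1:$port" 2>/dev/null |
            awk '/Signature Algorithm:/ {print $3; exit}'
        kill "$responder" 2>/dev/null || true
        wait "$responder" 2>/dev/null || true
    )
    rm -rf "$dir"
}
```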