[openssl-users] Problems with server mode of openssl ocsp

Robert Moskowitz rgm at htt-consult.com
Thu Sep 7 20:38:47 UTC 2017

On 09/07/2017 04:13 PM, Dr. Stephen Henson wrote:
> On Thu, Sep 07, 2017, Robert Moskowitz wrote:
>> Good progress.  A few questions:
>> on https://jamielinux.com/docs/openssl-certificate-authority/online-certificate-status-protocol.html
>> The sample server test command is:
>> openssl ocsp -port -text -sha256 \
>>        -index intermediate/index.txt \
>>        -CA intermediate/certs/ca-chain.cert.pem \
>>        -rkey intermediate/private/ocsp.example.com.key.pem \
>>        -rsigner intermediate/certs/ocsp.example.com.cert.pem \
>>        -nrequest 1
>> Turns out this is a wrong format for -port.  Only the portnum is
>> allowed, not the host.  Turns out that
>> -port 2560
>> works as it seems to be listening on localhost.  But how DO you set
>> up which address to listen on?  -host seems to be only for client
>> mode, and I don't see how I would use -url.
> There is currently no option to do that.

OK.  It does listen on localhost, so I'm OK with just -port 2560.  I 
will have to send Jamie a note...

>> The -sha256 option results in the error:
>> ocsp: Digest must be before -cert or -serial
>> ocsp: Use -help for summary.
>> I don't see either -cert or -serial in that command.  If I leave the
>> hash out, it defaults to sha1.  How do I specify the hash?
> Do you mean the digest the response is signed with? Try the -rmd option if so.

No such option documented at:


but 'openssl ocsp -help' does list it.  I am assuming that I would use:

-rmd sha256

Be a bit until I get back to that part of the test.
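
The option placement discussed in this message, as an added example that is not part of the original post or of OpenSSL's documentation: a one-shot responder started with a bare `-port` number and `-rmd`, then queried so the digest actually used to sign the response can be checked. The throwaway CA, the file names and the function name are assumptions made for the demo; in client mode the digest option selects the CertID hash, which is why it must precede `-cert` or `-serial`.

```shell
#!/bin/sh
# Added example: everything below is constructed for the demo (throwaway CA,
# empty index file, hypothetical function name). Port 2560 follows the thread.
PORT=${PORT:-2560}

# Start a one-shot responder that signs with digest $1, query it once, and
# print the signature algorithm found in the OCSP response.
ocsp_response_sigalg() (
  rmd=$1
  dir=$(mktemp -d) || exit 1
  # Self-signed test CA that also acts as the OCSP signer.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || exit 1
  : > "$dir/index.txt"   # empty CA database: every serial is "unknown"

  # Server mode: -port takes only a port number; -rmd sets the signing digest.
  openssl ocsp -port "$PORT" -index "$dir/index.txt" \
    -CA "$dir/ca.pem" -rkey "$dir/ca.key" -rsigner "$dir/ca.pem" \
    -rmd "$rmd" -nrequest 1 >/dev/null 2>&1 &
  pid=$!
  sleep 1

  # Client mode: -sha256 sets the CertID hash and must come before -serial.
  alg=$(openssl ocsp -sha256 -issuer "$dir/ca.pem" -serial 1 \
          -url "http://127.0.0.1:$PORT" -noverify -resp_text 2>/dev/null |
        awk '/Signature Algorithm:/ {print $3; exit}')

  kill "$pid" 2>/dev/null || true
  wait "$pid" 2>/dev/null || true
  rm -rf "$dir"
  printf '%s\n' "$alg"
)
```

Calling `ocsp_response_sigalg sha256` prints the algorithm name taken from the response itself, so the effect of `-rmd` is confirmed rather than assumed.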


