[openssl-users] Problems with server mode of openssl ocsp
Robert Moskowitz
rgm at htt-consult.com
Thu Sep 7 20:38:47 UTC 2017
On 09/07/2017 04:13 PM, Dr. Stephen Henson wrote:
> On Thu, Sep 07, 2017, Robert Moskowitz wrote:
>
>> Good progress. A few questions:
>>
>> on https://jamielinux.com/docs/openssl-certificate-authority/online-certificate-status-protocol.html
>>
>> The sample server test command is:
>>
>> openssl ocsp -port 127.0.0.1:2560 -text -sha256 \
>> -index intermediate/index.txt \
>> -CA intermediate/certs/ca-chain.cert.pem \
>> -rkey intermediate/private/ocsp.example.com.key.pem \
>> -rsigner intermediate/certs/ocsp.example.com.cert.pem \
>> -nrequest 1
>>
>> Turns out this is a wrong format for -port. Only the portnum is
>> allowed, not the host. Turns out that
>>
>> -port 2560
>>
>> works as it seems to be listening on localhost. But how DO you set
>> up which address to listen on? -host seems to be only for client
>> mode, and I don't see how I would use -url.
>>
> There is currently no option to do that.
OK. It does listen on localhost, so I'm OK with just -port 2560. I
will have to send Jamie a note...
>> The -sha256 option results in the error:
>>
>> ocsp: Digest must be before -cert or -serial
>> ocsp: Use -help for summary.
>>
>> I don't see either -cert or -serial in that command. If I leave the
>> hash out, it defaults to sha1. How do I specify the hash?
>>
> Do you mean the digest the response is signed with? Try the -rmd option if so.
No such option documented at:
https://www.openssl.org/docs/man1.1.0/apps/ocsp.html
but 'openssl ocsp -help' does list it. I am assuming that I would use:
-rmd sha256
It'll be a bit till I get back to that part of the test.
thanks
Bob