So you have configured OCSP stapling and you want to know whether it is actually working. It is easy enough to check with the openssl s_client command:

openssl s_client -connect login.live.com:443 -tls1 -tlsextdebug -status

Loading 'screen' into random state - done.
CONNECTED(0000017C)
TLS server extension "status request" (id=5), len=0

I've had the same question myself and by research as well as by practical tests I found out that the openssl ocsp command is not able to verify complete certificate chains. You can only verify one "step" at once, so you would need to issue

24/03/2017 · I have deployed a basic OCSP server from the OpenSSL Cookbook by Ivan Ristic, page 44, with the following command:

$ openssl ocsp -port 9080 -index db/index -rsigner root-ocsp.crt -rkey private/root-ocsp.key -CA root-ca.crt -text

Certs have the following chain: root-ca -> root-ocsp and root-ca -> sub-ca -> server, and I want to request the status of server.crt.

I'm implementing an OCSP server to answer OCSP requests for my custom CA. I already implemented the invalidation of leaf certificates, with the intermediate CA certificate signing the OCSP response, and it seems to be working. However, I have trouble implementing the OCSP response to invalidate an intermediate certificate.

27/05/2020 · Using OCSP, an application makes a connection to an OCSP responder and requests the status of a certificate by passing the certificate's serial number. The responder replies "good," "revoked," or "unknown." A "good" response indicates that the certificate is valid, so far as the responder knows. This does not necessarily mean that the certificate was ever issued, just that is

2/05/2018 · For example, OCSP responders that do not have access to authoritative records for a requested certificate, such as those that generate and distribute OCSP responses in advance and thus do not have the ability to properly respond with a signed "successful" yet "unknown" response, will respond with an OCSPResponseStatus of "unauthorized". Also, in order to ensure the database of revocation

27/01/2011 · Certificatetools.com makes OCSP checking with OpenSSL quick and simple: certificatetools.com > Revocation > OCSP Checker. It provides the OpenSSL command and downloads for the certificate and chain so that it can be run locally if desired.

Later, the alias openssl-cmd(1) was introduced, which made it easier to group the openssl commands using the apropos(1) command or the shell's tab completion. In order to reduce cluttering of the global manual page namespace, the manual page entries without the 'openssl-' prefix have been deprecated in OpenSSL 3.0 and will be removed in OpenSSL 4.0.

12/09/2018 · This is to give an idea of how to set up OpenSSL to use OCSP. We will look into how to generate certificates, get their OCSP response from the created OCSP server and also we'll see how to

Before you trust what the server is telling you (e.g. OCSP stapling), you want to trust that server in the first place, hence why OpenSSL might be verifying the server's cert first, making sure it's a valid and trusted certificate at all. Then, assuming the certificate looks valid, you would want to see if it's been revoked -- and that's when you'd handle/process the stapled OCSP response.

OCSP stapling is designed to reduce the cost of an OCSP validation, both for the client and the OCSP responder, especially for large sites serving many simultaneous users. However, OCSP stapling supports only one OCSP response at a time, which is insufficient for certificate chains with intermediate CA certs.

openssl ocsp -issuer CAcert_class1.pem -serial 0x -host ocsp.cacert.org:80 -CAfile cacert_both.pem

The file named in -issuer must contain the CA certificate that issued the certificate in question (CAcert class 1 or 3); the file in -CAfile should contain both CAcert root certificates (and maybe other trusted CAs).