OCSP Knowledge Base
The following examples use certificates issued by the CA identified by the TEST_of_ESTEID-SK_2015.pem.crt certificate. CA certificates are available at https://www.skidsolutions.eu/resources/certificates/
OCSP responder certificates are available at https://c.sk.ee/sk_ocsp_responder_certificates/sk_ocsp_responder_certificates.zip
NB! We do not recommend trusting the OCSP responder certificates directly, as they may change. The preferred way is to build the trust chain on top of the issuing CA itself.
Example: Getting the OCSP responder certificate (-resp_text prints the full response, including the responder certificate embedded in it):
openssl ocsp -issuer TEST_of_ESTEID-SK_2015.pem.crt -cert <certificate>.pem.crt -url http://demo.sk.ee/ocsp -noverify -resp_text
Example: Validating OCSP response with OCSP responder certificate:
openssl ocsp -issuer TEST_of_ESTEID-SK_2015.pem.crt -cert <certificate>.pem.crt -url http://demo.sk.ee/ocsp -VAfile TEST_of_ESTEID-SK_2015_AIA_OCSP_RESPONDER_202310.pem
Example: Validating OCSP response with CA certificate:
openssl ocsp -issuer TEST_of_ESTEID-SK_2015.pem.crt -cert <certificate>.pem.crt -url http://demo.sk.ee/ocsp -CAfile <ica_issuer_ca>.cer
Example: No response validation (-noverify skips the response signature and nonce checks, so the reported status is unauthenticated)
openssl ocsp -issuer TEST_of_ESTEID-SK_2015.pem.crt -cert <certificate>.pem.crt -url http://demo.sk.ee/ocsp -noverify
Using the certificate serial instead of the certificate file
To get the serial from the certificate, use (-noout suppresses printing the certificate itself; the serial is printed as upper-case hex without a 0x prefix):
openssl x509 -in <certificate>.pem.crt -noout -serial
Then pass the serial, prefixed with 0x, to the OCSP request like this:
openssl ocsp -issuer TEST_of_ESTEID-SK_2015.pem.crt -serial 0x<certificate_serial> -url http://demo.sk.ee/ocsp -noverify