Open the Online Certificate Status Manager agent services page, and click the List Certificate
Authorities link.
The page should show information about the Certificate Manager configured to publish CRLs to
the Online Certificate Status Manager. The page also summarizes the Online Certificate Status
Manager's activity since it was last started.
8. Revoke the certificate.
9. Verify the certificate in the browser or client. The server should return that the certificate has been
revoked.
10. Check the Certificate Manager's OCSP-service status again to verify that these things happened:
• The browser sent an OCSP query to the Certificate Manager.
• The Certificate Manager sent an OCSP response to the browser.
• The browser used that response to validate the certificate and returned its status, that the
certificate could not be verified.
11. Check the independent OCSP service subsystem again to verify that these things happened:
• The Certificate Manager published the CRL to the Online Certificate Status Manager.
• The browser sent an OCSP query to the Online Certificate Status Manager.
• The Online Certificate Status Manager sent an OCSP response to the browser.
• The browser used that response to validate the certificate and returned its status, that the
certificate could not be verified.
6.10. Submitting OCSP Requests Using the GET Method
OCSP requests which are smaller than 255KB can be submitted to the Online Certificate Status
Manager using a GET method, as described in RFC 2560. To submit OCSP requests over GET:
1. Generate an OCSP request for the certificate whose status is being queried. For example:
# OCSPClient server.example.com 11443 /var/lib/pki-ca/alias 'caSigningCert cert-pki-ca' 1 /export/output.txt 1
URI: /ocsp/ee/ocsp
Data Length: 68
Data: MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ
44kgy35o7xW5BMzM8FTvyTwCAQE=
The Certificate System's OCSPClient tool has the format:
OCSPClient host port /path/to/CA_cert_database 'CA_signing_cert_nickname' serial_number output_file times
An OCSP request can also be generated using OpenSSL tools, as described at
http://openssl.org/docs/apps/ocsp.html, or through a browser such as Internet Explorer 7.0.
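Before a generated request is submitted over GET, it is worth confirming that it asks about the intended certificate. The following is an added example, not part of the Certificate System tooling: it decodes the Data value from the OCSPClient output above, walks the DER structure down to the CertID, and builds the GET URL in the RFC 2560 form (base URL, a slash, then the URL-encoded base-64 request). The https scheme and the function names are assumptions; the host, port and URI are taken from the example above.

```python
import base64
from urllib.parse import quote

# Request data copied from the OCSPClient output shown above (Data Length: 68).
REQUEST_B64 = ("MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ"
               "44kgy35o7xW5BMzM8FTvyTwCAQE=")
DER = base64.b64decode(REQUEST_B64, validate=True)

def read_tlv(buf, pos=0):
    """Read one DER element at pos and return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_cert_id(der):
    """Return the CertID of the first Request in an OCSPRequest.

    Handles the common layout with no explicit version or requestorName;
    any other leading element is rejected rather than guessed at.
    """
    body = der
    # Descend OCSPRequest -> TBSRequest -> requestList -> Request -> CertID.
    for _ in range(5):
        tag, body, _ = read_tlv(body)
        if tag != 0x30:
            raise ValueError("expected SEQUENCE, got tag 0x%02x" % tag)
    _, alg, pos = read_tlv(body)             # hashAlgorithm (AlgorithmIdentifier)
    _, oid, _ = read_tlv(alg)                # OID bytes inside it
    _, name_hash, pos = read_tlv(body, pos)  # issuerNameHash
    _, key_hash, pos = read_tlv(body, pos)   # issuerKeyHash
    _, serial, _ = read_tlv(body, pos)       # serialNumber
    return {"hash_oid": oid.hex(), "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(),
            "serial": int.from_bytes(serial, "big", signed=True)}

def ocsp_get_url(base_url, der):
    """Append the URL-encoded base-64 request to the responder URL."""
    b64 = base64.b64encode(der).decode("ascii")
    return base_url.rstrip("/") + "/" + quote(b64, safe="")  # encodes +, / and =

if __name__ == "__main__":
    print(parse_cert_id(DER))
    print(ocsp_get_url("https://server.example.com:11443/ocsp/ee/ocsp", DER))
```

The hash OID 2b0e03021a is the DER encoding of 1.3.14.3.2.26 (SHA-1), and the parsed serial matches the serial_number argument of 1 passed to OCSPClient.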