Chapter 6. Online Certificate Status Protocol Responder
2. Paste the URL in the address bar of a web browser to return the status information. The browser must be able to handle OCSP requests.
https://server.example.com:11443/ocsp/ee/ocsp/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE=
3. The OCSP Manager responds with the certificate status which the browser can interpret. The
possible statuses are GOOD, REVOKED, and UNKNOWN.
Alternatively, query the OCSP responder from the command line by using a tool such as wget to send the request, then check the OCSP logs for the response. For example:
1. Generate an OCSP request for the certificate whose status is being queried.
# OCSPClient server.example.com 11443 /var/lib/pki-ca/alias 'caSigningCert cert-pki-ca' 1 /export/output.txt 1
URI: /ocsp/ee/ocsp
Data Length: 68
Data: MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE=
2. Connect to the OCSP Manager using wget to send the OCSP request.
wget https://server.example.com:11443/ocsp/ee/ocsp/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE= --no-check-certificate
--16:34:34--  https://server.example.com:11443/ocsp/ee/ocsp/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE=
           => `MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE='
Resolving server.example.com... 192.168.123.224
Connecting to server.example.com|192.168.123.224|:11443... connected.
WARNING: Certificate verification error for server.example.com: self signed certificate in certificate chain
HTTP request sent, awaiting response... 200 OK
Length: 2,362 (2.3K) [application/ocsp-response]
100%[======================================================================>] 2,362 --.--K/s
16:34:34 (474.43 MB/s) - `MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE=' saved [2362/2362]
3. The status for the specified certificate is written to the OCSP's debug log and can be GoodInfo,
RevokeInfo, or UnknownInfo.
[16/Jul/2008:16:48:47][http-11443-Processor24]: Serial Number: 1
Status: com.netscape.cmsutil.ocsp.GoodInfo
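Both procedures above carry the same thing in the URL: a DER-encoded OCSPRequest, base64-encoded and appended to the responder path. The following added example (not part of the manual or of Certificate System) decodes that blob from the page's own URL with a small DER walker and pulls out the CertID fields, so an administrator can confirm what a GET request actually asks the OCSP Manager about (hash algorithm, issuer name and key hashes, serial number) before looking for the matching Serial Number line in the debug log. The RESPONDER_PATH constant and the function names are this example's own; the URL is the one shown on the page, re-joined onto one line.

```python
import base64
from urllib.parse import unquote, urlsplit

# Constructed from the request shown on this page (the base64 blob re-joined
# onto one line); the responder path /ocsp/ee/ocsp is the one the page uses.
RESPONDER_PATH = "/ocsp/ee/ocsp/"
OCSP_GET_URL = (
    "https://server.example.com:11443" + RESPONDER_PATH +
    "MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewd"
    "Dnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE="
)
SHA1_OID = "1.3.14.3.2.26"  # id-sha1, the hash algorithm used in this CertID


def der_tlv(buf, pos=0):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of input")
    return tag, buf[pos:end], end


def der_children(value):
    """Split a SEQUENCE body into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(value):
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    parts = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def parse_ocsp_get_url(url, responder_path=RESPONDER_PATH):
    """Extract the CertIDs from an OCSP GET URL (RFC 6960, appendix A form).

    Returns one dict per Request in the requestList. This only decodes; it
    does not verify any signature and does not contact the responder.
    """
    path = urlsplit(url).path
    if not path.startswith(responder_path):
        raise ValueError("URL does not point at the expected responder path")
    # RFC 6960 says the base64 text is URL-encoded; the page's URL is not,
    # and unquote() is a no-op in that case.
    der = base64.b64decode(unquote(path[len(responder_path):]), validate=True)

    tag, ocsp_request, _ = der_tlv(der)
    if tag != 0x30:
        raise ValueError("OCSPRequest must be a SEQUENCE")
    tbs_request = der_children(ocsp_request)[0][1]  # TBSRequest body
    # version [0] and requestorName [1] are optional context tags (0xA0/0xA1);
    # requestList is the first plain SEQUENCE inside TBSRequest.
    request_list = next(v for t, v in der_children(tbs_request) if t == 0x30)

    results = []
    for _, request in der_children(request_list):
        cert_id = der_children(request)[0][1]  # CertID SEQUENCE body
        alg, name_hash, key_hash, serial = der_children(cert_id)[:4]
        if serial[0] != 0x02:
            raise ValueError("CertID serialNumber must be an INTEGER")
        results.append({
            "hash_algorithm": decode_oid(der_children(alg[1])[0][1]),
            "issuer_name_hash": name_hash[1].hex(),
            "issuer_key_hash": key_hash[1].hex(),
            "serial": int.from_bytes(serial[1], "big", signed=True),
        })
    return results


if __name__ == "__main__":
    for req in parse_ocsp_get_url(OCSP_GET_URL):
        print(req)
```

For the page's request this yields a single CertID hashed with SHA-1 and serial number 1, which is the same serial the OCSP debug log reports in the GoodInfo line. The decoder walks only the fields it needs, so a request carrying the optional version, requestorName or extension elements still parses; it deliberately stops at decoding, since the responder, not the client, is the party that maps the CertID to a status.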
For certificates issued by a 7.1 CA with the Authority Information Access extension to be sent to the OCSP with the GET method, a redirect needs to be created to forward the requests to the appropriate URL, as described in Section 6.11, "Setting up a Redirect for Certificates Issued in Certificate System 7.1 and Earlier".