Submitting OCSP Requests Using the GET Method - Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual


Chapter 7. Using the Online Certificate Status Protocol Responder
Table 7.1. OCSP Parameters for server.xml

ocspMinCacheEntryDuration
    Sets the minimum number of seconds before another fetch attempt can be made. For example, if this is set to 120, then the validity of a certificate cannot be checked again until at least 2 minutes after the last validity check.

ocspMaxCacheEntryDuration
    Sets the maximum number of seconds to wait before making the next fetch attempt. This prevents having too large a window between validity checks.

ocspTimeout
    Sets the timeout period, in seconds, for the OCSP request.

7.6. Submitting OCSP Requests Using the GET Method

OCSP requests which are smaller than 255KB can be submitted to the Online Certificate Status Manager using the GET method, as described in RFC 2560. To submit OCSP requests over GET:

1. Generate an OCSP request for the certificate whose status is being queried. For example:

   # OCSPClient server.example.com 11180 /var/lib/pki-ca/alias 'caSigningCert cert-pki-ca' 1 /export/output.txt 1
   URI: /ocsp/ee/ocsp
   Data Length: 68
   Data: MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE=
The Certificate System's OCSPClient tool has the format:

   OCSPClient host port /path/to/CA_cert_database 'CA_signing_cert_nickname' serial_number output_file times

An OCSP request can also be generated using OpenSSL tools, as described at http://openssl.org/docs/apps/ocsp.html, or through a browser such as Internet Explorer 7.0.
2. Paste the URL in the address bar of a web browser to return the status information. The browser must be able to handle OCSP requests.

   https://server.example.com:11443/ocsp/ee/ocsp/MEIwQDA+MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE=
3. The OCSP Manager responds with the certificate status, which the browser can interpret. The possible statuses are GOOD, REVOKED, and UNKNOWN.
Alternatively, submit the OCSP request from the command line using a tool such as wget, and check the OCSP logs for the response. For example:

1. Generate an OCSP request for the certificate whose status is being queried.