How do I request OCSP?
- Extract server and issuer certificates from somewhere (SSL connection most likely)
- Extract the OCSP server list from the server certificate.
- Generate an OCSP request using the server and issuer certificates.
- Send the request to the OCSP server and get a response back.
- Optionally validate the response.
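
The five steps above as an added offline lab, using only `openssl` (this example is not part of the original page). Because no network is used, step 1 is replaced by minting a throwaway CA and server certificate, and step 4 by openssl's responder mode answering from an index file; the names, the serial `0x1001` and the URL `http://ocsp.example.test` are constructed.

```shell
#!/usr/bin/env bash
# Offline lab: every name, serial and URL below is constructed for illustration.
set -eu
LAB=$(mktemp -d)

# Step 1 stand-in. Against a live server both certificates would come from
# `openssl s_client -connect HOST:443 -showcerts`; here a throwaway pair is minted.
make_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$LAB/ca.key" \
    -out "$LAB/ca.pem" -subj "/CN=Lab CA" -days 1 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$LAB/srv.key" \
    -out "$LAB/srv.csr" -subj "/CN=srv.example.test" 2>/dev/null
  echo 'authorityInfoAccess = OCSP;URI:http://ocsp.example.test' > "$LAB/ext.cnf"
  openssl x509 -req -in "$LAB/srv.csr" -CA "$LAB/ca.pem" -CAkey "$LAB/ca.key" \
    -set_serial 0x1001 -days 1 -extfile "$LAB/ext.cnf" -out "$LAB/srv.pem" 2>/dev/null
}

# Step 2: the responder URL lives in the Authority Information Access extension.
ocsp_uri() { openssl x509 -in "$LAB/srv.pem" -noout -ocsp_uri; }

# Steps 3-5. $1 is the CA index flag for serial 1001: V (valid) or R (revoked).
ocsp_status() {
  if [ "$1" = R ]; then rev=250101000000Z; else rev=; fi
  printf '%s\t350101000000Z\t%s\t1001\tunknown\t/CN=srv.example.test\n' \
    "$1" "$rev" > "$LAB/index.txt"
  # 3. Build the request from issuer + server certificate (nonce added by default).
  openssl ocsp -issuer "$LAB/ca.pem" -cert "$LAB/srv.pem" \
    -reqout "$LAB/req.der" >/dev/null 2>&1 || return 1
  # 4. Stand-in for the HTTP round trip (live: add `-url "$(ocsp_uri)"` to step 3):
  #    openssl's responder mode answers the request file from the index.
  openssl ocsp -index "$LAB/index.txt" -CA "$LAB/ca.pem" -rsigner "$LAB/ca.pem" \
    -rkey "$LAB/ca.key" -reqin "$LAB/req.der" -respout "$LAB/resp.der" \
    -ndays 1 >/dev/null 2>&1 || return 1
  # 5. Validate: the signature must chain to the CA and the nonce must match the
  #    request. Only then is the reported status worth reading.
  out=$(openssl ocsp -reqin "$LAB/req.der" -respin "$LAB/resp.der" \
    -CAfile "$LAB/ca.pem" -resp_text 2>&1) || return 1
  printf '%s\n' "$out" | grep -q 'Response verify OK' || return 1
  printf '%s\n' "$out" | sed -n 's/^ *Cert Status: //p'
}

make_certs
echo "responder URL:   $(ocsp_uri)"
echo "index flag V ->  $(ocsp_status V)"
echo "index flag R ->  $(ocsp_status R)"
```

The status line is printed only after `Response verify OK` appears, so an unsigned or mis-signed response yields no status instead of a misleading "good".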
What is OCSP request?
OCSP stands for Online Certificate Status Protocol and is used by Certificate Authorities to check the revocation status of an X.509 digital certificate.
Which are valid OCSP responses?
The Online Certificate Status Protocol (OCSP) is used to check the revocation status of an X.509 digital certificate. To check if the certificate’s serial number sent in the request is valid, click on the response packet. …
Where can I find the OCSP responder certificate?
Initially the OCSP responder certificate is located and the signature on the OCSP request checked using the responder certificate’s public key. Then a normal certificate verify is performed on the OCSP responder certificate building up a certificate chain in the process.
How to check certificate revocation status using OCSP?
CRL then OCSP – If a certificate’s revocation status cannot be determined by checking available CRLs, its OCSP status is checked. For more customization options (e.g. fail on Unknown revocation status, using nonce, setting response timeout interval, response cache), refer to the Oracle documentation.
What does the OCSP stand for in SSL?
The OCSP, or Online Certificate Status Protocol, is a protocol designed to deliver the revocation status of an X.509 SSL or TLS certificate. In theory, it is more performant than its CRL (Certificate Revocation List) alternative.
Can an OpenSSL command serve as an OCSP server?
The openssl ocsp command and utility can print out OCSP requests and responses, create requests, and query an OCSP responder for OCSP testing. It can also act as an OCSP server or responder itself.