Problems with server mode of openssl ocsp

Problems with server mode of openssl ocsp

Robert Moskowitz
Good progress.  A few questions:

on
https://jamielinux.com/docs/openssl-certificate-authority/online-certificate-status-protocol.html

The sample server test command is:

openssl ocsp -port 127.0.0.1:2560 -text -sha256 \
       -index intermediate/index.txt \
       -CA intermediate/certs/ca-chain.cert.pem \
       -rkey intermediate/private/ocsp.example.com.key.pem \
       -rsigner intermediate/certs/ocsp.example.com.cert.pem \
       -nrequest 1

Turns out this is a wrong format for -port.  Only the portnum is
allowed, not the host.  Turns out that

-port 2560

works as it seems to be listening on localhost.  But how DO you set up
which address to listen on?  -host seems to be only for client mode, and
I don't see how I would use -url.

The -sha256 option results in the error:

ocsp: Digest must be before -cert or -serial
ocsp: Use -help for summary.

I don't see either -cert or -serial in that command.  If I leave the
hash out, it defaults to sha1.  How do I specify the hash?

thanks

Bob

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: Problems with server mode of openssl ocsp

Dr. Stephen Henson
On Thu, Sep 07, 2017, Robert Moskowitz wrote:

> Good progress.  A few questions:
>
> on https://jamielinux.com/docs/openssl-certificate-authority/online-certificate-status-protocol.html
>
> The sample server test command is:
>
> openssl ocsp -port 127.0.0.1:2560 -text -sha256 \
>       -index intermediate/index.txt \
>       -CA intermediate/certs/ca-chain.cert.pem \
>       -rkey intermediate/private/ocsp.example.com.key.pem \
>       -rsigner intermediate/certs/ocsp.example.com.cert.pem \
>       -nrequest 1
>
> Turns out this is a wrong format for -port.  Only the portnum is
> allowed, not the host.  Turns out that
>
> -port 2560
>
> works as it seems to be listening on localhost.  But how DO you set
> up which address to listen on?  -host seems to be only for client
> mode, and I don't see how I would use -url.
>

There is currently no option to do that.

> The -sha256 option results in the error:
>
> ocsp: Digest must be before -cert or -serial
> ocsp: Use -help for summary.
>
> I don't see either -cert or -serial in that command.  If I leave the
> hash out, it defaults to sha1.  How do I specify the hash?
>

Do you mean the digest the response is signed with? Try the -rmd option if so.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Problems with server mode of openssl ocsp

Robert Moskowitz


On 09/07/2017 04:13 PM, Dr. Stephen Henson wrote:

> On Thu, Sep 07, 2017, Robert Moskowitz wrote:
>
>> Good progress.  A few questions:
>>
>> on https://jamielinux.com/docs/openssl-certificate-authority/online-certificate-status-protocol.html
>>
>> The sample server test command is:
>>
>> openssl ocsp -port 127.0.0.1:2560 -text -sha256 \
>>        -index intermediate/index.txt \
>>        -CA intermediate/certs/ca-chain.cert.pem \
>>        -rkey intermediate/private/ocsp.example.com.key.pem \
>>        -rsigner intermediate/certs/ocsp.example.com.cert.pem \
>>        -nrequest 1
>>
>> Turns out this is a wrong format for -port.  Only the portnum is
>> allowed, not the host.  Turns out that
>>
>> -port 2560
>>
>> works as it seems to be listening on localhost.  But how DO you set
>> up which address to listen on?  -host seems to be only for client
>> mode, and I don't see how I would use -url.
>>
> There is currently no option to do that.

OK.  It does listen on localhost, so I'm OK with just -port 2560.  I
will have to send Jamie a note...

>> The -sha256 option results in the error:
>>
>> ocsp: Digest must be before -cert or -serial
>> ocsp: Use -help for summary.
>>
>> I don't see either -cert or -serial in that command.  If I leave the
>> hash out, it defaults to sha1.  How do I specify the hash?
>>
> Do you mean the digest the response is signed with? Try the -rmd option if so.

No such option documented at:

https://www.openssl.org/docs/man1.1.0/apps/ocsp.html

but 'openssl ocsp -help' does list it.  I am assuming that I would use:

-rmd sha256

It will be a bit before I get back to that part of the test.

thanks

Bob

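Worked example, added to this archive page; it is not code from the thread, from Jamie's tutorial or from OpenSSL itself. It builds a throwaway CA and runs the full request/response round trip of the commands discussed above, feeding the responder a request file instead of a listening socket so that it runs offline. It illustrates the two points of the exchange. First, the -sha256 style digest options select the hash used for the CertID of a following -cert or -serial and must precede it; on their own, as in the quoted server command, the option parser rejects them with exactly the "Digest must be before -cert or -serial" message, so they do not belong in the responder invocation at all. Second, the digest the responder signs its responses with is chosen with -rmd, the option Steve points to (absent from the 1.1.0 ocsp(1) page but listed by -help, and documented in later releases). Everything else is constructed for the demo: the 'demo_ca' config section, the CNs, the ocsp-demo working directory and keyCompromise as the revocation reason.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL: build a throwaway
# CA, issue a leaf and a delegated OCSP signer, revoke the leaf, then run
# 'openssl ocsp' in responder mode against a saved request file (no socket).
# Names, paths and the 'demo_ca' config section are invented for the demo.
set -eu

WORK="${OCSP_DEMO_DIR:-${TMPDIR:-/tmp}/ocsp-demo.$$}"
LOG="$WORK/openssl.log"   # noisy 'openssl ca' / 'openssl req' output lands here

# Minimal 'openssl ca' configuration, constructed for this demo only.
write_config() {
    mkdir -p "$WORK/newcerts"
    : > "$WORK/index.txt"
    echo 1000 > "$WORK/serial"
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca         = demo_ca
[ demo_ca ]
dir                = $WORK
database           = \$dir/index.txt
new_certs_dir      = \$dir/newcerts
serial             = \$dir/serial
certificate        = \$dir/ca.pem
private_key        = \$dir/ca.key
default_md         = sha256
default_days       = 30
policy             = demo_policy
[ demo_policy ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints   = critical,CA:TRUE
keyUsage           = critical,keyCertSign,cRLSign
[ leaf_ext ]
basicConstraints   = CA:FALSE
[ ocsp_ext ]
basicConstraints   = CA:FALSE
keyUsage           = critical,digitalSignature
extendedKeyUsage   = critical,OCSPSigning
EOF
}

# issue NAME CN EXT_SECTION: CSR plus 'openssl ca' signing, recorded in index.txt
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" >>"$LOG" 2>&1
    openssl ca -batch -notext -config "$WORK/ca.cnf" -extensions "$3" \
        -in "$WORK/$1.csr" -out "$WORK/$1.pem" >>"$LOG" 2>&1
}

build_pki() {
    write_config
    openssl req -x509 -newkey rsa:2048 -nodes -days 60 -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -subj "/CN=Demo Root CA" >>"$LOG" 2>&1
    issue leaf leaf.example.test leaf_ext
    issue ocsp ocsp.example.test ocsp_ext
    # Revoke the leaf so the responder has a non-trivial answer to give.
    openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/leaf.pem" \
        -crl_reason keyCompromise >>"$LOG" 2>&1
}

# Client side: build a request. The digest option sets the CertID hash and
# must come before -cert (which itself needs -issuer to be parsed first).
make_request() {
    openssl ocsp -issuer "$WORK/ca.pem" -sha256 -cert "$WORK/leaf.pem" \
        -reqout "$WORK/req.der" >>"$LOG" 2>&1
}

# Responder side: the same work '-port 2560' does per connection, applied
# once to the saved request. -rmd selects the response signature digest.
answer_request() {
    openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.pem" \
        -rsigner "$WORK/ocsp.pem" -rkey "$WORK/ocsp.key" -rmd sha256 \
        -reqin "$WORK/req.der" -respout "$WORK/resp.der" >>"$LOG" 2>&1
}

# Dump the stored response; no request is built here, so no nonce to match.
response_text() {
    openssl ocsp -respin "$WORK/resp.der" -resp_text -noverify -no_nonce 2>>"$LOG"
}

# Verify the stored response against the leaf: the same digest must precede
# -cert so the CertIDs match, and -no_nonce because this fresh request is not
# the one the response answered. Prints "<leaf>: revoked" plus the reason.
check_status() {
    openssl ocsp -issuer "$WORK/ca.pem" -sha256 -cert "$WORK/leaf.pem" -no_nonce \
        -respin "$WORK/resp.der" -CAfile "$WORK/ca.pem"
}

build_pki
make_request
answer_request
response_text | grep -E 'Hash Algorithm|Signature Algorithm'
check_status
```

The script leaves its files in the working directory for inspection and sends the chatty CA output to openssl.log there; the filtered dump shows the CertID hashed with sha256 and the response signed with sha256WithRSAEncryption, and the final step reports the leaf as revoked with "Response verify OK". To get the same answer over the network, start the responder with the tutorial's options plus -port 2560 -nrequest 1, point the client at it with -url http://127.0.0.1:2560, and check with ss -ltn (or netstat -ltn) which address the listener is actually bound to rather than assuming it is loopback-only.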