[openssl-users] generate TLS OCSP responses for a time in the past using -attime not possible?

Albers, Thorsten

Hi,

for test purposes I would like to create OCSP responses for a time in the past, let’s say for 5 days in the past. In the documentation for the ocsp command there is a list of verification options a client might use / request.

I would have expected that a command could look like the following:

openssl ocsp -sha256 -issuer Root_A_cert.cer -cert Sub1_A_cert.cer -reqout Sub1_OCSPRequest.bin -text -attime <old timestamp>

with <old timestamp> being a time in the past.

But all I get is openssl telling me that ‘attime’ is not a valid parameter. Am I doing something wrong, or is this not implemented yet?

Regards,

Thorsten

_______________________________________________
openssl-users mailing list
[hidden email]
https://mta.opensslfoundation.net/mailman/listinfo/openssl-users

Re: [openssl-users] generate TLS OCSP responses for a time in the past using -attime not possible?

Jaime Hablutzel Egoavil


Maybe not a straight answer to your question, but go and read the openssl source code; it is not really hard to understand and you can check all the supported parameters.

Re: [openssl-users] generate TLS OCSP responses for a time in the past using -attime not possible?

Walter H.
In reply to this post by Albers, Thorsten
It works like this, as I do it like this:

openssl ocsp -index db.list -CA ca.pem -rsigner ocsprsp.pem -rkey ocsprsp.key -nmin 45 -resp_key_id -noverify -reqin reqin.bin -respout reqout.bin

db.list is generated by using openssl with the ca parameter
ca.pem is the certificate that signed the OCSP responder certificate and the certificate that is in db.list
ocsprsp.pem and ocsprsp.key are the OCSP responder certificate
reqin.bin is the OCSP request, that comes typically with an HTTP request
respout.bin is the OCSP response that is typically sent out with an HTTP response
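
A self-contained round trip built around the responder command above, as an added example that is not part of the original post. It shows that the response's This Update field is stamped from the signing host's clock and that -nmin only sets Next Update. The throwaway CA, the leaf serial 0x1001, the hand-written db.list line and all file names are constructed for the demo, and the CA key signs the response directly to keep it short.

```bash
#!/usr/bin/env bash
# Added example: test PKI plus an offline OCSP request/response round trip.
# Every name, subject and serial below is constructed for this demo.
set -eu

ocsp_roundtrip() (
  d=$(mktemp -d); trap 'rm -rf "$d"' EXIT; cd "$d"

  # Throwaway test CA; it also signs the OCSP response here, for brevity.
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Test CA" \
      -keyout ca.key -out ca.pem -days 30 2>/dev/null
  # Leaf certificate with a fixed serial so it can be listed in the index.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
      -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key \
      -set_serial 0x1001 -days 10 -out leaf.pem 2>/dev/null

  # Minimal index in the tab-separated layout "openssl ca" maintains:
  # status, expiry (YYMMDDHHMMSSZ), revocation date, serial, file, subject.
  printf 'V\t401231235959Z\t\t1001\tunknown\t/CN=leaf.example\n' > db.list

  # Client side: build the request (no nonce, so the response can be replayed).
  openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout reqin.bin

  # Responder side: same shape as the command in the post above.
  openssl ocsp -index db.list -CA ca.pem -rsigner ca.pem -rkey ca.key \
      -nmin 45 -noverify -reqin reqin.bin -respout respout.bin

  # Client side again: verify the stored response and print its status
  # together with the This Update / Next Update times it carries.
  openssl ocsp -respin respout.bin -issuer ca.pem -cert leaf.pem \
      -no_nonce -CAfile ca.pem 2>&1
)

ocsp_roundtrip
```
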



Re: [openssl-users] generate TLS OCSP responses for a time in the past using -attime not possible?

Matt Caswell-2
In reply to this post by Albers, Thorsten

-attime for ocsp is only implemented in version 1.0.2 (not yet released) and above.

Matt

