Okay. As near as I can tell (since the documentation is very spotty,
and I'm trying to work with the -help output):

On the system that you're running the OCSP responder on, you need to
run the following:

openssl ocsp -port 443 -CA cacert.pem -index indexfile -rsigner signercert.pem -rkey signerkey.pem

indexfile is the file that contains the list of certificates, by
serial number, that are revoked.
The rsigner certificate MUST be granted OCSP responder permission by
certificate extension.

Now, as far as a client?

openssl ocsp -url http://ocsp.responder.com/ -CApath local/directory/name -resp_text -req_text [-serial serialnum] [-cert

I put the last two in brackets because you need to have at least one of the

I don't know if OpenSSL is intelligent enough to read the OCSP
validation URL from the certificate or not; if it is, and you have the
certificate you want to check, then don't put the -url in. You do
still need to have a trusted CA (either as a file or a directory) to
be able to verify the return.


and if I'm horribly, horribly wrong, it's partly because I'm looking
at the 0.9.9 code, and partly because it's completely undocumented.
Anyone have any additional help to offer?

-Kyle H

On 2/8/06, baliw_na_sa_ssl (sent by Nabble.com) wrote:
> Does anyone know how the ocsp functions in 0.9.7b of openssl work?
> Or even the steps in OCSP send request and response.
> Your help is needed asap...thanks :-)
> Sent from the OpenSSL - Dev forum at Nabble.com.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org
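
The responder and client exchange discussed in the message above, as an added example that is not part of the original post: it runs both sides offline with request and response files and shows why the responder certificate needs the OCSP signing extension. It assumes OpenSSL 1.1.1 or later; the CA, the certificate names, serials, dates and the use of -reqin/-respout/-CAfile in place of -port/-url/-CApath are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: throwaway CA, responder and leaf certificates in a temp
# directory. Names, serials and dates are made up; no network is used.
work=$(mktemp -d) && cd "$work" || exit 1
printf '[ocsp]\nextendedKeyUsage=OCSPSigning\n[plain]\nbasicConstraints=CA:FALSE\n' > ext.cnf

# issue NAME SERIAL SECTION: new key plus a certificate signed by the demo CA
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1.example" \
        -keyout "$1key.pem" -out "$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -CA cacert.pem -CAkey cakey.pem \
        -set_serial "$2" -days 2 -extfile ext.cnf -extensions "$3" \
        -out "$1cert.pem" 2>/dev/null
}

setup() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 2 \
        -keyout cakey.pem -out cacert.pem 2>/dev/null &&
    issue signer 0x2001 ocsp &&     # responder cert with the OCSPSigning EKU
    issue nosign 0x2002 plain &&    # responder cert without it
    issue good 0x1001 plain && issue revoked 0x1002 plain &&
    # Index in "openssl ca" database format, tab separated:
    # status, expiry, revocation date, serial (hex), file name, subject
    printf 'V\t350101000000Z\t\t1001\tunknown\t/CN=good.example\n' > indexfile &&
    printf 'R\t350101000000Z\t240101000000Z\t1002\tunknown\t/CN=revoked.example\n' >> indexfile
}

# ocsp_status LEAF SIGNER: prints "<cert status> <verified|unverified>"
ocsp_status() {
    # Client: build the request for LEAF.
    openssl ocsp -issuer cacert.pem -cert "$1cert.pem" -reqout req.der \
        2>/dev/null || return 1
    # Responder: the options from the post, with -reqin/-respout replacing -port.
    openssl ocsp -index indexfile -CA cacert.pem -rsigner "$2cert.pem" \
        -rkey "$2key.pem" -reqin req.der -respout resp.der 2>/dev/null || return 1
    # Client: check nonce and signature against the trusted CA, dump the response.
    out=$(openssl ocsp -reqin req.der -respin resp.der -CAfile cacert.pem \
        -resp_text 2>&1) || true
    status=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: //p' | head -n 1)
    case $out in
        *"Response verify OK"*) echo "$status verified" ;;
        *) echo "$status unverified" ;;
    esac
}

setup || exit 1
ocsp_status good signer      # good verified
ocsp_status revoked signer   # revoked verified
ocsp_status good nosign      # good unverified
```

The last call is the case to watch for: the response body still says "good", but the client rejects the signature because the responder certificate lacks the OCSP signing extension, so the status must not be relied on.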