Test OCSP Services
Test the OCSP services offered by the Validation Responder using an OCSP client tool, such as the ActivID Validation Client, the Desktop Validation Client or OpenSSL (available from openssl.org). The following example uses the OpenSSL command line tool.
From the command line, type the following:
>openssl ocsp -CAfile cafile.pem -issuer ISSUER.cer -cert USER.cer -url http://ra2400D-name/ -no_nonce
Where:
- cafile.pem is a file in base-64 (PEM) format that contains a set of PEM-format trusted CA certificates that can be used to verify the signature on the OCSP response.
- ISSUER.cer is a file in base-64 (PEM) format that contains the certificate of the Certificate Authority that signed the USER.cer file.
- USER.cer is a file in base-64 (PEM) format that contains the certificate for which you want to determine the status.
- ra2400D-name is the Validation Responder hostname.
The following is an example:
OpenSSL> ocsp -sha256/1 -no_nonce -issuer msca178-root.cer -url http://10.16.33.29:3502/ -VAfile ocsp-signature.cer -serial "0x75000002e45d6ba1bf9e50d6ad0000000002e4"
Response verify OK
0x75000002e45d6ba1bf9e50d6ad0000000002e4: revoked
This Update: Mar 30 20:41:20 2016 GMT
Next Update: Mar 31 23:25:20 2016 GMT
Revocation Time: Sep 28 22:23:26 2015 GMT

OpenSSL> OpenSSL ocsp -sha256/1 -issuer msca178-root.cer -url https://10.16.33.29:3602/ -VAfile ocsp-signature.cer -serial "0x75000002e45d6ba1bf9e50d6ad0000000002e4"
WARNING: no nonce in response
Response verify OK
0x75000002e45d6ba1bf9e50d6ad0000000002e4: revoked
This Update: Mar 30 20:41:20 2016 GMT
Next Update: Mar 31 23:25:20 2016 GMT
Revocation Time: Sep 28 22:23:26 2015 GMT

OpenSSL> ocsp -sha256/1 -issuer msca178-root.cer -url https://10.16.33.29:3602/ocsp -VAfile ocsp-signature.cer -serial "0x75000002e45d6ba1bf9e50d6ad0000000002e4"
WARNING: no nonce in response
Response verify OK
0x75000002e45d6ba1bf9e50d6ad0000000002e4: revoked
This Update: Mar 30 20:41:20 2016 GMT
Next Update: Mar 31 23:25:20 2016 GMT
Revocation Time: Sep 28 22:23:26 2015 GMT
OpenSSL>
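When the test is scripted rather than read by eye, the output shown above can be reduced to a single verdict. The following is an added example, not part of the product documentation: the function names ocsp_verdict and sample_revoked are hypothetical, the sample text is constructed from the sessions above, and the caller is assumed to merge stderr into stdout.

```shell
#!/bin/sh
# Added example: turn `openssl ocsp` text output into one verdict word.
# Usage (assumed): openssl ocsp ... 2>&1 | ocsp_verdict [strict]
#   2>&1 is used in case the verify line is written to stderr.
# Prints: good | revoked | unknown | unverified | no-nonce | no-status
# Returns 0 only for a signature-verified "good" answer.
ocsp_verdict() {
    awk -v strict="${1:-}" '
        /^Response verify OK/            { verified = 1 }
        /^Response Verify Failure/       { failed = 1 }
        /^WARNING: no nonce in response/ { nonce_missing = 1 }
        # Status line looks like "<cert file or serial>: revoked"
        /: (good|revoked|unknown)$/      { status = $NF }
        END {
            # An answer whose signature did not verify proves nothing.
            if (failed || !verified) { print "unverified"; exit 1 }
            # strict: a nonce was requested but not echoed, so the
            # response may be pre-produced or replayed.
            if (strict == "strict" && nonce_missing) { print "no-nonce"; exit 1 }
            if (status == "") { print "no-status"; exit 1 }
            print status
            if (status != "good") exit 1
        }
    '
}

# Constructed sample, modelled on the second session shown above.
sample_revoked() {
    cat <<'EOF'
WARNING: no nonce in response
Response verify OK
0x75000002e45d6ba1bf9e50d6ad0000000002e4: revoked
This Update: Mar 30 20:41:20 2016 GMT
Next Update: Mar 31 23:25:20 2016 GMT
Revocation Time: Sep 28 22:23:26 2015 GMT
EOF
}

# Stand-alone demonstration: prints "revoked".
sample_revoked | ocsp_verdict || true
```

Without a nonce, freshness rests only on the This Update and Next Update times, so a scripted check should also compare Next Update against the current time.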