Sortix cross-nightly manual
This manual documents Sortix cross-nightly. You can instead view this document in the latest official manual.
NAME
ocspcheck — check a certificate for validity against its OCSP responderSYNOPSIS
ocspcheck | [-Nv] [-C CAfile] [-i staplefile] [-o staplefile] file |
DESCRIPTION
The ocspcheck utility validates a PEM format certificate against the OCSP responder encoded in the certificate specified by the file argument. Normally it should be used for checking server certificates and maintaining saved OCSP responses to be used for OCSP stapling.- -C CAfile
- Specify a PEM format root certificate bundle to use for the validation of requests. By default no certificates are used beyond those in the certificate chain provided by the file argument.
- -i staplefile
- Specify an input filename from which a DER-encoded OCSP response will be read instead of fetching it from the OCSP server. A filename of ‘-’ will read the response from standard input.
- -N
- Do not use a nonce value in the OCSP request, or validate that the nonce was returned in the OCSP response. By default a nonce is always used and validated when retrieving a response from an OCSP server. The use of this flag is a security risk as it will allow OCSP responses to be replayed. It should not be used unless the OCSP server does not support the use of OCSP nonces.
- -o staplefile
- Specify an output filename where the DER encoded response from the OCSP server will be written, if the OCSP response validates. A filename of ‘-’ will write the response to standard output. By default the response is not saved.
- -v
- Increase verbosity. This flag may be specified multiple times to get more verbose output. The default behaviour is to be silent unless something goes wrong.