openssl ocsp -help



  • Online Certificate Status Protocol utility.

    $ openssl ocsp -help
    Usage: ocsp [options]
    Valid options are:
     -help                   Display this summary
     -out outfile            Output filename
     -timeout +int           Connection timeout (in seconds) to the OCSP responder
     -url val                Responder URL
     -host val               TCP/IP hostname:port to connect to
     -port +int              Port to run responder on
     -ignore_err             Ignore error on OCSP request or response and continue running
     -noverify               Don't verify response at all
     -nonce                  Add OCSP nonce to request
     -no_nonce               Don't add OCSP nonce to request
     -resp_no_certs          Don't include any certificates in response
     -resp_key_id            Identify response by signing certificate key ID
     -multi +int             run multiple responder processes
     -no_certs               Don't include any certificates in signed request
     -no_signature_verify    Don't check signature on response
     -no_cert_verify         Don't check signing certificate
     -no_chain               Don't chain verify response
     -no_cert_checks         Don't do additional checks on signing certificate
     -no_explicit            Do not explicitly check the chain, just verify the root
     -trust_other            Don't verify additional certificates
     -no_intern              Don't search certificates contained in response for signer
     -badsig                 Corrupt last byte of loaded OSCP response signature (for test)
     -text                   Print text form of request and response
     -req_text               Print text form of request
     -resp_text              Print text form of response
     -reqin val              File with the DER-encoded request
     -respin val             File with the DER-encoded response
     -signer infile          Certificate to sign OCSP request with
     -VAfile infile          Validator certificates file
     -sign_other infile      Additional certificates to include in signed request
     -verify_other infile    Additional certificates to search for signer
     -CAfile infile          Trusted certificates file
     -CApath infile          Trusted certificates directory
     -no-CAfile              Do not load the default certificates file
     -no-CApath              Do not load certificates from the default certificates directory
     -validity_period ulong  Maximum validity discrepancy in seconds
     -status_age +int        Maximum status age in seconds
     -signkey val            Private key to sign OCSP request with
     -reqout val             Output file for the DER-encoded request
     -respout val            Output file for the DER-encoded response
     -path val               Path to use in OCSP request
     -issuer infile          Issuer certificate
     -cert infile            Certificate to check
     -serial val             Serial number to check
     -index infile           Certificate status index file
     -CA infile              CA certificate
     -nmin +int              Number of minutes before next update
     -nrequest +int          Number of requests to accept (default unlimited)
     -ndays +int             Number of days before next update
     -rsigner infile         Responder certificate to sign responses with
     -rkey infile            Responder key to sign responses with
     -rother infile          Other certificates to include in response
     -rmd val                Digest Algorithm to use in signature of OCSP response
     -rsigopt val            OCSP response signature parameter in n:v form
     -header val             key=value header to add
     -*                      Any supported digest algorithm (sha1,sha256, ... )
     -policy val             adds policy to the acceptable policy set
     -purpose val            certificate chain purpose
     -verify_name val        verification policy name
     -verify_depth int       chain depth limit
     -auth_level int         chain authentication security level
     -attime intmax          verification epoch time
     -verify_hostname val    expected peer hostname
     -verify_email val       expected peer email
     -verify_ip val          expected peer IP address
     -ignore_critical        permit unhandled critical extensions
     -issuer_checks          (deprecated)
     -crl_check              check leaf certificate revocation
     -crl_check_all          check full chain revocation
     -policy_check           perform rfc5280 policy checks
     -explicit_policy        set policy variable require-explicit-policy
     -inhibit_any            set policy variable inhibit-any-policy
     -inhibit_map            set policy variable inhibit-policy-mapping
     -x509_strict            disable certificate compatibility work-arounds
     -extended_crl           enable extended CRL features
     -use_deltas             use delta CRLs
     -policy_print           print policy processing diagnostics
     -check_ss_sig           check root CA self-signatures
     -trusted_first          search trust store first (default)
     -suiteB_128_only        Suite B 128-bit-only mode
     -suiteB_128             Suite B 128-bit mode allowing 192-bit algorithms
     -suiteB_192             Suite B 192-bit-only mode
     -partial_chain          accept chains anchored by intermediate trust-store CAs
     -no_alt_chains          (deprecated)
     -no_check_time          ignore certificate validity time
     -allow_proxy_certs      allow the use of proxy certificates
    


© Lightnetics 2024