summaryrefslogtreecommitdiff
path: root/doc/invoke-ocsptool.texi
diff options
context:
space:
mode:
Diffstat (limited to 'doc/invoke-ocsptool.texi')
-rw-r--r--doc/invoke-ocsptool.texi245
1 files changed, 134 insertions, 111 deletions
diff --git a/doc/invoke-ocsptool.texi b/doc/invoke-ocsptool.texi
index a4f9b95ba5..c2f87d277c 100644
--- a/doc/invoke-ocsptool.texi
+++ b/doc/invoke-ocsptool.texi
@@ -6,25 +6,32 @@
#
# DO NOT EDIT THIS FILE (invoke-ocsptool.texi)
#
-# It has been AutoGen-ed December 29, 2012 at 01:05:09 PM by AutoGen 5.12
+# It has been AutoGen-ed January 1, 2013 at 09:07:57 PM by AutoGen 5.16
# From the definitions ../src/ocsptool-args.def
# and the template file agtexi-cmd.tpl
@end ignore
+
Ocsptool is a program that can parse and print information about
OCSP requests/responses, generate requests and verify responses.
This section was generated by @strong{AutoGen},
using the @code{agtexi-cmd} template and the option descriptions for the @code{ocsptool} program.
-
-This software is released under the GNU General Public License.
+This software is released under the GNU General Public License, version 3 or later.
@anchor{ocsptool usage}
-@subsubheading ocsptool usage help (-?)
+@subsubheading ocsptool help/usage (-h)
+@cindex ocsptool help
-This is the automatically generated usage text for ocsptool:
+This is the automatically generated usage text for ocsptool.
+The text printed is the same whether for the @code{help} option (-h) or the @code{more-help} option (-!). @code{more-help} will print
+the usage text by passing it through a pager program.
+@code{more-help} is disabled on platforms without a working
+@code{fork(2)} function. The @code{PAGER} environment variable is
+used to select the program, defaulting to @file{more}. Both will exit
+with a status code of 0.
@exampleindent 0
@example
@@ -83,11 +90,19 @@ please send bug reports to: bug-gnutls@@gnu.org
@end example
@exampleindent 4
+@anchor{ocsptool debug}
+@subsubheading debug option (-d)
+
+This is the ``enable debugging.'' option.
+This option takes an argument number.
+Specifies the debug level.
@anchor{ocsptool ask}
@subsubheading ask option
This is the ``ask an ocsp/http server on a certificate validity'' option.
+This option takes an optional argument string @file{server name|url}.
+@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
@@ -96,141 +111,149 @@ load-cert, load-issuer.
@end itemize
Connects to the specified HTTP OCSP server and queries on the validity of the loaded certificate.
+@anchor{ocsptool exit status}
+@subsubheading ocsptool exit status
-@anchor{ocsptool debug}
-@subsubheading debug option (-d)
-
-This is the ``enable debugging.'' option.
-Specifies the debug level.
-
-@anchor{ocsptool generate-request}
-@subsubheading generate-request option (-q)
-
-This is the ``generate an ocsp request'' option.
-
-
-@anchor{ocsptool inder}
-@subsubheading inder option
-
-This is the ``use der format for input certificates and private keys'' option.
-
-
-@anchor{ocsptool infile}
-@subsubheading infile option
-
-This is the ``input file'' option.
-
-
-@anchor{ocsptool load-cert}
-@subsubheading load-cert option
-
-This is the ``read certificate to check from file'' option.
-
-
-@anchor{ocsptool load-issuer}
-@subsubheading load-issuer option
-
-This is the ``read issuer certificate from file'' option.
-
-
-@anchor{ocsptool load-request}
-@subsubheading load-request option (-Q)
-
-This is the ``read der encoded ocsp request from file'' option.
-
-
-@anchor{ocsptool load-response}
-@subsubheading load-response option (-S)
-
-This is the ``read der encoded ocsp response from file'' option.
-
-
-@anchor{ocsptool load-signer}
-@subsubheading load-signer option
-
-This is the ``read ocsp response signer from file'' option.
-
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-must not appear in combination with any of the following options:
-load-trust.
-@end itemize
-
-
+One of the following exit values will be returned:
+@table @samp
+@item 0 (EXIT_SUCCESS)
+Successful program execution.
+@item 1 (EXIT_FAILURE)
+The operation failed or the command syntax was not valid.
+@end table
+@anchor{ocsptool See Also}
+@subsubheading ocsptool See Also
+ certtool (1)
-@anchor{ocsptool load-trust}
-@subsubheading load-trust option
+@anchor{ocsptool Examples}
+@subsubheading ocsptool Examples
+@subsubheading Print information about an OCSP request
-This is the ``read ocsp trust anchors from file'' option.
+To parse an OCSP request and print information about the content, the
+@code{-i} or @code{--request-info} parameter may be used as follows.
+The @code{-Q} parameter specify the name of the file containing the
+OCSP request, and it should contain the OCSP request in binary DER
+format.
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-must not appear in combination with any of the following options:
-load-signer.
-@end itemize
+@example
+$ ocsptool -i -Q ocsp-request.der
+@end example
+The input file may also be sent to standard input like this:
+@example
+$ cat ocsp-request.der | ocsptool --request-info
+@end example
-@anchor{ocsptool nonce}
-@subsubheading nonce option
+@subsubheading Print information about an OCSP response
-This is the ``don't add nonce to ocsp request'' option.
+Similar to parsing OCSP requests, OCSP responses can be parsed using
+the @code{-j} or @code{--response-info} as follows.
+@example
+$ ocsptool -j -Q ocsp-response.der
+$ cat ocsp-response.der | ocsptool --response-info
+@end example
-@anchor{ocsptool outfile}
-@subsubheading outfile option
+@subsubheading Generate an OCSP request
-This is the ``output file'' option.
+The @code{-q} or @code{--generate-request} parameters are used to
+generate an OCSP request. By default the OCSP request is written to
+standard output in binary DER format, but can be stored in a file
+using @code{--outfile}. To generate an OCSP request the issuer of the
+certificate to check needs to be specified with @code{--load-issuer}
+and the certificate to check with @code{--load-cert}. By default PEM
+format is used for these files, although @code{--inder} can be used to
+specify that the input files are in DER format.
+@example
+$ ocsptool -q --load-issuer issuer.pem --load-cert client.pem \
+ --outfile ocsp-request.der
+@end example
-@anchor{ocsptool request-info}
-@subsubheading request-info option (-i)
+When generating OCSP requests, the tool will add an OCSP extension
+containing a nonce. This behaviour can be disabled by specifying
+@code{--no-nonce}.
-This is the ``print information on a ocsp request'' option.
+@subsubheading Verify signature in OCSP response
+To verify the signature in an OCSP response the @code{-e} or
+@code{--verify-response} parameter is used. The tool will read an
+OCSP response in DER format from standard input, or from the file
+specified by @code{--load-response}. The OCSP response is verified
+against a set of trust anchors, which are specified using
+@code{--load-trust}. The trust anchors are concatenated certificates
+in PEM format. The certificate that signed the OCSP response needs to
+be in the set of trust anchors, or the issuer of the signer
+certificate needs to be in the set of trust anchors and the OCSP
+Extended Key Usage bit has to be asserted in the signer certificate.
-@anchor{ocsptool response-info}
-@subsubheading response-info option (-j)
+@example
+$ ocsptool -e --load-trust issuer.pem \
+ --load-response ocsp-response.der
+@end example
-This is the ``print information on a ocsp response'' option.
+The tool will print status of verification.
+@subsubheading Verify signature in OCSP response against given certificate
-@anchor{ocsptool verbose}
-@subsubheading verbose option (-V)
+It is possible to override the normal trust logic if you know that a
+certain certificate is supposed to have signed the OCSP response, and
+you want to use it to check the signature. This is achieved using
+@code{--load-signer} instead of @code{--load-trust}. This will load
+one certificate and it will be used to verify the signature in the
+OCSP response. It will not check the Extended Key Usage bit.
-This is the ``more verbose output'' option.
+@example
+$ ocsptool -e --load-signer ocsp-signer.pem \
+ --load-response ocsp-response.der
+@end example
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-may appear an unlimited number of times.
-@end itemize
+This approach is normally only relevant in two situations. The first
+is when the OCSP response does not contain a copy of the signer
+certificate, so the @code{--load-trust} code would fail. The second
+is if you want to avoid the indirect mode where the OCSP response
+signer certificate is signed by a trust anchor.
+@subsubheading Real-world example
+Here is an example of how to generate an OCSP request for a
+certificate and to verify the response. For illustration we'll use
+the @code{blog.josefsson.org} host, which (as of writing) uses a
+certificate from CACert. First we'll use @code{gnutls-cli} to get a
+copy of the server certificate chain. The server is not required to
+send this information, but this particular one is configured to do so.
-@anchor{ocsptool verify-response}
-@subsubheading verify-response option (-e)
+@example
+$ echo | gnutls-cli -p 443 blog.josefsson.org --print-cert > chain.pem
+@end example
-This is the ``verify response'' option.
+Use a text editor on @code{chain.pem} to create three files for each
+separate certificates, called @code{cert.pem} for the first
+certificate for the domain itself, secondly @code{issuer.pem} for the
+intermediate certificate and @code{root.pem} for the final root
+certificate.
-@anchor{ocsptool exit status}
-@subsubheading ocsptool exit status
+The domain certificate normally contains a pointer to where the OCSP
+responder is located, in the Authority Information Access Information
+extension. For example, from @code{certtool -i < cert.pem} there is
+this information:
-One of the following exit values will be returned:
-@table @samp
-@item 0
-Successful program execution.
-@item 1
-The operation failed or the command syntax was not valid.
-@end table
+@example
+Authority Information Access Information (not critical):
+Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
+Access Location URI: http://ocsp.CAcert.org/
+@end example
+This means the CA support OCSP queries over HTTP. We are now ready to
+create a OCSP request for the certificate.
-@anchor{ocsptool See Also}
-@subsubheading ocsptool See Also
+@example
+$ ocsptool --ask ocsp.CAcert.org --load-issuer issuer.pem \
+ --load-cert cert.pem --outfile ocsp-response.der
+@end example
+The request is sent via HTTP to the OCSP server address specified. If the
+address is ommited ocsptool will use the address stored in the certificate.
-@anchor{ocsptool Examples}
-@subsubheading ocsptool Examples
View Lorry Controller Status