pki --ocsp
Synopsis
pki --ocsp [--in file] [--cacert file]+ pki --ocsp --respond [--in file] [--lifetime minutes] [--cacert file [--index file]]+ [--key file|--keyid hex]+ [--cert file|--certid hex]+ [--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512] [--rsa-padding pkcs1|pss] pki --ocsp --help
Description
This pki
subcommand parses an Online Certificate Status Protocol
(OCSP) request as defined by RFC 6960 and with the --respond
option
generates an OCSP response based on the OCSP request. The certificate status for
this may be provided by plugins, so if not using the --index
option, this requires
the openxpki
and mysql
plugins in order to
directly access the certificate database of an OpenXPKI server.
Supported since version 5.9.12, --keyid
and --certid
options since version 5.9.14.
Options
|
|
Prints usage information and a short summary of the available options |
|
|
Set debug level, default: |
|
|
Read command line options from file |
|
|
OCSP request. If not given, the OCSP request is read from |
|
|
CA certificate corresponding to one of the issuer hashes contained in the OCSP request. If the OCSP request is signed, a CA certificate forming the trust chain. Can be used multiple times |
|
|
OCSP signer key. Can be used multiple times |
|
|
Smartcard or TPM 2.0 OCSP signer key object handle. Can be used multiple times |
|
|
OCSP signer certificate (if it is not a CA certificate). Can be used multiple$ times |
|
|
Smartcard or TPM 2.0 OCSP signer certificate object handle. Can be used multiple times |
|
|
OpenSSL-style |
|
|
Digest to use for signature creation. The default is determined based on the type and size of the OCSP signing key. |
|
|
Padding to use for RSA signatures. Either |
|
|
Validity in minutes of the OCSP response (if missing, |
index.txt Description
Each line in an index.txt
file consists of six columns that are separated by
tab characters:
-
The first column denotes the certificate status, which can be either
V
(for valid),E
(for expired, treated like valid), orR
(for revoked). -
The second column contains the certificate’s expiration date and time in UTC in the format
YYMMDDHHMMSSZ
. This field is ignored by the command but must not be empty. -
The third column is the revocation date and time in UTC in the format
YYMMDDHHMMSSZ
and an optional revocation reason that immediately follows it, separated by a comma. Valid reasons arekeyCompromise
,CACompromise
,affiliationChanged
,superseded
,cessationOfOperation
,certificateHold
, andremoveFromCRL
, any other value or omitting a reason results inunspecified
. -
The fourth column contains the certificate’s serial number in hexadecimal encoding.
The 5. and 6. columns are both ignored by the command, so they may be
omitted completely. They can contain a path to the certificate (usually set to
unknown
) and the certificate’s subject DN with slashes separating the RDNs.
However, note that omitting these fields makes the file incompatible to OpenSSL.
V 310930122422Z 03 unknown /C=CH/O=strongSwan/CN=moon.strongswan.org (1) V 310930122422Z 04 unknown /C=CH/O=strongSwan/CN=sun.strongswan.org R 310930122422Z 231002122422Z,keyCompromise 88 (2) V Z 05 (3)
1 | Note that the fields are separated by tabs. So if a certificate is valid, two tabs follow after the expiration date. |
2 | This line only specifies the relevant first four columns |
3 | This line even uses a dummy expiration date as the command doesn’t care for the expiration date |
Examples
pki --ocsp --in req_ca.der nonce: 5b:14:e3:cc:d5:b2:65:ec:c4:0d:c3:11:37:6a:9d:71 issuerKeyHash: b6:76:79:95:b5:58:5f:85:1e:1f:c7:52:4a:fc:06:93:f3:39:79:19 (no match) issuerNameHash: af:25:78:ce:fc:15:4c:36:4d:26:2c:98:d4:c5:67:95:81:31:a3:4d (no match) serialNumber: 4f:33:21:1d:4d:fd:9b:db issuerKeyHash: b6:76:79:95:b5:58:5f:85:1e:1f:c7:52:4a:fc:06:93:f3:39:79:19 (no match) issuerNameHash: af:25:78:ce:fc:15:4c:36:4d:26:2c:98:d4:c5:67:95:81:31:a3:4d (no match) serialNumber: 68:f2:93:10:65:d0:5e:d1
pki --ocsp --in req_ca.der --cacert cacert.pem nonce: 5b:14:e3:cc:d5:b2:65:ec:c4:0d:c3:11:37:6a:9d:71 issuer: "C=CH, O=strongSwan Project, CN=strongSwan Root CA" issuerKeyHash: b6:76:79:95:b5:58:5f:85:1e:1f:c7:52:4a:fc:06:93:f3:39:79:19 (ok) issuerNameHash: af:25:78:ce:fc:15:4c:36:4d:26:2c:98:d4:c5:67:95:81:31:a3:4d (ok) serialNumber: 4f:33:21:1d:4d:fd:9b:db issuer: "C=CH, O=strongSwan Project, CN=strongSwan Root CA" issuerKeyHash: b6:76:79:95:b5:58:5f:85:1e:1f:c7:52:4a:fc:06:93:f3:39:79:19 (ok) issuerNameHash: af:25:78:ce:fc:15:4c:36:4d:26:2c:98:d4:c5:67:95:81:31:a3:4d (ok) serialNumber: 68:f2:93:10:65:d0:5e:d1
pki --ocsp --respond --in req_ca.der --cacert cacert.pem --key cakey.pem \ --lifetime 10 > rsp_ca.der nonce: 5b:14:e3:cc:d5:b2:65:ec:c4:0d:c3:11:37:6a:9d:71 issuer: "C=CH, O=strongSwan Project, CN=strongSwan Root CA" issuerKeyHash: b6:76:79:95:b5:58:5f:85:1e:1f:c7:52:4a:fc:06:93:f3:39:79:19 (ok) issuerNameHash: af:25:78:ce:fc:15:4c:36:4d:26:2c:98:d4:c5:67:95:81:31:a3:4d (ok) serialNumber: 4f:33:21:1d:4d:fd:9b:db thisUpdate: Oct 19 15:54:15 UTC 2023 nextUpdate: Oct 19 16:04:15 UTC 2023 certValidation: GOOD issuer: "C=CH, O=strongSwan Project, CN=strongSwan Root CA" issuerKeyHash: b6:76:79:95:b5:58:5f:85:1e:1f:c7:52:4a:fc:06:93:f3:39:79:19 (ok) issuerNameHash: af:25:78:ce:fc:15:4c:36:4d:26:2c:98:d4:c5:67:95:81:31:a3:4d (ok) serialNumber: 68:f2:93:10:65:d0:5e:d1 thisUpdate: Oct 19 15:54:15 UTC 2023 nextUpdate: Oct 19 16:04:15 UTC 2023 certValidation: GOOD trusted signer: "C=CH, O=strongSwan Project, CN=strongSwan Root CA" ocspResponseStatus: successful
pki --ocsp --respond --in req_signed.der --cacert cacert.pem --cacert issuer1.pem \ --key signerKey1.pem --cert signerCert1.pem --lifetime 10 > rsp_signed.der requestor: "C=CH, O=strongSwan Project, CN=vpn.strongswan.org" using certificate "C=CH, O=strongSwan Project, CN=vpn.strongswan.org" using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA 1" using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA" reached self-signed root ca with a path length of 1 requestor is trusted nonce: a8:0f:29:0f:08:9c:29:c1:0d:a8:cb:b0:21:fa:e1:f7 issuer: "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA 1" issuerKeyHash: 5a:1b:ec:17:f0:6d:18:45:66:5b:62:40:64:67:a2:c8:e7:6a:84:20 (ok) issuerNameHash: df:1e:24:71:96:e6:bc:8c:06:46:90:18:a2:7d:b9:82:18:45:e7:09 (ok) serialNumber: 04:ff:cc:8d:36:91:cb:35:d7:c4 thisUpdate: Oct 19 16:30:54 UTC 2023 nextUpdate: Oct 19 16:40:54 UTC 2023 certValidation: REVOKED revocationTime: Mar 26 06:41:54 UTC 2023 revocationReason: superseded trusted signer: "C=CH, O=strongSwan Project, CN=OCSP signer of strongSwan Issuing CA 1" ocspResponseStatus: successful
pki --ocsp --respond --in req.der --cacert issuer1.pem --cacert issuer2.pem \ --key signerKey1.pem --cert signerCert1.pem \ --key signerKey2.pem --cert signerCert2.pem \ --lifetime 10 > rsp_trusted.der nonce: a1:33:aa:bc:96:60:69:76:f3:bc:9c:88:3b:07:50:47 issuer: "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA 2" issuerKeyHash: 72:41:ca:f9:35:87:89:a0:fb:8c:d6:bb:7e:bb:d3:83:ab:d5:89:7b (ok) issuerNameHash: 5e:b2:b4:42:e1:a5:fb:1c:bc:d8:4e:35:10:72:b2:c3:9a:38:4f:cd (ok) serialNumber: 29:ff:36:d9:9a:21:49:61:91:1d thisUpdate: Oct 19 16:02:35 UTC 2023 nextUpdate: Oct 19 16:12:35 UTC 2023 certValidation: REVOKED revocationTime: Sep 22 13:13:04 UTC 2023 revocationReason: superseded issuer: "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA 1" issuerKeyHash: 5a:1b:ec:17:f0:6d:18:45:66:5b:62:40:64:67:a2:c8:e7:6a:84:20 (ok) issuerNameHash: df:1e:24:71:96:e6:bc:8c:06:46:90:18:a2:7d:b9:82:18:45:e7:09 (ok) serialNumber: 10:ff:45:9a:6d:ee:4c:ec:7c:97 thisUpdate: Oct 19 16:02:35 UTC 2023 nextUpdate: Oct 19 16:12:35 UTC 2023 certValidation: FAILED there are multiple known issuers trusted signer: "C=CH, O=strongSwan Project, CN=OCSP signer of strongSwan Issuing CA 2" ocspResponseStatus: successful
In the above example, the issuer of the first request item determines the OCSP signer used to sign the OCSP response.
pki --ocsp --respond --in req.der --cacert issuer1.pem --cacert issuer2.pem \ --key signerKey.pem --cert signerCert.pem --lifetime 10 > rsp_self_signed.der nonce: a1:33:aa:bc:96:60:69:76:f3:bc:9c:88:3b:07:50:47 issuer: "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA 2" issuerKeyHash: 72:41:ca:f9:35:87:89:a0:fb:8c:d6:bb:7e:bb:d3:83:ab:d5:89:7b (ok) issuerNameHash: 5e:b2:b4:42:e1:a5:fb:1c:bc:d8:4e:35:10:72:b2:c3:9a:38:4f:cd (ok) serialNumber: 29:ff:36:d9:9a:21:49:61:91:1d thisUpdate: Oct 19 16:13:23 UTC 2023 nextUpdate: Oct 19 16:23:23 UTC 2023 certValidation: REVOKED revocationTime: Sep 22 13:13:04 UTC 2023 revocationReason: superseded issuer: "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA 1" issuerKeyHash: 5a:1b:ec:17:f0:6d:18:45:66:5b:62:40:64:67:a2:c8:e7:6a:84:20 (ok) issuerNameHash: df:1e:24:71:96:e6:bc:8c:06:46:90:18:a2:7d:b9:82:18:45:e7:09 (ok) serialNumber: 10:ff:45:9a:6d:ee:4c:ec:7c:97 thisUpdate: Oct 19 16:13:23 UTC 2023 nextUpdate: Oct 19 16:23:23 UTC 2023 certValidation: GOOD there are multiple known issuers self-signed signer: "C=CH, O=strongSwan Project, CN=strongSwan OCSP signer" ocspResponseStatus: successful
pki --ocsp --respond --in req1.der --cacert issuer1.pem --index index1.txt \ --cert signerCert1.pem --key signerKey1.pem \ --cacert issuer2.pem --index index2.txt \ --cert signerCert2.pem --key signerKey2.pem --lifetime 10 > rsp1.der loaded status of 4 certificates issued by 'C=CH, O=strongSwan Project, CN=strongSwan Issuing CA 1' from index1.txt loaded status of 3 certificates issued by 'C=CH, O=strongSwan Project, CN=strongSwan Issuing CA 2' from index2.txt nonce: af:f5:70:75:5d:b7:ff:c8:16:e3:87:94:59:8a:34:6e issuer: "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA 1" issuerKeyHash: 5a:1b:ec:17:f0:6d:18:45:66:5b:62:40:64:67:a2:c8:e7:6a:84:20 (ok) issuerNameHash: df:1e:24:71:96:e6:bc:8c:06:46:90:18:a2:7d:b9:82:18:45:e7:09 (ok) serialNumber: 10:ff:45:9a:6d:ee:4c:ec:7c:97 thisUpdate: Oct 19 16:40:21 UTC 2023 nextUpdate: Oct 19 16:50:21 UTC 2023 certValidation: GOOD trusted signer: "C=CH, O=strongSwan Project, CN=OCSP signer of strongSwan Issuing CA 1" ocspResponseStatus: successful pki --ocsp --respond --in req2.der --cacert issuer1.pem --index index1.txt \ --cert signerCert1.pem --key signerKey1.pem \ --cacert issuer2.pem --index index2.txt \ --cert signerCert2.pem --key signerKey2.pem --lifetime 10 > rsp2.der loaded status of 4 certificates issued by 'C=CH, O=strongSwan Project, CN=strongSwan Issuing CA 1' from index1.txt loaded status of 3 certificates issued by 'C=CH, O=strongSwan Project, CN=strongSwan Issuing CA 2' from index2.txt nonce: bd:c6:ad:36:b9:88:ed:71:c5:01:67:86:e9:ae:fd:1f issuer: "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA 2" issuerKeyHash: 72:41:ca:f9:35:87:89:a0:fb:8c:d6:bb:7e:bb:d3:83:ab:d5:89:7b (ok) issuerNameHash: 5e:b2:b4:42:e1:a5:fb:1c:bc:d8:4e:35:10:72:b2:c3:9a:38:4f:cd (ok) serialNumber: 29:ff:36:d9:9a:21:49:61:91:1d thisUpdate: Oct 19 16:40:34 UTC 2023 nextUpdate: Oct 19 16:50:34 UTC 2023 certValidation: REVOKED revocationTime: Sep 22 13:13:04 UTC 2023 revocationReason: superseded trusted signer: "C=CH, O=strongSwan Project, CN=OCSP signer of strongSwan Issuing CA 2" ocspResponseStatus: successful