Nexus Documentation
CURL vulnerability information (CVE-2023-38545) - Nexus awareness advisory on Microsoft's update KB5014754

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

You can test the configuration and setup of Nexus OCSP Responder by using the bundled OCSP client. It is named ocsp_client.bat on Windows and ocsp_client on the available Linux distributions. The OCSP client is located in the /bin directory relative to the installation root.

The basic usage of the bundled OCSP client is as follows:

ocsp_client -verbose -url <url> -certstore <trust-store> -nonce
-servicelocator <url> -authcert <certificate> -authpin <pin>
-pkcs11lib <lib> -provider <provider> -signalg <algorithm>
-signcert <certificate> -signpin <pin> -[no]chain <serial-nr> ...

Table...

Options and ArgumentsDescription
-authcert <certificate>

The certificate to use for TLS client authentication. Replace <certificate> with either the filename of the PKCS12 encoded token or unique part of subject DN of certificates in PKCS11 key store. See also -pkcs11lib.

-authpin <pin>Replace <pin> with the pin to use for accessing the key associated with the certificate.
-certstore <trust-store>Replace <trust-store> with the name of a file containing root CAs and subordinate CAs.
-signcert <certificate>The certificate to use for signing the OCSP request. Replace <certificate> with either the filename of PKCS12 encoded token or unique part of subject DN of certificates in PKCS11 key store. See also -pkcs11lib.
-signpin <pin>Replace <pin> with the pin to use for accessing the key associated with the certificate.
-chainUse this option to add a certificate chain to the signed OCSP request. Only the signature certificate will be used in the signed OCSP request by default.
-nochainUse this option to not add the signature certificate or chain to the signed OCSP request.
-nonceUse this option to add a random nonce to the request.
-pkcs11lib <lib>Replace <lib> with the name of a PKCS11 library. Must be specified to use authentication or signature certificate in a PKCS11 key store.
-provider <provider>Replace <provider> with the provider name or class name of a JCE provider to perform the signature.
-servicelocator <url>Replace <url> with the location of an alternate OCSP responder that the responder we query can redirect the request to.
-signalg <algorithm>Replace <algorithm> with the name of the signature algorithm to use.
-url <url>Replace <url> with the location of the OCSP responder to send a request to.
-verboseUse this option to print out debug data and more information about the response.
<serial-nr>Either a file containing the certificate one wants to query the status of or a certificate serial number and issuer name specified as: <number>:<issuer DN or part of>. The number can be specified either as decimal or as hexadecimal, prefixed with 0x.

Examples

Example 1: single, unsigned, non-nonced request
ocsp_client -verbose -url http://ocsphost:81/ -certstore trust.store example1.crt
Example 2: single, unsigned, non-nonced request
ocsp_client -verbose -url http://ocsphost:81/ -certstore trust.store "0x42f3d19e9fe13f98b8c7b98f10bf6c2d:cn=Issuing CA,c=SE"
Example 3: unsigned nonced multirequest over client-authenticated TLS
ocsp_client -verbose -url https://ocsphost:81/ -certstore trust.store -nonce -authcert "Ocsp Test Auth" -authpin 1234 -pkcs11lib pkcs11_library.dll example1.crt example2.crt
Example 4: signed, non-nonced request about a root certificate
ocsp_client -verbose -url http://ocsphost:81/ -certstore trust.store -signcert "Ocsp Test Sign" -signpin 1234 -pkcs11lib pkcs11_library.dll root-cert.crt

Related information

  • No labels

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions