Document toolboxDocument toolbox

Nexus Documentation
CURL vulnerability information (CVE-2023-38545) - Nexus awareness advisory on Microsoft's update KB5014754

Request status for Nexus OCSP Responder

Owned by Ann Base (Deactivated)
Last updated: Nov 04, 2024 by Ylva AnderssonVersion comment
2 min read

You can test the configuration and setup of Nexus OCSP Responder by using the bundled OCSP client. It is named ocsp_client.bat on Windows and ocsp_client on the available Linux distributions. The OCSP client is located in the /bin directory relative to the installation root.

The basic usage of the bundled OCSP client is as follows:

ocsp_client -verbose -url <url> -certstore <trust-store> -nonce -servicelocator <url> -authcert <certificate> -authpin <pin> -pkcs11lib <lib> -provider <provider> -signalg <algorithm> -signcert <certificate> -signpin <pin> -[no]chain <serial-nr> ...

Options and Arguments

Description

Options and Arguments

Description

-authcert <certificate>

The certificate to use for TLS client authentication. Replace <certificate> with either the filename of the PKCS12 encoded token or unique part of subject DN of certificates in PKCS11 key store. See also -pkcs11lib.

-authpin <pin>

Replace <pin> with the pin to use for accessing the key associated with the certificate.

-certstore <trust-store>

Replace <trust-store> with the name of a file containing root CAs and subordinate CAs.

-signcert <certificate>

The certificate to use for signing the OCSP request. Replace <certificate> with either the filename of PKCS12 encoded token or unique part of subject DN of certificates in PKCS11 key store. See also -pkcs11lib.

-signpin <pin>

Replace <pin> with the pin to use for accessing the key associated with the certificate.

-chain

Use this option to add a certificate chain to the signed OCSP request. Only the signature certificate will be used in the signed OCSP request by default.

-nochain

Use this option to not add the signature certificate or chain to the signed OCSP request.

-nonce

Use this option to add a random nonce to the request.

-pkcs11lib <lib>

Replace <lib> with the name of a PKCS11 library. Must be specified to use authentication or signature certificate in a PKCS11 key store.

-provider <provider>

Replace <provider> with the provider name or class name of a JCE provider to perform the signature.

-servicelocator <url>

Replace <url> with the location of an alternate OCSP responder that the responder we query can redirect the request to.

-signalg <algorithm>

Replace <algorithm> with the name of the signature algorithm to use.

-url <url>

Replace <url> with the location of the OCSP responder to send a request to.

-verbose

Use this option to print out debug data and more information about the response.

<serial-nr>

Either a file containing the certificate one wants to query the status of or a certificate serial number and issuer name specified as: <number>:<issuer DN or part of>. The number can be specified either as decimal or as hexadecimal, prefixed with 0x.

Examples

Example 1: single, unsigned, non-nonced request

ocsp_client -verbose -url http://ocsphost:81/ -certstore trust.store example1.crt

Example 2: single, unsigned, non-nonced request

ocsp_client -verbose -url http://ocsphost:81/ -certstore trust.store "0x42f3d19e9fe13f98b8c7b98f10bf6c2d:cn=Issuing CA,c=SE"

Example 3: unsigned nonced multirequest over client-authenticated TLS

Example 4: signed, non-nonced request about a root certificate

 

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions