3

Does anybody know of a tool to test OCSP responses? Preferably, something that can be used from a Windows command line and/or can be included (easily) in a Java/Python program.

5 Answers

4

Looking a bit more, I think I've found some answers:

a) OpenSSL to the rescue:

openssl ocsp -whatever

For more info, http://www.openssl.org/docs/apps/ocsp.html

b) http://www.openvalidation.org/ is another way of testing a cert. And via its links, I got to:

Thanks to all the answers!

JJarava
  • 1
    `openssl ocsp -issuer ca_cert.pem -cert server_cert.pem -text -url http://ocsp.provider.com` is the full command. – Felix Seele Jul 29 '15 at 16:11
1

Bouncy Castle has a Java crypto provider and support for OCSP requests and responses. The differences between the OCSPReq and OCSPRequest classes, and between the OCSPResp and OCSPResponse classes, are a little confusing, though.

1

Here is a good resource for setting up a simple OCSP client or OCSP responder with OpenSSL: http://backreference.org/2010/05/09/ocsp-verification-with-openssl/

ohe
1

The newpki client claims to be able to do that. http://www.newpki.org/

Alexey Feldgendler
  • Thanks a lot, Alexey. The newpki client seems to be a bit more complex than what I'm looking for, as it's a full PKI admin tool. –  Sep 16 '08 at 15:46
0

Can you test it over HTTP as described in the specs in Appendix A? If so, then you can use any web test util. Since you mentioned Java, JMeter comes to mind. With JMeter, you can create your Java code to do validation, etc., and re-use it in your test cases.

Can you use something other than CMD line, such as a BASH script via Cygwin?

You'd still have to script some things to validate the test, perhaps using openssl?

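    # Build the DER request first; a bare GET to the responder URL carries no OCSPRequest
    openssl ocsp -issuer ca_cert.pem -cert server_cert.pem -reqout req.der
    curl -H "Content-Type: application/ocsp-request" --data-binary @req.der http://some.ocsp.url/ > resp.der
    openssl ocsp -respin resp.der -text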

See page http://www.ietf.org/rfc/rfc2560.txt

DustinB
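
The HTTP transport from Appendix A of RFC 2560 and a first sanity check on a saved response such as resp.der, as an added example that is not part of any answer above. It uses only the Python standard library; the function names and the sample bytes are constructed for illustration, and it reads only the outer responseStatus, so signature and certificate-status checks still belong to `openssl ocsp -respin`.

```python
import base64
import urllib.parse
import urllib.request

# OCSPResponseStatus values from RFC 2560 section 4.2.1 (4 is not used).
OCSP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
# Constructed sample: a complete 5-byte OCSPResponse carrying only "unauthorized".
SAMPLE_UNAUTHORIZED = bytes([0x30, 0x03, 0x0A, 0x01, 0x06])


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def ocsp_response_status(der):
    """Name of the responseStatus field of a DER-encoded OCSPResponse."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE (an HTML error page, perhaps?)")
    tag, value, _ = read_tlv(body)
    if tag != 0x0A or len(value) != 1:
        raise ValueError("responseStatus ENUMERATED missing")
    return OCSP_STATUS.get(value[0], "unknown(%d)" % value[0])


def post_request(url, req_der):
    """POST form from Appendix A; hand the result to urllib.request.urlopen()."""
    headers = {"Content-Type": "application/ocsp-request"}
    return urllib.request.Request(url, data=req_der, headers=headers, method="POST")


def get_url(url, req_der):
    """GET form from Appendix A: URL-encoded base64 of the DER request."""
    b64 = base64.b64encode(req_der).decode("ascii")
    return url.rstrip("/") + "/" + urllib.parse.quote(b64, safe="")
```

A status of `successful` only means the responder produced an answer; the per-certificate good/revoked/unknown value sits inside the signed responseBytes.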