OpenSSL:OCSP
In the section of the config that defines the X.509 v3 certificate extensions, write an authorityInfoAccess key carrying OCSP and its URI as shown below; the OCSP responder information is then written into the issued certificate.
code:openssl.cnf
openssl includes an OCSP responder, so you can simply start it as a server.
code:console
$ openssl ocsp -help
Valid options are:
-help Display this summary
-out outfile Output filename
-timeout +int Connection timeout (in seconds) to the OCSP responder
-url val Responder URL
-host val TCP/IP hostname:port to connect to
-port +int Port to run responder on
-ignore_err Ignore error on OCSP request or response and continue running
-noverify Don't verify response at all
-nonce Add OCSP nonce to request
-no_nonce Don't add OCSP nonce to request
-resp_no_certs Don't include any certificates in response
-resp_key_id Identify response by signing certificate key ID
-multi +int run multiple responder processes
-no_certs Don't include any certificates in signed request
-no_signature_verify Don't check signature on response
-no_cert_verify Don't check signing certificate
-no_chain Don't chain verify response
-no_cert_checks Don't do additional checks on signing certificate
-no_explicit Do not explicitly check the chain, just verify the root
-trust_other Don't verify additional certificates
-no_intern Don't search certificates contained in response for signer
-badsig Corrupt last byte of loaded OSCP response signature (for test)
-text Print text form of request and response
-req_text Print text form of request
-resp_text Print text form of response
-reqin val File with the DER-encoded request
-respin val File with the DER-encoded response
-signer infile Certificate to sign OCSP request with
-VAfile infile Validator certificates file
-sign_other infile Additional certificates to include in signed request
-verify_other infile Additional certificates to search for signer
-CAfile infile Trusted certificates file
-CApath infile Trusted certificates directory
-no-CAfile Do not load the default certificates file
-no-CApath Do not load certificates from the default certificates directory
-validity_period ulong Maximum validity discrepancy in seconds
-status_age +int Maximum status age in seconds
-signkey val Private key to sign OCSP request with
-reqout val Output file for the DER-encoded request
-respout val Output file for the DER-encoded response
-path val Path to use in OCSP request
-issuer infile Issuer certificate
-cert infile Certificate to check
-serial val Serial number to check
-index infile Certificate status index file
-CA infile CA certificate
-nmin +int Number of minutes before next update
-nrequest +int Number of requests to accept (default unlimited)
-ndays +int Number of days before next update
-rsigner infile Responder certificate to sign responses with
-rkey infile Responder key to sign responses with
-rother infile Other certificates to include in response
-rmd val Digest Algorithm to use in signature of OCSP response
-rsigopt val OCSP response signature parameter in n:v form
-header val key=value header to add
-* Any supported digest algorithm (sha1,sha256, ... )
-policy val adds policy to the acceptable policy set
-purpose val certificate chain purpose
-verify_name val verification policy name
-verify_depth int chain depth limit
-auth_level int chain authentication security level
-attime intmax verification epoch time
-verify_hostname val expected peer hostname
-verify_email val expected peer email
-verify_ip val expected peer IP address
-ignore_critical permit unhandled critical extensions
-issuer_checks (deprecated)
-crl_check check leaf certificate revocation
-crl_check_all check full chain revocation
-policy_check perform rfc5280 policy checks
-explicit_policy set policy variable require-explicit-policy
-inhibit_any set policy variable inhibit-any-policy
-inhibit_map set policy variable inhibit-policy-mapping
-x509_strict disable certificate compatibility work-arounds
-extended_crl enable extended CRL features
-use_deltas use delta CRLs
-policy_print print policy processing diagnostics
-check_ss_sig check root CA self-signatures
-trusted_first search trust store first (default)
-suiteB_128_only Suite B 128-bit-only mode
-suiteB_128 Suite B 128-bit mode allowing 192-bit algorithms
-suiteB_192 Suite B 192-bit-only mode
-partial_chain accept chains anchored by intermediate trust-store CAs
-no_alt_chains (deprecated)
-no_check_time ignore certificate validity time
-allow_proxy_certs allow the use of proxy certificates
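The whole procedure end to end, as an added example (not part of the original page): a throw-away CA issues two leaf certificates with the authorityInfoAccess extension from above, a hand-written `-index` file marks one as valid and one as revoked, the responder is started with `-port`/`-nrequest` from the help output above, and the client queries it with `-url`. All names, serials (0x1001, 0x1002) and the port 18888 are constructed values.

```shell
#!/bin/sh
# Added example: run an OpenSSL OCSP responder from a hand-written index
# file and query it. CA name, serials and port are constructed values.
set -eu

ocsp_demo() {
  d=$(mktemp -d); port=18888            # constructed port, also used in the AIA URI
  # 1. throw-away CA; it will also sign the OCSP responses (-rsigner/-rkey)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=Demo-CA \
      -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  # authorityInfoAccess as described on the page: where clients find the responder
  printf 'authorityInfoAccess = OCSP;URI:http://127.0.0.1:%s\n' "$port" > "$d/ext.cnf"
  # 2. two leaf certs: serial 0x1001 stays valid, 0x1002 will be listed as revoked
  for n in 1001 1002; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf-$n" \
        -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    openssl x509 -req -in "$d/$n.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -set_serial "0x$n" -days 30 -extfile "$d/ext.cnf" -out "$d/$n.pem" 2>/dev/null
  done
  # 3. the -index file (openssl ca format): status, expiry, revocation time,
  #    serial in hex, certificate file name, subject DN
  printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=leaf-1001\n'  > "$d/index.txt"
  printf 'R\t300101000000Z\t240101000000Z\t1002\tunknown\t/CN=leaf-1002\n' >> "$d/index.txt"
  # 4. responder in the background; -nrequest 2 makes it exit after two requests
  openssl ocsp -index "$d/index.txt" -CA "$d/ca.pem" -rsigner "$d/ca.pem" \
      -rkey "$d/ca.key" -port "$port" -nrequest 2 >/dev/null 2>&1 &
  sleep 1
  # 5. client: query each cert and verify the signed response against the CA;
  #    first stdout line is "<cert file>: good" or "<cert file>: revoked"
  for n in 1001 1002; do
    openssl ocsp -issuer "$d/ca.pem" -cert "$d/$n.pem" -CAfile "$d/ca.pem" \
        -url "http://127.0.0.1:$port" 2>/dev/null | head -n 1
  done
  wait
  rm -rf "$d"
}
```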
References
[OpenSSL] Creating a certificate whose authorityInfoAccess carries the OCSP server (OCSP responder) information
Related