diff options
| -rw-r--r-- | apps/ocsp.c | 6 | ||||
| -rw-r--r-- | doc/apps/ocsp.pod | 37 |
2 files changed, 30 insertions, 13 deletions
diff --git a/apps/ocsp.c b/apps/ocsp.c index f05ec0e655..17e84366d9 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -524,7 +524,7 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-serial n serial number to check\n"); BIO_printf (bio_err, "-signer file certificate to sign OCSP request with\n"); BIO_printf (bio_err, "-signkey file private key to sign OCSP request with\n"); - BIO_printf (bio_err, "-sign_certs file additional certificates to include in signed request\n"); + BIO_printf (bio_err, "-sign_other file additional certificates to include in signed request\n"); BIO_printf (bio_err, "-no_certs don't include any certificates in signed request\n"); BIO_printf (bio_err, "-req_text print text form of request\n"); BIO_printf (bio_err, "-resp_text print text form of response\n"); @@ -544,10 +544,10 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n"); BIO_printf (bio_err, "-status_age n maximum status age in seconds\n"); BIO_printf (bio_err, "-noverify don't verify response at all\n"); - BIO_printf (bio_err, "-verify_certs file additional certificates to search for signer\n"); + BIO_printf (bio_err, "-verify_other file additional certificates to search for signer\n"); BIO_printf (bio_err, "-trust_other don't verify additional certificates\n"); BIO_printf (bio_err, "-no_intern don't search certificates contained in response for signer\n"); - BIO_printf (bio_err, "-no_sig_verify don't check signature on response\n"); + BIO_printf (bio_err, "-no_signature_verify don't check signature on response\n"); BIO_printf (bio_err, "-no_cert_verify don't check signing certificate\n"); BIO_printf (bio_err, "-no_chain don't chain verify response\n"); BIO_printf (bio_err, "-no_cert_checks don't do additional checks on signing certificate\n"); diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod index da201b95e6..4f266058e5 100644 --- a/doc/apps/ocsp.pod +++ b/doc/apps/ocsp.pod @@ -11,6 +11,10 @@ B<openssl> B<ocsp> [B<-issuer file>] [B<-cert file>] [B<-serial n>] +[B<-signer file>] +[B<-signkey file>] +[B<-sign_other file>] +[B<-no_certs>] [B<-req_text>] [B<-resp_text>] [B<-text>] @@ -20,27 +24,36 @@ B<openssl> B<ocsp> [B<-respin file>] [B<-nonce>] [B<-no_nonce>] -[B<-url responder_url>] +[B<-url URL>] [B<-host host:n>] [B<-path>] -[B<-CApath file>] +[B<-CApath dir>] [B<-CAfile file>] [B<-VAfile file>] -[B<-verify_certs file>] +[B<-validity_period n>] +[B<-status_age n>] [B<-noverify>] +[B<-verify_other file>] [B<-trust_other>] [B<-no_intern>] -[B<-no_sig_verify>] +[B<-no_signature_verify>] [B<-no_cert_verify>] [B<-no_chain>] [B<-no_cert_checks>] -[B<-validity_period nsec>] -[B<-status_age nsec>] +[B<-port num>] +[B<-index file>] +[B<-CA file>] +[B<-rsigner file>] +[B<-rkey file>] +[B<-rother file>] +[B<-resp_no_certs>] +[B<-nmin n>] +[B<-ndays n>] +[B<-resp_key_id>] +[B<-nrequest n>] =head1 DESCRIPTION -B<WARNING: this documentation is preliminary and subject to change.> - The Online Certificate Status Protocol (OCSP) enables applications to determine the (revocation) state of an identified certificate (RFC 2560). @@ -83,6 +96,10 @@ the B<signkey> option is not present then the private key is read from the same file as the certificate. If neither option is specified then the OCSP request is not signed. +=item B<-sign_other filename> + +Additional certificates to include in the signed request. + =item B<-nonce>, B<-no_nonce> Add an OCSP nonce extension to a request or disable OCSP nonce addition. @@ -120,7 +137,7 @@ or "/" by default. file or pathname containing trusted CA certificates. These are used to verify the signature on the OCSP response. -=item B<-verify_certs file> +=item B<-verify_other file> file containing additional certificates to search when attempting to locate the OCSP response signing certificate. Some responders omit the actual signer's @@ -151,7 +168,7 @@ ignore certificates contained in the OCSP response when searching for the signers certificate. With this option the signers certificate must be specified with either the B<-verify_certs> or B<-VAfile> options. -=item B<-no_sig_verify> +=item B<-no_signature_verify> don't check the signature on the OCSP response. Since this option tolerates invalid signatures on OCSP responses it will normally only be used for testing purposes. |