Once a Responder or Repeater has been configured completely, a final test should be run to make sure that it is working as expected.
There are several ways to send an OCSP request to a Responder or Repeater.
1) Use the option “Generate Queries” in the admin UI
2) Use the vatest tool
Open a command line, navigate to the tools directory inside the VA installation directory, and call the command vatest with the following parameters:
- ocsp: send OCSP request
- URL of VA server: server URL as configured on the page Server Settings -> Server URLs
- serial number: serial number of the certificate to validate
- CA Certificate: certificate of the CA which issued the certificate to validate (can be exported from the UI)
- OCSP signing certificate: OCSP certificate of VA server (is written to the local directory when you call vatest.exe getconf -url )
-print: print result
vatest ocsp -url http://10.129.62.93:80 -checkserialnum 0x02B7A3 CACertificate.cer -servercerts ocspcerts.pem -print
3) Use openssl
The openssl command is also available in the tools directory inside the VA installation directory. The parameters are similar to the ones used in the vatest command.
-no_nonce: optional, useful when the Repeater should answer from the OCSP response database
-issuer: certificate of the CA which issued the certificate to check
-cert: certificate to check
-serial: serial number of certificate to check
-VAfile: OCSP signing certificate of VA server
-text: output as text
-url: URL of VA Server
openssl ocsp -issuer CA-cert-base64.crt -serial 12 -text -VAfile ocspcerts.pem -url http://10.129.128.97:80
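The script below is an added example, not part of the original article or of the VA product. It reads the output of the openssl ocsp command above and reports a pass only when the response signature was verified and the certificate status is good. The function name check_ocsp_output and its return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify the combined stdout+stderr of `openssl ocsp`.
# Pipe the command from this page into it, for instance:
#   openssl ocsp -issuer CA-cert-base64.crt -serial 12 -VAfile ocspcerts.pem \
#       -url http://10.129.128.97:80 2>&1 | check_ocsp_output 12
# Return codes (chosen for this example, not defined by openssl or the VA):
#   0 = response signature verified and certificate status is "good"
#   1 = response signature verified, status is "revoked" or "unknown"
#   2 = responder error, signature not verified, or no status for the serial
check_ocsp_output() {
    serial=$1      # serial exactly as passed to -serial, e.g. 12 or 0x02B7A3
    out=$(cat)     # read the whole openssl output from stdin

    if printf '%s\n' "$out" | grep -q '^Responder Error:'; then
        echo "FAIL: responder returned an error instead of a status" >&2
        return 2
    fi
    # "Response verify OK" is printed only when the response signature was
    # validated, here against the certificates given with -VAfile.
    if ! printf '%s\n' "$out" | grep -q '^Response verify OK'; then
        echo "FAIL: response signature was not verified" >&2
        return 2
    fi
    # Seen when the request carried a nonce but the response has none.
    if printf '%s\n' "$out" | grep -q '^WARNING: no nonce in response'; then
        echo "NOTE: response has no nonce" >&2
    fi
    # Status line has the form "<serial>: good|revoked|unknown".
    status=$(printf '%s\n' "$out" | sed -n "s/^${serial}: \([a-z]*\).*/\1/p" | head -n 1)
    case $status in
        good)            echo "OK: $serial is good"; return 0 ;;
        revoked|unknown) echo "FAIL: $serial is $status" >&2; return 1 ;;
        *)               echo "FAIL: no status for $serial" >&2; return 2 ;;
    esac
}

# Constructed sample output (not captured from a real VA server).
sample='Response verify OK
12: revoked
    Revocation Time: Oct 30 09:00:00 2023 GMT'
rc=0
printf '%s\n' "$sample" | check_ocsp_output 12 || rc=$?
echo "exit code: $rc"
```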
Published: 31 October 2023 Last Modified: 31 October 2023