KB Article #182964

How can I send an OCSP request to my Repeater or Responder to make sure that it is working correctly?

Question

A Responder or Repeater has been fully configured, and a final test should be run to make sure that it is working as expected.

Answer

There are several ways to send an OCSP request to a Responder or Repeater.

1) Use the option “Generate Queries” in the admin UI

2) Use the vatest tool

Open a command line, navigate to the tools directory inside the VA installation directory, and call the command vatest with the following parameters:

- ocsp: send OCSP request

- URL of VA server: server URL as configured on the page Server Settings -> Server URLs

- serial number: serial number of the certificate to validate

- CA Certificate: certificate of the CA which issued the certificate to validate (can be exported from the UI)

- OCSP signing certificate: OCSP certificate of the VA server (written to the local directory when you call vatest.exe getconf -url )

-print: print result

vatest ocsp -url http://10.129.62.93:80 -checkserialnum 0x02B7A3 CACertificate.cer -servercerts ocspcerts.pem -print

3) Use openssl

The command openssl is also available in the tools directory inside of the VA installation directory. The parameters are similar to the ones used in the vatest command.

-no_nonce: optional; useful when the Repeater should get the answer from the OCSP response database

-issuer: certificate of the CA which issued the certificate to check

-cert: certificate to check

-serial: serial number of certificate to check

-VAfile: OCSP signing certificate of the VA server

-text: output as text

-url: URL of the VA server

openssl ocsp -issuer CA-cert-base64.crt -serial 12 -text -VAfile ocspcerts.pem -url http://10.129.128.97:80
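
To decide whether the test passed, the output of the openssl command above has to be read for two things: that the response signature verified against the -VAfile certificate, and the status reported for the serial number. The following sketch is an added example, not part of the original article or the product's tooling. It assumes a POSIX shell; the function names ocsp_verdict and query_va and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: interpret the text output of `openssl ocsp` for one serial.
# Prints a verdict and returns 0 only when the response signature verified
# against the -VAfile certificate AND the certificate status is "good".
ocsp_verdict() {
    serial="$1"   # serial exactly as passed to -serial
    output="$2"   # combined stdout and stderr of openssl ocsp
    case "$output" in
        *"Responder Error:"*) echo "responder-error"; return 2 ;;
    esac
    case "$output" in
        *"Response verify OK"*) ;;
        *) echo "unverified"; return 3 ;;
    esac
    # The status line has the form "<serial>: good|revoked|unknown".
    status=$(printf '%s\n' "$output" |
        sed -n "s/^${serial}: \([a-z]*\).*/\1/p" | head -n 1)
    case "$status" in
        good) echo "good"; return 0 ;;
        revoked|unknown) echo "$status"; return 1 ;;
        *) echo "no-status"; return 4 ;;
    esac
}

# Run the query from the article and evaluate its output.
# Arguments: issuer certificate, serial, OCSP signing certificates, VA URL.
query_va() {
    out=$(openssl ocsp -issuer "$1" -serial "$2" -text \
        -VAfile "$3" -url "$4" 2>&1)
    ocsp_verdict "$2" "$out"
}

# Constructed sample outputs (not captured from a real VA server).
SAMPLE_GOOD='Response verify OK
12: good
    This Update: Oct 31 10:00:00 2023 GMT'
SAMPLE_REVOKED='Response verify OK
12: revoked
    This Update: Oct 31 10:00:00 2023 GMT
    Revocation Time: Oct 30 09:00:00 2023 GMT'
SAMPLE_BADSIG='Response Verify Failure
12: good
    This Update: Oct 31 10:00:00 2023 GMT'
```

A status of "good" is only reported as a pass when the signature check also succeeded, so a response signed by an unexpected certificate is flagged as "unverified" even if it claims the certificate is good.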


General Information


Published: 31 October 2023 Last Modified: 31 October 2023
