1.\" $OpenBSD: ocspcheck.8,v 1.9 2017/11/29 21:15:45 jmc Exp $ 2.\" 3.\" Copyright (c) 2017 Bob Beck <beck@openbsd.org> 4.\" 5.\" Permission to use, copy, modify, and distribute this software for any 6.\" purpose with or without fee is hereby granted, provided that the above 7.\" copyright notice and this permission notice appear in all copies. 8.\" 9.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16.\" 17.Dd $Mdocdate: November 29 2017 $ 18.Dt OCSPCHECK 8 19.Os 20.Sh NAME 21.Nm ocspcheck 22.Nd check a certificate for validity against its OCSP responder 23.Sh SYNOPSIS 24.Nm 25.Op Fl Nv 26.Op Fl C Ar CAfile 27.Op Fl i Ar staplefile 28.Op Fl o Ar staplefile 29.Ar file 30.Sh DESCRIPTION 31The 32.Nm 33utility validates a PEM format certificate against the OCSP responder 34encoded in the certificate specified by the 35.Ar file 36argument. 37Normally it should be used for checking server certificates 38and maintaining saved OCSP responses to be used for OCSP stapling. 39.Pp 40The options are as follows: 41.Bl -tag -width Ds 42.It Fl C Ar CAfile 43Specify a PEM format root certificate bundle to use for the validation of 44requests. 45By default no certificates are used beyond those in the 46certificate chain provided by the 47.Ar file 48argument. 49.It Fl i Ar staplefile 50Specify an input filename from which a DER-encoded OCSP response 51will be read instead of fetching it from the OCSP server. 52A filename 53of 54.Sq - 55will read the response from standard input. 
56.It Fl N 57Do not use a nonce value in the OCSP request, or validate that the 58nonce was returned in the OCSP response. 59By default a nonce is always used and validated when retrieving 60a response from an OCSP server. 61The use of this flag is a security risk as it will allow OCSP 62responses to be replayed. 63It should not be used unless the OCSP server does not support the 64use of OCSP nonces. 65.It Fl o Ar staplefile 66Specify an output filename where the DER encoded response from the 67OCSP server will be written, if the OCSP response validates. 68A filename 69of 70.Sq - 71will write the response to standard output. 72By default the response is not saved. 73.It Fl v 74Increase verbosity. 75This flag may be specified multiple times to get more verbose output. 76The default behaviour is to be silent unless something goes wrong. 77.El 78.Sh EXIT STATUS 79The 80.Nm 81utility exits 0 if the OCSP response validates for the certificate in 82.Ar file 83and all output is successfully written out. 84.Nm 85exits >0 if an error occurs or the OCSP response fails to validate. 86.Sh SEE ALSO 87.Xr nc 1 , 88.Xr tls_config_set_ocsp_staple_file 3 , 89.Xr tls_config_set_ocsp_staple_mem 3 , 90.Xr httpd 8 91.Sh HISTORY 92The 93.Nm 94utility first appeared in 95.Ox 6.1 . 96.Sh AUTHORS 97.Nm 98was written by 99.An Bob Beck . 100.Sh CAVEATS 101While 102.Nm 103could possibly be used in scripts to query responders for server 104certificates seen on client connections, this is almost always a bad 105idea. 106God kills a kitten every time you make an OCSP query from the 107client side of a TLS connection. 108.Sh BUGS 109.Nm 110will create the output file if it does not exist. 111On failure a newly created output file will not be removed. 112
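The staple-maintenance use described in DESCRIPTION, combined with the EXIT STATUS and BUGS sections, suggests a wrapper that only swaps in a new staple file when ocspcheck exits 0 and that cleans up the output file ocspcheck leaves behind on failure. This is an added example, not part of the manual page or of ocspcheck itself; the certificate and staple paths, the /etc/ssl/cert.pem default for the CA bundle, and the OCSPCHECK override variable are assumptions.

```shell
# refresh_staple CERT STAPLE [CAFILE]
#
# Added example (not from ocspcheck(8)): validate the server certificate
# CERT against its OCSP responder and replace the saved staple STAPLE only
# when the response validates, so a stale or half-written staple is never
# left in place for the server to serve.
#
# Assumptions (not from the manual): CAFILE defaults to /etc/ssl/cert.pem,
# and OCSPCHECK may name a substitute command (handy for dry runs).
refresh_staple() {
    cert=$1
    staple=$2
    cafile=${3:-/etc/ssl/cert.pem}
    ocsp=${OCSPCHECK:-ocspcheck}

    # ocspcheck creates its output file up front and does not remove it
    # when validation fails (see BUGS).  Write to a temporary file beside
    # the real staple and rename it into place only on exit status 0.
    tmp="${staple}.tmp.$$"

    "$ocsp" -C "$cafile" -o "$tmp" "$cert"
    rc=$?
    if [ "$rc" -ne 0 ]; then
        # >0 means a fetch error or a response that failed to validate:
        # keep the previous staple and drop the partial output file.
        rm -f "$tmp"
        echo "ocspcheck failed for $cert (exit $rc); staple unchanged" >&2
        return "$rc"
    fi
    mv "$tmp" "$staple" || { rm -f "$tmp"; return 1; }
    return 0
}

# Typical use from a periodic job; afterwards make httpd(8) re-read the
# staple file (hypothetical paths):
#   refresh_staple /etc/ssl/server.crt /etc/ssl/server.ocsp
```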