diff --git a/apps/ocsp.c b/apps/ocsp.c index d2e3109630424be9843a825cd49fe7303ee3b7dc..73b407c986ab8cc1d5206fc503ecba8e0f4ca012 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -521,7 +521,7 @@ int ocsp_main(int argc, char **argv) goto end; } - if (rsignfile && !rdb) { + if (rsignfile) { if (!rkeyfile) rkeyfile = rsignfile; rsigner = load_cert(rsignfile, FORMAT_PEM, diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod index 1ecd92887b236ae4640259fdf55a63cf0b65fe19..be195bcb308fda2b0ad0a9c66f59d420f161ada3 100644 --- a/doc/apps/ocsp.pod +++ b/doc/apps/ocsp.pod @@ -139,7 +139,7 @@ Additional certificates to include in the signed request. =item B<-nonce>, B<-no_nonce> Add an OCSP nonce extension to a request or disable OCSP nonce addition. -Normally if an OCSP request is input using the B option no +Normally if an OCSP request is input using the B option no nonce is added: using the B option will force addition of a nonce. If an OCSP request is being created (using B and B options) a nonce is automatically added specifying B overrides this. @@ -166,7 +166,8 @@ specify the responder URL. Both HTTP and HTTPS (SSL/TLS) URLs can be specified. if the B option is present then the OCSP request is sent to the host B on port B. B specifies the HTTP path name to use -or "/" by default. +or "/" by default. This is equivalent to specifying B<-url> with scheme +http:// and the given hostname, port, and pathname. =item B<-header name=value> @@ -296,7 +297,7 @@ information. If the B option is specified the B utility is in responder mode, otherwise it is in client mode. The request(s) the responder processes can be either specified on the command line (using B and B options), supplied in a file (using the -B option) or via external OCSP clients (if B or B is specified). +B option) or via external OCSP clients (if B or B is specified). If the B option is present then the B and B options must also be present. 
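Review bot: The new `if (rsignfile)` test in ocsp_main has no comment explaining why the responder certificate and key are now loaded regardless of `rdb`, and the visible lines do not show what happens when an index is loaded but -rsigner was not given. I would add `/* Load the responder cert and key whenever -rsigner is given; the key defaults to the -rsigner file. */` above the test. It is also worth confirming, outside this hunk, that ocsp_main refuses to serve requests when `rdb` is set while `rsigner` or its key is still NULL, since doc/apps/ocsp.pod says responder mode requires the CA and signer options alongside the index. The body of the `if` and the rest of ocsp_main lie outside the hunk.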
@@ -401,7 +402,7 @@ format of revocation is also inefficient for large quantities of revocation data. It is possible to run the B application in responder mode via a CGI -script using the B and B options. +script using the B and B options. =head1 EXAMPLES @@ -410,14 +411,14 @@ Create an OCSP request and write it to a file: openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der Send a query to an OCSP responder with URL http://ocsp.myhost.com/ save the -response to a file and print it out in text form +response to a file, print it out in text form, and verify the response: openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \ -url http://ocsp.myhost.com/ -resp_text -respout resp.der Read in an OCSP response and print out text form: - openssl ocsp -respin resp.der -text + openssl ocsp -respin resp.der -text -noverify OCSP server on port 8888 using a standard B configuration, and a separate responder certificate. All requests and responses are printed to a file. @@ -430,13 +431,13 @@ As above but exit after processing one request: openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem -nrequest 1 -Query status information using internally generated request: +Query status information using an internally generated request: openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem -issuer demoCA/cacert.pem -serial 1 -Query status information using request read from a file, write response to a -second file. +Query status information using request read from a file, and write the response +to a second file. openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem -reqin req.der -respout resp.der