Let's start with a real example:
d:>openssl ocsp -issuer issuer.cer -cert login.sina.com.cn.crt -url http://ocsp.verisign.com/
Response Verify Failure
2296:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:.\crypto\ocsp\ocsp_vfy.c:122:Verify error:unable to get local issuer certificate
login.sina.com.cn.crt: good
This Update: Oct 20 14:03:40 2009 GMT
Next Update: Oct 27 14:03:40 2009 GMT
Here,
login.sina.com.cn.crt is the certificate whose status we want to check, and
issuer.cer is the certificate of the CA that issued login.sina.com.cn.crt.
To see the full contents of the request and the response, add the -text option:
d:>openssl ocsp -issuer issuer.cer -cert login.sina.com.cn.crt -url http://ocsp.verisign.com/ -text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: C0FE0278FC99188891B3F212E9C7E1B21AB7BFC0
          Issuer Key Hash: 0DFC1DF0A9E0F01CE7F2B213177E6F8D157CD4F6
          Serial Number: 25E692D2645B52CD365386F2424FE9A0
    Request Extensions:
        OCSP Nonce:
            041026AA90D62932AFDE2FFFF5682E3AEDA4
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: O = VeriSign Trust Network, OU = "VeriSign, Inc.", OU = VeriSign International Server OCSP Responder - Class 3, OU = Terms of use at www.verisign.com/rpa (c)03
    Produced At: Oct 20 14:03:40 2009 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: C0FE0278FC99188891B3F212E9C7E1B21AB7BFC0
      Issuer Key Hash: 0DFC1DF0A9E0F01CE7F2B213177E6F8D157CD4F6
      Serial Number: 25E692D2645B52CD365386F2424FE9A0
    Cert Status: good
    This Update: Oct 20 14:03:40 2009 GMT
    Next Update: Oct 27 14:03:40 2009 GMT
The OCSP response is signed by the CA, which is what guarantees that the response data is trustworthy. That signature check is exactly what the "Response Verify Failure" above reports: the verifier could not find the responder's issuer certificate in the local trust store ("unable to get local issuer certificate"), so the "good" status printed below it has not been authenticated and should not be relied on until verification succeeds (for example by supplying the trust anchor with -CAfile).
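The following script is an added example, not part of the original post and not OpenSSL project code. It reproduces the request/response cycle above offline against a throwaway test CA, so that a verified "good" response, a "revoked" response, and a response whose signature does not check out can be compared side by side. It assumes an openssl binary on PATH (1.1.0 or later, for -badsig); every name in it (OCSP Demo Test CA, ocsp-demo.example, ca.crt, leaf.crt, serial 0x1001) is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post or OpenSSL): an offline OCSP
# request/response cycle against a constructed test CA. All names here are
# made up for the demo.

WORK="${TMPDIR:-/tmp}/ocsp-demo.$$"
trap 'rm -rf "$WORK"' EXIT

# Build a self-signed test CA, one leaf certificate it issued (serial 0x1001),
# and an OCSP request for that leaf saved to req.der instead of being sent.
setup_pki() {
    mkdir -p "$WORK" && cd "$WORK" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=OCSP Demo Test CA" \
        -keyout ca.key -out ca.crt 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ocsp-demo.example" \
        -keyout leaf.key -out leaf.csr 2>/dev/null || return 1
    openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -set_serial 4097 \
        -days 30 -out leaf.crt 2>/dev/null || return 1
    openssl ocsp -issuer ca.crt -cert leaf.crt -reqout req.der >/dev/null 2>&1
}

# Write the CA database the responder reads (same layout as "openssl ca"'s
# index.txt): status, expiry, revocation date, serial (hex), filename, subject.
# $1 is V (valid) or R (revoked, stamped with the current UTC time).
write_index() {
    if [ "$1" = "R" ]; then
        printf 'R\t491231235959Z\t%s\t1001\tunknown\t/CN=ocsp-demo.example\n' \
            "$(date -u +%y%m%d%H%M%SZ)" > index.txt
    else
        printf 'V\t491231235959Z\t\t1001\tunknown\t/CN=ocsp-demo.example\n' > index.txt
    fi
}

# Answer req.der from index.txt, signing the response with the CA key itself
# (VeriSign above used a delegated responder certificate instead). $1 is the
# output file; extra arguments such as -badsig go straight to openssl.
respond() {
    out="$1"; shift
    openssl ocsp -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key \
        -reqin req.der -respout "$out" "$@" >/dev/null 2>&1
}

# Verify a saved response the way the post's command does, with two changes:
# -CAfile names the trust anchor (the failing command above had none for the
# VeriSign responder), and -no_nonce because a freshly built request would
# carry a new nonce that cannot match the one echoed in the stored response.
verify_resp() {
    openssl ocsp -issuer ca.crt -cert leaf.crt -no_nonce -CAfile ca.crt -respin "$1" 2>&1
}

# Decode the stored request and a stored response in the same -text layout
# shown in the post.
dump_text() {
    openssl ocsp -reqin req.der -req_text -no_nonce 2>/dev/null
    openssl ocsp -respin "$1" -resp_text -noverify -no_nonce 2>/dev/null
}

demo() {
    setup_pki || { echo "PKI setup failed (is openssl on PATH?)" >&2; return 1; }
    write_index V && respond good.der
    echo "== good response =="; verify_resp good.der
    write_index R && respond revoked.der
    echo "== revoked response =="; verify_resp revoked.der
    respond forged.der -badsig
    echo "== response with a corrupted signature =="; verify_resp forged.der
    dump_text good.der
}

demo
```

Two things worth noticing in the output. First, "Response verify OK" appears only once a trust anchor is available; with -badsig the tool prints "Response Verify Failure" and still goes on to print a status line for leaf.crt, just as the post's first run printed "good" after a verification error, so a script must check the verify line or the exit status (1 on failure) rather than the status line alone. Second, the revoked case shows the index.txt revocation date coming back as the response's Revocation Time.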
Related article: http://blog.chinaunix.net/u/12066/showart.php?id=491918