
Request status for Nexus OCSP Responder

You can test the configuration and setup of Nexus OCSP Responder with the bundled OCSP client. It is named ocsp_client.bat on Windows and ocsp_client on the supported Linux distributions, and it is located in the /bin directory relative to the installation root.

The basic usage of the bundled OCSP client is as follows:

CODE
ocsp_client -verbose -url <url> -certstore <trust-store> -nonce
-servicelocator <url> -authcert <certificate> -authpin <pin>
-pkcs11lib <lib> -provider <provider> -signalg <algorithm>
-signcert <certificate> -signpin <pin> -[no]chain <serial-nr> ...

Options and Arguments, each followed by its description:

-authcert <certificate>

The certificate to use for TLS client authentication. Replace <certificate> with either the filename of a PKCS12 encoded token or a unique part of the subject DN of a certificate in the PKCS11 key store. See also -pkcs11lib.

-authpin <pin>

Replace <pin> with the PIN used to access the key associated with the authentication certificate.

-certstore <trust-store>

Replace <trust-store> with the name of a file containing the root CA and subordinate CA certificates.

-signcert <certificate>

The certificate to use for signing the OCSP request. Replace <certificate> with either the filename of a PKCS12 encoded token or a unique part of the subject DN of a certificate in the PKCS11 key store. See also -pkcs11lib.

-signpin <pin>

Replace <pin> with the PIN used to access the key associated with the signing certificate.

-chain

Use this option to include the certificate chain in the signed OCSP request. By default only the signature certificate itself is included.

-nochain

Use this option to include neither the signature certificate nor its chain in the signed OCSP request.

-nonce

Use this option to add a random nonce to the request.

-pkcs11lib <lib>

Replace <lib> with the name of a PKCS11 library. This option must be given when the authentication or signing certificate resides in a PKCS11 key store.

-provider <provider>

Replace <provider> with the provider name or class name of the JCE provider that performs the signature.

-servicelocator <url>

Replace <url> with the location of an alternate OCSP responder to which the queried responder may redirect the request.

-signalg <algorithm>

Replace <algorithm> with the name of the signature algorithm to use.

-url <url>

Replace <url> with the location of the OCSP responder to send a request to.

-verbose

Use this option to print out debug data and more information about the response.

<serial-nr>

Either the name of a file containing the certificate whose status is to be queried, or a certificate serial number and issuer name given as <number>:<issuer DN or part of>. The number is read as decimal, or as hexadecimal when prefixed with 0x.
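The <serial-nr> argument has two forms, a certificate file or a <number>:<issuer DN or part of> spec, and a client has to tell them apart before it can build the request. The parser below is an added example written for this page; it is not part of ocsp_client or of Nexus OCSP Responder. It applies the rules stated above (0x prefix means hexadecimal, otherwise decimal) and rejects anything else with a clear error, which matters because a typo in a serial number silently queries the status of a different certificate. The `is_file` parameter is an assumption introduced so the file check can be swapped out in tests.

```python
import os


def parse_serial(number):
    """Parse the <number> half of a serial spec.

    '0x' prefix means hexadecimal, otherwise decimal; anything else is an error.
    Certificate serials are positive integers (RFC 5280 4.1.2.2), so 0 and
    negative values are rejected as well.
    """
    number = number.strip()
    if number[:2].lower() == "0x":
        digits = number[2:]
        if not digits or any(c not in "0123456789abcdefABCDEF" for c in digits):
            raise ValueError(f"bad hexadecimal serial number: {number!r}")
        serial = int(digits, 16)
    elif number.isascii() and number.isdigit():
        serial = int(number, 10)
    else:
        raise ValueError(f"bad serial number: {number!r}")
    if serial <= 0:
        raise ValueError(f"serial number must be positive: {number!r}")
    return serial


def parse_target(arg, is_file=os.path.isfile):
    """Classify one <serial-nr> argument.

    Returns {'kind': 'file', 'path': ...} for an existing certificate file, or
    {'kind': 'serial', 'serial': int, 'issuer': str} for a <number>:<issuer> spec.
    The file check runs first so that a Windows path such as C:\\certs\\a.crt
    is not mistaken for a serial spec (it contains a colon too).
    """
    if is_file(arg):
        return {"kind": "file", "path": arg}
    # Split on the first colon only: the issuer DN may itself contain colons.
    number, sep, issuer = arg.partition(":")
    if not sep or not issuer.strip():
        raise ValueError(
            f"{arg!r} is neither an existing certificate file nor "
            "a <number>:<issuer DN or part of> spec"
        )
    return {"kind": "serial", "serial": parse_serial(number), "issuer": issuer.strip()}


def classify_targets(args, is_file=os.path.isfile):
    """Parse every positional target; returns (parsed_targets, error_messages)."""
    parsed, errors = [], []
    for arg in args:
        try:
            parsed.append(parse_target(arg, is_file))
        except ValueError as exc:
            errors.append(str(exc))
    return parsed, errors


if __name__ == "__main__":
    # Constructed sample arguments mirroring the examples on this page.
    sample = [
        "example1.crt",
        "0x42f3d19e9fe13f98b8c7b98f10bf6c2d:cn=Issuing CA,c=SE",
        "4711:cn=Issuing CA",
        "abc:cn=Issuing CA",
    ]
    targets, problems = classify_targets(sample, is_file=lambda p: p.endswith(".crt"))
    for t in targets:
        print(t)
    for p in problems:
        print("rejected:", p)
```

A client that checks its positional arguments this way fails before sending anything when a target is malformed, rather than querying the wrong serial or reporting a confusing "unknown" status.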

Examples

Example 1: single, unsigned, non-nonced request

CODE
ocsp_client -verbose -url http://ocsphost:81/ -certstore trust.store example1.crt

Example 2: single, unsigned, non-nonced request by serial number and issuer name

CODE
ocsp_client -verbose -url http://ocsphost:81/ -certstore trust.store "0x42f3d19e9fe13f98b8c7b98f10bf6c2d:cn=Issuing CA,c=SE"

Example 3: unsigned nonced multirequest over client-authenticated TLS

CODE
ocsp_client -verbose -url https://ocsphost:81/ -certstore trust.store -nonce -authcert "Ocsp Test Auth" -authpin 1234 -pkcs11lib pkcs11_library.dll example1.crt example2.crt

Example 4: signed, non-nonced request about a root certificate

CODE
ocsp_client -verbose -url http://ocsphost:81/ -certstore trust.store -signcert "Ocsp Test Sign" -signpin 1234 -pkcs11lib pkcs11_library.dll root-cert.crt
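The -nonce option used in Example 3 adds a random value to the request so that the response can be tied to that exact request rather than replayed from an earlier one. What the option puts on the wire is the id-pkix-ocsp-nonce extension (OID 1.3.6.1.5.5.7.48.1.2), and a client only gets the replay protection if it compares the nonce in the response with the one it sent. The code below is an added example written for this page, not ocsp_client's own implementation: it DER-encodes the extension as RFC 8954 specifies (extnValue wrapping the nonce in its own OCTET STRING) and verifies the nonce that comes back. The function names and the 1..32 octet length check are assumptions taken from RFC 8954, not from the Nexus documentation.

```python
import secrets

# DER encoding of id-pkix-ocsp-nonce, 1.3.6.1.5.5.7.48.1.2 (tag 0x06, length 9, contents).
ID_PKIX_OCSP_NONCE = bytes.fromhex("06092b0601050507300102")


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    """One DER tag-length-value element."""
    return bytes([tag]) + der_length(len(content)) + content


def new_nonce(size=16):
    """Fresh random nonce; 16 octets is the size RFC 8954 recommends as a minimum."""
    return secrets.token_bytes(size)


def encode_nonce_extension(nonce):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }.

    For the nonce, extnValue carries the nonce wrapped in its own DER OCTET STRING
    (RFC 8954). 'critical' is FALSE and therefore omitted in DER.
    """
    if not 1 <= len(nonce) <= 32:
        raise ValueError("RFC 8954 limits the nonce to 1..32 octets")
    return der_tlv(0x30, ID_PKIX_OCSP_NONCE + der_tlv(0x04, der_tlv(0x04, nonce)))


def read_tlv(buf, pos=0):
    """Read one DER TLV starting at pos; returns (tag, content, end_offset)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated content")
    return tag, buf[pos:end], end


def decode_nonce_extension(ext):
    """Return the nonce bytes from a DER-encoded id-pkix-ocsp-nonce Extension."""
    tag, body, end = read_tlv(ext)
    if tag != 0x30 or end != len(ext):
        raise ValueError("extension is not a single SEQUENCE")
    tag, oid, pos = read_tlv(body)
    if tag != 0x06 or der_tlv(0x06, oid) != ID_PKIX_OCSP_NONCE:
        raise ValueError("not the OCSP nonce extension")
    tag, value, pos = read_tlv(body, pos)
    if tag == 0x01:  # optional 'critical' BOOLEAN present: skip it
        tag, value, pos = read_tlv(body, pos)
    if tag != 0x04 or pos != len(body):
        raise ValueError("malformed extnValue")
    tag, nonce, inner_end = read_tlv(value)
    if tag != 0x04 or inner_end != len(value):
        raise ValueError("extnValue does not wrap a DER OCTET STRING")
    return nonce


def response_nonce_matches(sent, response_ext):
    """True only when the response carries the nonce extension and it equals what was sent.

    A missing or different nonce means the response cannot be tied to this request;
    treating that as a failure (fail closed) is the safe default for a verifier.
    """
    try:
        got = decode_nonce_extension(response_ext)
    except ValueError:
        return False
    return secrets.compare_digest(sent, got)


if __name__ == "__main__":
    # Constructed round trip: encode a nonce as the client would, then check a "response".
    sent = new_nonce()
    print("request extension:", encode_nonce_extension(sent).hex())
    print("match:", response_nonce_matches(sent, encode_nonce_extension(sent)))
    print("replayed response:", response_nonce_matches(sent, encode_nonce_extension(new_nonce())))
```

Run with -verbose, the client prints the response contents, which is where the returned nonce can be seen. RFC 8954 allows a responder to omit the nonce from its response; the check above returns False in that case, so a caller that wants to accept such responses must decide that explicitly instead of getting it by accident.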
