Services offered here

Developers can use the OpenValidation.org Responder Service to test the functionality of their OCSP-enabled client applications. OpenValidation.org provides certificates with known status and several virtual hosts so that developers can test their OCSP clients extensively against a professional OCSP Responder.

To test an OCSP client application, it is necessary to download the OpenValidation RootCA certificate, the OCSP Responder certificate and the test certificates (with known status).

Configure your client application to send certificate status requests to the OpenValidation.org OCSP Responder (http://ocsp.openvalidation.org). We provide several virtual hosts with different OCSP Responder configurations to allow testing with the full range of possible responses.

Virtual Hosts at http://ocsp.openvalidation.org:

Port: 80 Standard configuration. The OCSP Responder will accept all proper requests and send a signed response.
Port: 8080 Response does not contain any attached certificates. The client must accept this response.
Port: 8081 Never returns the nonce. Insecure, but standards-conformant mode. The client application should warn of possible replay attacks.
Port: 8082 The OCSP Responder will sign the response with randomized bytecode. The client should NOT accept this response.
Port: 8083 OCSP response will always be revoked.
Port: 8084 OCSP response will always be unknown.
Port: 8085 OCSP response will always be malformed.
Port: 8086 OCSP response will always be internal error.
Port: 8087 OCSP response will always be try later.
Port: 8088 OCSP response will always be signature required.
Port: 8089 OCSP response will always be unauth.
Port: 8090 Standard configuration with full debug logs. Access the logs at http://www.openvalidation.org/en/test/logs.html
Port: 8091 Internal test responder. Configuration will change on demand. If you want to check a certain configuration, just contact us.
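
A client-side view of the hosts listed above, as an added example (not code from OpenValidation.org): it reads the responseStatus field of a DER-encoded OCSPResponse as defined in RFC 6960 and maps it, together with the signature, nonce and certificate status checks, to a decision. The function names, the decision strings and the policy itself are assumptions; sig_ok, nonce_echoed and cert_status are assumed to come from the client's own OCSP library.

```python
from enum import IntEnum

# OCSPResponseStatus values from RFC 6960 (4 is not used)
Status = IntEnum("Status", {"SUCCESSFUL": 0, "MALFORMED_REQUEST": 1, "INTERNAL_ERROR": 2,
                            "TRY_LATER": 3, "SIG_REQUIRED": 5, "UNAUTHORIZED": 6})

SAMPLE_TRY_LATER = bytes.fromhex("30030a0103")  # constructed sample: a tryLater error reply

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos; ValueError if truncated."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def response_status(der):
    """Return (Status, has_response_bytes) for a DER OCSPResponse."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not exactly one SEQUENCE")
    tag, val, nxt = read_tlv(body, 0)
    if tag != 0x0A or len(val) != 1:
        raise ValueError("responseStatus is not a one-byte ENUMERATED")
    return Status(val[0]), nxt < len(body)  # unknown codes raise ValueError

def decide(der, sig_ok=False, nonce_echoed=False, cert_status=None):
    """Assumed client policy: anything that is not a verified 'good' is never treated as good."""
    try:
        status, has_body = response_status(der)
    except ValueError:
        return "reject: unparseable response"
    if status in (Status.TRY_LATER, Status.INTERNAL_ERROR):
        return "no answer: retry later"
    if status != Status.SUCCESSFUL:
        return "no answer: fix request (%s)" % status.name
    if not has_body or not sig_ok:  # sig_ok may rely on a locally configured responder cert
        return "reject: unsigned or bad signature"
    if cert_status != "good":
        return "do not trust certificate: %s" % cert_status
    return "good" if nonce_echoed else "good, warn: no nonce (replay possible)"
```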

Step-by-step instructions on using OpenSSL to test this OCSP responder, with detailed information about processing certificate status requests with openssl, are available separately.

For example, an openssl status request and the answer for a valid test certificate could look like this:

C:\>openssl ocsp -host ocsp.openvalidation.org:80 -issuer RootCAcert.pem -VAfile OCSPServer.pem -cert User.pem

Response verify OK
User.pem: good
This Update: Aug 17 10:12:03 2001 GMT
Next Update: Aug 16 10:12:03 2006 GMT

An openssl status request and the answer for the known serial number of a revoked test certificate could look like this:

C:\>openssl ocsp -host ocsp.openvalidation.org:8090 -issuer RootCAcert.pem -VAfile OCSPServer.pem -serial 03

Response verify OK
03: revoked
This Update: Aug 17 10:12:03 2001 GMT
Next Update: Aug 16 10:12:03 2006 GMT
Revocation Time: Aug 17 10:10:39 2001 GMT

These openssl requests will only work with the newest release of openssl. Most Linux distributions include openssl. Binary versions of OpenSSL are also available for Solaris and Windows.

Remember: OpenSSL supports OCSP from version 0.9.7 onwards.