How to test client applications with OpenValidation.org

Developers can use the OpenValidation.org Responder Service to test the functionality of their OCSP-enabled client applications. OpenValidation.org provides certificates with known status and several virtual hosts to enable developers to test their OCSP clients extensively with a professional OCSP Responder.

To test an OCSP client application it is necessary to download the OpenValidation RootCA certificate, OCSP Responder certificate and test certificates (with known status).

Configure your client application to send certificate status requests to the OpenValidation.org OCSP Responder (http://ocsp.openvalidation.org). We provide several virtual hosts with different OCSP Responder configurations to allow testing with the full range of possible responses.
Virtual Hosts at http://ocsp.openvalidation.org:

| Port | Responder behaviour |
|------|---------------------|
| 80 | Standard configuration. OCSP Responder will accept all proper requests and send a signed response. |
| 8080 | Response does not contain any attached certificates. Client must accept this response. |
| 8081 | Never replies with a nonce. Insecure but standards-conformant mode. Client application should warn in case of replay attacks. |
| 8082 | The OCSP Responder will sign the response with randomized bytecode. Client should NOT accept this response. |
| 8083 | OCSP response will always be revoked. |
| 8084 | OCSP response will always be unknown. |
| 8085 | OCSP response will always be malformed. |
| 8086 | OCSP response will always be internal error. |
| 8087 | OCSP response will always be try later. |
| 8088 | OCSP response will always be signature required. |
| 8089 | OCSP response will always be unauth. |
| 8090 | Standard configuration with full debug logs. Debug logs are visible at http://www.openvalidation.org/debug.php |
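
A client test for ports 8085 to 8089 has to confirm that the application reads the responder's error status rather than treating the reply as a certificate status. The Python below is an added example, not code from the original page or from OpenValidation.org: it reads the `responseStatus` field of a DER-encoded OCSPResponse (RFC 6960) and compares it with the status each port is documented to return. It assumes "malformed" in the table means the `malformedRequest` status; `EXPECTED_ERROR`, `response_status`, `check_port` and the sample bytes are constructed for illustration.

```python
# Added example, not from the original page.
# responseStatus values defined in RFC 6960, section 4.2.1 (value 4 is unused).
STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
          3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

# Assumption: error status each virtual host returns, read from the port table.
EXPECTED_ERROR = {8085: "malformedRequest", 8086: "internalError",
                  8087: "tryLater", 8088: "sigRequired", 8089: "unauthorized"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER element; reject bad lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def response_status(der):
    """Name of the responseStatus in an OCSPResponse, validated strictly."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, value, nxt = read_tlv(body, 0)
    if tag != 0x0A or len(value) != 1:
        raise ValueError("responseStatus is not a one-byte ENUMERATED")
    name = STATUS.get(value[0])
    if name is None:
        raise ValueError(f"undefined responseStatus {value[0]}")
    # RFC 6960: responseBytes is not set when the status is an error.
    if name != "successful" and nxt < len(body):
        raise ValueError("error response must not carry responseBytes")
    return name

def check_port(port, der):
    """True if the response from `port` carries the documented error status."""
    return response_status(der) == EXPECTED_ERROR[port]

# Constructed sample: the five-byte DER encoding of a tryLater response.
SAMPLE_TRY_LATER = bytes.fromhex("30030a0103")

if __name__ == "__main__":
    print(response_status(SAMPLE_TRY_LATER), check_port(8087, SAMPLE_TRY_LATER))
```

A client under test should surface these statuses as errors and must not fall back to treating the certificate as good.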

Here you can find detailed information about processing certificate status requests with openssl.

For example, an openssl status request for a valid test certificate, and the answer, could look like this:

```
C:\>openssl ocsp -host ocsp.openvalidation.org:80 -issuer RootCAcert.pem -VAfile OCSPServer.pem -cert User.pem
Response verify OK
User.pem: good
This Update: Aug 17 10:12:03 2001 GMT
Next Update: Aug 16 10:12:03 2006 GMT
```

Or, for example, an openssl status request using the known serial number of a revoked test certificate, and the answer, could look like this:

```
C:\>openssl ocsp -host ocsp.openvalidation.org:8090 -issuer RootCAcert.pem -VAfile OCSPServer.pem -serial 03
Response verify OK
03: revoked
This Update: Aug 17 10:12:03 2001 GMT
Next Update: Aug 16 10:12:03 2006 GMT
Revocation Time: Aug 17 10:10:39 2001 GMT
```

These openssl requests will only work with the newest release of openssl.