How can I verify that my OCSP server is working

  • Question

  • Hey

    I have installed OCSP on Win 2008 R2, and I already have Win 2008 R2 Certificate Services, and I have included the URL of the OCSP in the AIA of issued certificates. Is there any tool, or a way to test that the OCSP really is working and reporting the health of certificates?


    ammarhasayen
    Tuesday, January 25, 2011 11:00 AM

Answers

  • There are no free tools for detailed testing. However, certutil can perform basic OCSP tests:

    certutil -url path\file.cer

    In the dialog box that opens, switch the radio button to OCSP and click Verify. This will return Verified if OCSP is working and the certificate is OK. You can also use the 'certutil -verify -urlfetch' command to validate the certificate and certificate chain. During this test certutil will check certificate revocation status through OCSP.

    Also consider using the OCSP Responder MMC snap-in.

    For detailed tests (with detailed info about request and response) you may have to purchase 3rd-party software, such as the Ascertia OCSP Client Tool (price ~1500 euro).


    http://en-us.sysadmins.lv
    • Marked as answer by Joson Zhou Thursday, January 27, 2011 7:43 AM
    Tuesday, January 25, 2011 11:25 AM

All replies

  • You can also use OpenSSL for OCSP testing, though it is quite cumbersome (but it is free). Also Enterprise PKI (a.k.a. pkiview.msc) can be used for simple troubleshooting.

    Feel free to ask more questions if needed.

     

    Martin

    Wednesday, January 26, 2011 7:51 AM
  • Certificatetools.com makes OCSP checking with OpenSSL quick and simple: certificatetools.com > revocation > OCSP Checker. It provides the OpenSSL command and downloads for the certificate and chain so that it can be run locally if desired.
    Monday, June 3, 2019 3:04 PM
  • I highly recommend the certificatetools.com site. It's really easy to use if you want to check a single certificate/site and it's free. It has a pretty intuitive user interface for online sites and it generates the openssl command for you if you need to run it locally because the site/certificate isn't exposed to the internet. You can even copy/paste the certificate into the site to generate the command. Pretty nice tool for this purpose.

    Wednesday, June 24, 2020 10:37 PM
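
Added example (not part of the thread and not any poster's code): a shell wrapper for the local OpenSSL route mentioned in the replies above. It reads the responder URL from the certificate's AIA, queries it with `openssl ocsp`, and classifies the answer. The three file arguments are assumed PEM files you supply (a DER `.cer` must be converted first), and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example: query an OCSP responder with OpenSSL and classify the result.
# classify_ocsp reads the combined stdout+stderr of `openssl ocsp` on stdin and
# prints one verdict. Failure conditions are tested before the status line so
# "good" is never reported from a response that failed verification.
classify_ocsp() {
  out=$(cat)
  case $out in
    *"Response Verify Failure"*) echo unverified ;;      # response signature/chain not trusted
    *"Responder Error:"*)        echo responder-error ;; # e.g. unauthorized, trylater
    *"Status times invalid"*)    echo stale ;;           # update times outside the accepted window
    *": revoked"*)               echo revoked ;;
    *": unknown"*)               echo unknown ;;         # responder has no record of this serial
    *": good"*)                  echo good ;;
    *)                           echo no-answer ;;       # connection failure or empty reply
  esac
}

# check_ocsp CERT ISSUER CAFILE  (file names are assumptions; all PEM)
check_ocsp() {
  cert=$1 issuer=$2 cafile=$3
  # Use the responder URL the CA placed in the certificate's AIA extension.
  url=$(openssl x509 -in "$cert" -noout -ocsp_uri)
  [ -n "$url" ] || { echo "$cert: no OCSP URL in AIA" >&2; return 2; }
  verdict=$(openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" \
              -CAfile "$cafile" 2>&1 | classify_ocsp)
  echo "$cert via $url: $verdict"
  [ "$verdict" = good ]
}

# Constructed sample outputs (not captured from a real responder).
SAMPLE_GOOD='Response verify OK
cert.pem: good
    This Update: Jan 25 10:00:00 2011 GMT
    Next Update: Jan 26 10:00:00 2011 GMT'
SAMPLE_REVOKED='Response verify OK
cert.pem: revoked
    This Update: Jan 25 10:00:00 2011 GMT
    Revocation Time: Jan 20 08:30:00 2011 GMT'
SAMPLE_UNTRUSTED='Response Verify Failure
cert.pem: good
    This Update: Jan 25 10:00:00 2011 GMT'

# Run a live check only when three file arguments are given.
if [ "$#" -eq 3 ]; then check_ocsp "$@"; fi
```

Revoking a test certificate on the CA and re-running the check is the quickest way to confirm the responder reports real revocation state and is not simply answering "good" for everything.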