DOEGrids CA OCSP Service
The OCSP Service URL is http://amethyst.es.net/ocsp.
For example, to check the status of the certificate "usercert.pem" issued by the CA certificate "issuercert.pem", use the following 'openssl' command:
"openssl ocsp -url http://amethyst.es.net/ocsp -issuer issuercert.pem -cert usercert.pem -VAfile respondercert.pem"
respondercert.pem is the OCSP responder's signing certificate; every OCSP response from this server is signed with it.
You need a copy of this certificate before you can verify the responses you get from the server. The '-VAfile' option (equivalent to '-verify_other' plus '-trust_other') makes openssl trust that certificate explicitly as the responder: the response signature is checked against it, but no chain is built from it to a CA. Obtain it from a trusted source rather than from the OCSP response itself; otherwise "Response verify OK" only means the response matches a certificate you never validated.
openssl then prints a summary of the response it received:
Response verify OK
usercert.pem: good
This Update: Nov 19 04:25:37 2005 GMT
Add the '-text' option to print the full OCSP request and response, including the responder's certificate chain:
"openssl ocsp -url http://amethyst.es.net/ocsp -issuer issuercert.pem -cert usercert.pem -VAfile respondercert.pem -text"
Here is the output with '-text' (long fields are abbreviated with ...):
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: CF7E9698E0314D2006459B8573E5DB63755C0A75
          Issuer Key Hash: 25D055D15B3BFAADA2AAEB15CADA4DDFAE344CB7
          Serial Number: 13
    Request Extensions:
        OCSP Nonce:
            D25E1E6B000DBB6720538D93AA854343
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: DC = org, DC = DOEGrids, OU = Beta Level Service, CN = DOEGrids OCSP Responder
    Produced At: Oct 2 21:20:29 2006 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: CF7E9698E0314D2006459B8573E5DB63755C0A75
      Issuer Key Hash: 25D055D15B3BFAADA2AAEB15CADA4DDFAE344CB7
      Serial Number: 13
    Cert Status: good
    This Update: Nov 19 04:25:37 2005 GMT
    ...
    ...
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 205 (0xcd)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=net, DC=ES, OU=Certificate Authorities, CN=ESnet SSL Server Certificates
        Validity
            Not Before: Oct 1 21:31:57 2007 GMT
            Not After : Sep 30 21:31:57 2008 GMT
        Subject: DC=org, DC=DOEGrids, OU=Beta Level Service, CN=DOEGrids OCSP Responder
        ...
        ...
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 24 (0x18)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=net, DC=ES, O=ESnet, OU=Certificate Authorities, CN=ESnet Root CA 1
        Validity
            Not Before: Feb 3 08:00:00 2004 GMT
            Not After : Feb 3 08:00:00 2009 GMT
        Subject: DC=net, DC=ES, OU=Certificate Authorities, CN=ESnet SSL Server Certificates
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
        ...
        ...
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12 (0xc)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=net, DC=ES, O=ESnet, OU=Certificate Authorities, CN=ESnet Root CA 1
        Validity
            Not Before: Oct 8 07:00:00 2002 GMT
            Not After : Oct 8 07:00:00 2012 GMT
        Subject: DC=net, DC=ES, O=ESnet, OU=Certificate Authorities, CN=ESnet Root CA 1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                Modulus (2048 bit):
        ...
        ...
Response verify OK
usercert.pem: good
This Update: Nov 19 04:25:37 2005 GMT
"Response verify OK" only says the signature checked out against the certificate given to '-VAfile'. Two further things are worth checking in the output. First, freshness: compare This Update (and Next Update, when the responder includes one) with the time of your query; '-status_age seconds' makes openssl print "WARNING: Status times invalid." when a response without Next Update has a This Update older than that. Second, the nonce: the response should echo the nonce from the request; openssl prints "WARNING: no nonce in response" if the responder returned none, and stops with "Nonce Verify error" if it returned a different one. Note also that openssl ocsp exits 0 whenever verification succeeds, whether the status is good or revoked, so scripts must parse the status line rather than rely on the exit code.