Run the following openssl command to test the OCSP Responder service.
openssl ocsp -issuer <ca_cert> -serial <sn> -url <url> -VAfile <va_cert>
For example:
$ openssl ocsp -issuer issuer.pem -serial 0x000000002439fa8f5fe6370bb20ccb2556da6991 -url http://10.1.141.37/eva -VAfile ./VAFile.pem
Response verify OK
0x000000002439fa8f5fe6370bb20ccb2556da6991: good
This Update: Nov 7 18:52:34 2022 GMT
Next Update: Nov 8 02:41:13 2022 GMT
See below for a description of each command option.
The OCSP Responder service reboots when it loses its connection with the HSM. Run the evactl check all command to check the HSM connection and other settings.
-issuer <ca_cert>
Validate the status of a certificate issued by the <ca_cert> CA, where <ca_cert> is the file path of the CA certificate.
-serial <sn>
Validate the status of the certificate with the <sn> serial number.
-url <url>
Connect to the <url> Entrust Validation Authority service, where <url> is a URL in the following format.
http://<host>/eva
Where <host> is the IP address or hostname of the host running Entrust Validation Authority.
-VAfile <va_cert>
Validate the response with the <va_cert> certificate, where <va_cert> is the file path of the certificate:
- Generated as explained in Generating a VA certificate and key pair.
- Assigned to the VA certificate configuration parameter.
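To turn the manual test above into a repeatable health check, the command's output can be evaluated so that anything other than a verified, fresh "good" answer counts as a failure. The following is an added example, not part of the Entrust documentation; the function names are hypothetical, and the sample text is the output shown in the example above, expected as the command's combined stdout and stderr.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the output from the example on this page.
SERIAL = "0x000000002439fa8f5fe6370bb20ccb2556da6991"
SAMPLE = """Response verify OK
0x000000002439fa8f5fe6370bb20ccb2556da6991: good
This Update: Nov 7 18:52:34 2022 GMT
Next Update: Nov 8 02:41:13 2022 GMT
"""

def _parse_time(text, label):
    """Return the UTC datetime for a 'This Update' / 'Next Update' line, or None."""
    m = re.search(rf"^\s*{label}:\s*(.+?)\s*$", text, re.MULTILINE)
    if not m:
        return None
    stamp = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y GMT")
    return stamp.replace(tzinfo=timezone.utc)

def check_ocsp_output(text, serial, now):
    """Return (ok, reason); ok is True only for a verified, fresh 'good' status."""
    # 1. The response signature must have verified against the -VAfile certificate.
    if not re.search(r"^Response verify OK\s*$", text, re.MULTILINE):
        return False, "response not verified against the VA certificate"
    # 2. The status line must be for the serial number that was requested.
    m = re.search(rf"^{re.escape(serial)}:\s*(\w+)", text,
                  re.MULTILINE | re.IGNORECASE)
    if not m:
        return False, "no status line for the requested serial"
    status = m.group(1).lower()
    if status != "good":
        return False, f"certificate status is {status}"
    # 3. The response must be inside its validity window (Next Update is optional).
    this_update = _parse_time(text, "This Update")
    next_update = _parse_time(text, "Next Update")
    if this_update is None:
        return False, "missing This Update"
    if this_update > now:
        return False, "response not yet valid"
    if next_update is not None and now > next_update:
        return False, "stale response (past Next Update)"
    return True, "good"

if __name__ == "__main__":
    # Evaluate the sample at a time inside its validity window.
    print(check_ocsp_output(SAMPLE, SERIAL,
                            datetime(2022, 11, 7, 20, 0, tzinfo=timezone.utc)))
```

In a live check, pass datetime.now(timezone.utc) as now and feed the function the captured output of the openssl ocsp command.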