show ssl ocsp-response
Show the Online Certificate Status Protocol (OCSP) response for an SSL/TLS certificate.
Description
The Online Certificate Status Protocol (OCSP) allows a client (for example, a browser) to check the revocation status of an SSL/TLS certificate in real time. The client contacts an OCSP Responder, usually operated by the certificate issuer, and receives a signed OCSP response that states whether the certificate is still valid. OCSP stapling lets the server (here, HAProxy) fetch that response ahead of time and send it to the client during the TLS handshake, alongside the certificate, so the client does not have to contact the OCSP Responder itself.
The OCSP response contains a revocation status for the certificate of either good, revoked, or unknown. It also carries a This Update and, usually, a Next Update timestamp; a stapled response whose Next Update time has passed is stale and clients may refuse it, so the response must be refreshed before then.
Use the show ssl ocsp-response command to display the IDs of the OCSP tree entries corresponding to all the OCSP responses used in HAProxy, as well as the issuer's name hash, the issuer's key hash, and the serial number of the certificate for which each OCSP response was built.
To display the contents of a specific OCSP response, provide the response ID as an argument. The information displayed is the same as in an openssl ocsp -respin ocsp-response -text call.
To load or update the OCSP response that HAProxy staples for a certificate, use the Runtime API command set ssl ocsp-response.
You can also display the OCSP response for a given certificate using show ssl cert.
Examples
Show all OCSP tree entries.
$ echo "show ssl ocsp-response" | \
sudo socat stdio unix-connect:/var/run/hapee-2.5/hapee-lb.sock
# Certificate IDs
Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100a
Certificate ID:
Issuer Name Hash: 8A83E0060FAFF709CA7E9B95522A2E81635FDA0A
Issuer Key Hash: F652B0E435D5EA923851508F0ADBE92D85DE007A
Serial Number: 100A
Show the details for the specified OCSP response.
$ echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100a" | \
sudo socat stdio unix-connect:/var/run/hapee-2.5/hapee-lb.sock
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com
Produced At: May 27 15:43:38 2021 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 8A83E0060FAFF709CA7E9B95522A2E81635FDA0A
Issuer Key Hash: F652B0E435D5EA923851508F0ADBE92D85DE007A
Serial Number: 100A
Cert Status: good
This Update: May 27 15:43:38 2021 GMT
Next Update: Oct 12 15:43:38 2048 GMT
[...]
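The two commands above are read-only, so they lend themselves to an automated check that every response HAProxy staples is still good and not about to expire. The following script is an added example, not part of the HAProxy documentation: it lists the OCSP tree entries over the Runtime API, fetches each response, and flags any whose Cert Status is not good or whose Next Update is within a warning window. The socket path is the one used in the examples above; the 24-hour warning window, the HAPEE_SOCK and OCSP_WARN_SECS environment variables, and the sample dumps at the end are assumptions introduced here, not values from the page. When no HAProxy socket is present the script runs the checker against the constructed samples instead.

```shell
#!/usr/bin/env bash
# Added example: audit the OCSP responses HAProxy currently holds.
# Assumptions (not from the HAProxy docs): the socket path below, and a
# 24-hour warning window before a response's Next Update time.

SOCK="${HAPEE_SOCK:-/var/run/hapee-2.5/hapee-lb.sock}"   # assumed default path
WARN_SECS="${OCSP_WARN_SECS:-86400}"                     # assumed: warn within 24h

# hap_cmd CMD: send one Runtime API command to HAProxy and print its output.
hap_cmd() {
    printf '%s\n' "$1" | socat stdio "unix-connect:${SOCK}"
}

# list_ocsp_ids: read 'show ssl ocsp-response' output on stdin and print one
# "Certificate ID key" value per line.
list_ocsp_ids() {
    awk '/Certificate ID key/ { sub(/.*: */, ""); print }'
}

# to_epoch "Mon DD HH:MM:SS YYYY GMT": convert the OpenSSL-style timestamp in
# the dump to Unix time with the days-from-civil algorithm, so the check does
# not depend on GNU 'date -d'.
to_epoch() {
    echo "$1" | awk '
    { m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
      d = $2 + 0; split($3, t, ":"); y = $4 + 0
      if (m <= 2) y--
      era = int(y / 400); yoe = y - era * 400
      doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
      doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
      days = era * 146097 + doe - 719468
      printf "%.0f\n", days * 86400 + t[1] * 3600 + t[2] * 60 + t[3] }'
}

# check_ocsp_response [NOW]: read one 'show ssl ocsp-response <id>' dump on
# stdin, print "STATUS NEXT_UPDATE_EPOCH VERDICT", and return 0 only when the
# status is good and the response is neither expired nor about to expire.
check_ocsp_response() {
    local now="${1:-$(date -u +%s)}" dump status next next_epoch=0 verdict
    dump=$(cat)
    status=$(printf '%s\n' "$dump" | awk '/Cert Status:/ { sub(/.*Cert Status: */, ""); print; exit }')
    next=$(printf '%s\n' "$dump"   | awk '/Next Update:/ { sub(/.*Next Update: */, ""); print; exit }')
    if [ -z "$status" ]; then
        echo "none 0 NO-RESPONSE"; return 1
    fi
    [ -n "$next" ] && next_epoch=$(to_epoch "$next")   # Next Update is optional in OCSP
    if [ "$status" != "good" ]; then verdict="NOT-GOOD"
    elif [ "$next_epoch" -gt 0 ] && [ "$next_epoch" -le "$now" ]; then verdict="EXPIRED"
    elif [ "$next_epoch" -gt 0 ] && [ $((next_epoch - now)) -le "$WARN_SECS" ]; then verdict="EXPIRING"
    else verdict="ok"
    fi
    echo "$status $next_epoch $verdict"
    [ "$verdict" = "ok" ]
}

# audit_all: list every OCSP response HAProxy holds and check each one;
# returns non-zero if any response fails the check.
audit_all() {
    local id rc=0
    for id in $(hap_cmd "show ssl ocsp-response" | list_ocsp_ids); do
        printf '%s ' "$id"
        hap_cmd "show ssl ocsp-response $id" | check_ocsp_response || rc=1
    done
    return $rc
}

# Constructed samples modelled on the output shown in the docs (not live captures).
SAMPLE_LIST='# Certificate IDs
Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100a
Certificate ID:
  Issuer Name Hash: 8A83E0060FAFF709CA7E9B95522A2E81635FDA0A'
SAMPLE_GOOD='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Responses:
    Certificate ID:
      Serial Number: 100A
    Cert Status: good
    This Update: May 27 15:43:38 2021 GMT
    Next Update: Oct 12 15:43:38 2048 GMT'
SAMPLE_REVOKED="${SAMPLE_GOOD/Cert Status: good/Cert Status: revoked}"

if [ -S "$SOCK" ]; then
    audit_all
else
    # No HAProxy socket here: demonstrate the checker on the constructed samples.
    printf '%s\n' "$SAMPLE_GOOD"    | check_ocsp_response 1622200000 || true
    printf '%s\n' "$SAMPLE_REVOKED" | check_ocsp_response 1622200000 || true
fi
```

Run it from cron or a monitoring agent and treat a non-zero exit as an alert: a NOT-GOOD verdict means the stapled response says the certificate is revoked or unknown, and EXPIRED or EXPIRING means the response should be refreshed with set ssl ocsp-response before clients start rejecting the stale staple.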