show ssl ocsp-response
Show the Online Certificate Status Protocol (OCSP) response for an SSL/TLS certificate.
The Online Certificate Status Protocol (OCSP) allows a client (browser) to see the revocation status of an SSL/TLS certificate in real time. A client contacts an OCSP Responder server to get the OCSP response, which contains the certificate's revocation status. The Responder server is often managed by the certificate issuer. OCSP stapling is a mechanism that allows you to fetch the revocation status ahead of time and attach it to the certificate, saving the client from needing to make that request to the OCSP Responder server.
The OCSP response contains a revocation status for the certificate of either good, revoked, or unknown.
Use the show ssl ocsp-response command to display the IDs of the OCSP tree entries corresponding to all the OCSP responses used in HAProxy, as well as the issuer's name hash, the issuer's key hash, and the serial number of the certificate for which each OCSP response was built.
To display the contents of a specific OCSP response, provide the response ID as an argument. The information displayed is the same as that shown by openssl ocsp -respin ocsp-response.
To set the OCSP response, use the Runtime API command set ssl ocsp-response.
You can also display the OCSP response using show ssl cert.
Show all OCSP tree entries.
$ echo "show ssl ocsp-response" | \
  sudo socat stdio unix-connect:/var/run/hapee-2.8/hapee-lb.sock

# Certificate IDs
  Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100a
    Certificate ID:
      Issuer Name Hash: 8A83E0060FAFF709CA7E9B95522A2E81635FDA0A
      Issuer Key Hash: F652B0E435D5EA923851508F0ADBE92D85DE007A
      Serial Number: 100A
Show the details for the specified OCSP response.
$ echo "show ssl ocsp-response 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a0202100a" | \
  sudo socat stdio unix-connect:/var/run/hapee-2.8/hapee-lb.sock

OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = FR, O = HAProxy Technologies, CN = ocsp.haproxy.com
    Produced At: May 27 15:43:38 2021 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 8A83E0060FAFF709CA7E9B95522A2E81635FDA0A
      Issuer Key Hash: F652B0E435D5EA923851508F0ADBE92D85DE007A
      Serial Number: 100A
    Cert Status: good
    This Update: May 27 15:43:38 2021 GMT
    Next Update: Oct 12 15:43:38 2048 GMT
[...]
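An added example, not part of the HAProxy documentation: a Python check that reads the text returned by show ssl ocsp-response with a response ID and reports a stapled response that is not good or is close to expiry. The function names, the 24-hour threshold, and the one-field-per-line sample (built from the output above) are assumptions made for this example; it assumes one certificate status per response.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: fields from the response shown on this page, one per line.
SAMPLE = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Produced At: May 27 15:43:38 2021 GMT
    Responses:
    Certificate ID:
      Serial Number: 100A
    Cert Status: good
    This Update: May 27 15:43:38 2021 GMT
    Next Update: Oct 12 15:43:38 2048 GMT
"""

def _field(text, name):
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.+?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None

def _when(value):
    # Times are printed in the form "May 27 15:43:38 2021 GMT".
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def check_staple(text, now, min_remaining=timedelta(hours=24)):
    """Return the problems found in one OCSP response dump (empty list = healthy)."""
    problems = []
    status = _field(text, "OCSP Response Status") or "missing"
    if not status.startswith("successful"):
        problems.append(f"response status: {status}")
    cert_status = _field(text, "Cert Status") or "missing"
    if cert_status != "good":  # revoked or unknown must never be stapled silently
        problems.append(f"cert status: {cert_status}")
    this_update, next_update = _field(text, "This Update"), _field(text, "Next Update")
    if this_update and _when(this_update) > now:
        problems.append("thisUpdate is in the future (clock skew?)")
    if next_update is None:  # Next Update is optional in an OCSP response
        problems.append("no nextUpdate: freshness cannot be bounded")
    elif _when(next_update) - now < min_remaining:  # assumed alert threshold
        problems.append(f"nextUpdate too close or passed: {next_update}")
    return problems

if __name__ == "__main__":
    print(check_staple(SAMPLE, datetime.now(timezone.utc)) or "staple OK")
```

In practice, pass the socat output for each response ID to check_staple and alert on any non-empty result, then refresh the response with set ssl ocsp-response.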