How to do OCSP requests using OpenSSL and CURL


It pretty easy, the OpenSSL and CURL manuals make it fairly easy but I thought I would put it all here in a single post for you.

First in these examples I used the certificates from the site, I saved the www certificate to globalsignssl.crt and its issuer to globalsignssl.crt.

Next you will find a series of commands used to generate both POSTs and GETs for OCSP:

1. Create a OCSP request to work with, this also will produce a POST to the OCSP responder

openssl ocsp -noverify -no_nonce -respout ocspglobalsignca.resp -reqout ocspglobalsignca.req -issuer globalsigng2.cer -cert -url "" -header "HOST" "" -text

2. Base64 encode the DER encoded OCSP request

openssl enc -in ocspglobalsignca.req -out ocspglobalsignca.req.b64 -a

3. URL Encode the Base64 blob after removing any line breaks (see: for a decoder)

4. Copy the Base64 into the URL you will use in your GET{URL encoded Base64 Here}

5. Do your GET:

curl --verbose --url


If you like you can also re-play the request that was generated with OpenSSL as a POST:

curl --verbose --data-binary  @ocspglobalsignca.req -H "Content-Type:application/ocsp-request" --url

10 thoughts on “How to do OCSP requests using OpenSSL and CURL

  1. Pingback: Measuring OCSP Responder Performance with Powershell

  2. Peter Hesse

    Thanks, this is helpful. I’m running into a problem where this works through a reverse proxy into our environment, but both OpenSSL and certutil -url fail. Ideas on how the above style of request is different than typical?

    1. rmhrisk Post author

      Peter, if I understand correctly your environment uses a SOCKS proxy to gain access to the network where the OCSP server is located and since neither OpenSSL or certutil support that natively you are asking how to run a test in such an environment? If so you probably need to use something like

      1. Peter Hesse

        Actually – turned out it was simply a matter of the reverse proxy needing the host header to be present in order to forward it on to the right host and therefore getting a proper response.

        Adding the following to the curl line
        –header ‘Host:
        solved my problem.

        Thanks for the pointer to proxytunnel though.

  3. Pingback: 常见工具 - PKI.WIKI

Leave a Reply

Your email address will not be published. Required fields are marked *