How to do OCSP requests using OpenSSL and CURL


It's pretty easy; the OpenSSL and CURL manuals make it fairly easy, but I thought I would put it all here in a single post for you.

First, in these examples I used the certificates from the site; I saved the www certificate to globalsignssl.crt and its issuer to globalsignssl.crt.

Next you will find a series of commands used to generate both POSTs and GETs for OCSP:

1. Create an OCSP request to work with; this will also produce a POST to the OCSP responder

openssl ocsp -noverify -no_nonce -respout ocspglobalsignca.resp -reqout ocspglobalsignca.req -issuer globalsigng2.cer -cert -url "" -header "HOST" "" -text

2. Base64 encode the DER encoded OCSP request

openssl enc -in ocspglobalsignca.req -out ocspglobalsignca.req.b64 -a

3. URL Encode the Base64 blob after removing any line breaks (see: for a decoder)

4. Copy the Base64 into the URL you will use in your GET{URL encoded Base64 Here}

5. Do your GET:

curl --verbose --url
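
Steps 2 to 4 can be scripted. The following is an added example, not part of the original post: a POSIX shell helper that Base64-encodes the DER request on a single line, percent-encodes it, and joins it to a responder URL. The function names are assumptions of this example, and the 255-byte check reflects RFC 5019's limit for using GET.

```shell
#!/bin/sh
# Added example: build the OCSP GET URL (steps 2-4) from a DER request file.
# The responder URL and file name are supplied by the caller; none come from the post.

# Percent-encode the three Base64 characters that are not URL-safe.
urlencode_b64() {
    printf '%s' "$1" | sed -e 's/+/%2B/g' -e 's|/|%2F|g' -e 's/=/%3D/g'
}

# ocsp_get_url RESPONDER_URL REQUEST_DER_FILE
# Prints the GET URL. Returns 1 on a read/encode failure and 2 when the URL is
# longer than 255 bytes, the point past which RFC 5019 clients use POST instead.
ocsp_get_url() {
    responder=${1%/}                 # drop one trailing slash to avoid "//"
    [ -r "$2" ] || { echo "cannot read $2" >&2; return 1; }
    # -A keeps the Base64 on one line, so there are no line breaks to remove
    b64=$(openssl enc -a -A -in "$2") || return 1
    url="$responder/$(urlencode_b64 "$b64")"
    printf '%s\n' "$url"
    [ "${#url}" -le 255 ] || return 2
}

# Usage (RESPONDER_URL is a placeholder for your responder's address):
#   curl --verbose --url "$(ocsp_get_url "$RESPONDER_URL" ocspglobalsignca.req)"
```
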


If you like you can also re-play the request that was generated with OpenSSL as a POST:

curl --verbose --data-binary @ocspglobalsignca.req -H "Content-Type:application/ocsp-request" --url
