

3.6.4 Validate a certificate using OCSP

       CHECKOCSP [--force-default-responder] [fingerprint]

Check whether the certificate with fingerprint (the SHA-1 hash of the entire X.509 certificate blob) is valid by consulting the appropriate OCSP responder. If the fingerprint has not been given or the certificate is not known by Dirmngr, Dirmngr requests the certificate with an inquiry:

       S: INQUIRE TARGETCERT
       C: D <DER encoded certificate>
       C: END

Thus the caller is expected to return the certificate for the request (which should match fingerprint) as a binary blob. Processing then takes place without further interaction; in particular, dirmngr tries to locate other required certificates using its own mechanism, which includes a local certificate store as well as a list of trusted root certificates.

If the option --force-default-responder is given, only the default OCSP responder is used. This option is the per-command variant of the global option --ignore-ocsp-service-url.

The return code is 0 for success, i.e. the certificate has not been revoked, or one of the usual error codes from libgpg-error.
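
The client side of the exchange above, as an added example (not code from the GnuPG manual or from Dirmngr): it builds the CHECKOCSP command line and the D/END lines sent in answer to INQUIRE TARGETCERT. Assumptions: the fingerprint is passed hex encoded, D lines follow the Assuan rules (percent-escaping of %, CR and LF, lines kept within 1000 bytes), all function names are hypothetical, and the sample blob is constructed rather than a real certificate.

```python
import hashlib

MAX_LINE = 1000  # Assuan line limit in bytes; counted here including the LF


def fingerprint(der: bytes) -> str:
    """SHA-1 over the entire DER blob, hex encoded (assumed argument form)."""
    return hashlib.sha1(der).hexdigest().upper()


def checkocsp_command(der: bytes, force_default_responder: bool = False) -> bytes:
    opt = b"--force-default-responder " if force_default_responder else b""
    return b"CHECKOCSP " + opt + fingerprint(der).encode() + b"\n"


def inquire_reply(der: bytes) -> list:
    """Lines sent in answer to 'INQUIRE TARGETCERT': D lines, then END."""
    lines, cur = [], b"D "
    for b in der:
        # '%', CR and LF must be percent-escaped inside a D line
        tok = b"%%%02X" % b if b in (0x25, 0x0D, 0x0A) else bytes([b])
        if len(cur) + len(tok) + 1 > MAX_LINE:  # never split an escape
            lines.append(cur + b"\n")
            cur = b"D "
        cur += tok
    if cur != b"D ":
        lines.append(cur + b"\n")
    return lines + [b"END\n"]


def decode_reply(lines: list) -> bytes:
    """Reassemble the blob as the receiver would, to verify the round trip."""
    out = bytearray()
    for line in lines:
        if not line.startswith(b"D "):
            continue
        body, i = line[2:-1], 0
        while i < len(body):
            if body[i] == 0x25:  # '%' introduces a two-digit hex escape
                out.append(int(body[i + 1:i + 3], 16))
                i += 3
            else:
                out.append(body[i])
                i += 1
    return bytes(out)


# Constructed stand-in for a DER blob (not a real certificate)
SAMPLE_DER = bytes([0x30, 0x82, 0x05, 0x00]) + bytes(range(256)) * 5
```

Computing the fingerprint from the same bytes that are later sent in the D lines keeps the command argument and the inquired certificate consistent, which is what the text means by "should match fingerprint".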