OCSP information is encoded inside " Authority Information Access" field. Open de certificate with some tool, for example, windows default program, and look for its value. You can also use openssl:
# openssl x509 -in PF_ACTIVO_EIDAS.cer -text -noout | grep OCSP OCSP - URI:http://ocspusu.cert.fnmt.es/ocspusu/OcspResponder # openssl x509 -in PF_ACTIVO_EIDAS.cer -ocsp_uri -noout http://ocspusu.cert.fnmt.es/ocspusu/OcspResponder
Note that the certificate must be in PEM format.
In order to call the OCSP service you need the certificate serial number (the one you want to check) and the CA chain, as described in a previous post:
# openssl x509 -in PF_ACTIVO_EIDAS.cer -serial -noout serial=0902999F8486CAA55821C9A36BFAA499 # openssl ocsp -issuer AC_FNMT_Usuarios.pem -serial 0x0902999F8486CAA55821C9A36BFAA499 -url http://ocspusu.cert.fnmt.es/ocspusu/OcspResponder -CAfile AC_Raiz_FNMT-RCM_SHA256.pem Response verify OK 0x0902999F8486CAA55821C9A36BFAA499: good This Update: Aug 15 17:04:27 2019 GMT Next Update: Aug 15 18:04:27 2019 GMT
Another important subject with OCSP is that when you ask for a certificate, often, the response is signed by the provider. If you need to determine wich certificate it is, for example, in order to store it in a truststore, you can add the "-resp_text" flag:
# openssl ocsp -resp_text -issuer AC_FNMT_Usuarios.pem -serial 0x0902999F8486CAA55821C9A36BFAA499 -url http://ocspusu.cert.fnmt.es/ocspusu/OcspResponder -CAfile AC_Raiz_FNMT-RCM_SHA256.pem OCSP Response Data: OCSP Response Status: successful (0x0) Response Type: Basic OCSP Response Version: 1 (0x0) Responder Id: C = ES, O = FNMT-RCM, OU = Ceres, CN = Servidor OCSP AC FNMT Usuarios Produced At: Aug 15 17:08:28 2019 GMT Responses: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: ACB3EDC1572E4DA000C62307BEBBC1953AA27423 Issuer Key Hash: B1D44FC42379FA440509C6EB39CFE835B0B82064 Serial Number: 0902999F8486CAA55821C9A36BFAA499 Cert Status: good This Update: Aug 15 17:08:28 2019 GMT Next Update: Aug 15 18:08:28 2019 GMT Response Extensions: OCSP Nonce: 04109B882F00D026E282BE6D2194DFC96845 Signature Algorithm: sha256WithRSAEncryption 14:87:45:a1:ad:37:14:7e:d4:3b:7f:bf:7d:6a:cc:2e:5f:01: 81:2a:fc:20:96:b4:b7:27:01:64:6d:fd:ab:09:a8:26:49:b1: 15:16:86:c9:7c:c1:3c:79:d8:d7:a2:55:10:be:2d:a5:b9:ba: f8:db:19:7f:9c:8a:ba:44:3e:ec:5d:9a:62:8e:85:1b:6b:7e: e9:b9:e0:ce:b2:45:0b:fa:9c:ad:bd:5e:5e:14:0c:ae:15:89: 68:83:77:92:a7:80:b2:7f:37:94:cc:98:26:73:c8:53:86:4f: 6a:45:5a:70:0f:30:ce:83:66:72:2c:ae:0f:06:93:17:15:1d: 9f:1f:14:53:ae:a9:32:cb:7f:14:5f:4d:e9:29:fc:6d:f0:a2: f2:c1:fb:e4:1b:b9:ea:6e:5f:2d:0b:9b:e5:5f:6b:58:c8:5a: 09:43:f6:27:91:db:da:56:c1:dc:48:aa:4a:86:a5:28:5f:94: 65:f9:36:fe:d1:b3:0c:be:66:ad:5f:3b:26:38:25:a4:67:ff: 1e:4c:b3:5d:88:46:c0:5a:2b:67:42:47:4e:d8:67:0e:2d:2c: 45:c2:43:f4:33:4e:ca:bc:df:ff:a9:e0:79:b0:d3:6f:90:c7: 8b:29:6f:14:52:d9:5a:82:c4:b3:a6:31:9b:12:96:33:dd:41: c2:51:9d:92 Certificate: Data: Version: 3 (0x2) Serial Number: 01:f0:a3:e9:d7:e3:93:01:5c:d2:91:e3:26:66:bc:43 Signature Algorithm: sha256WithRSAEncryption Issuer: C=ES, O=FNMT-RCM, OU=Ceres, CN=AC FNMT Usuarios Validity Not Before: May 8 08:22:59 2019 GMT Not After : Nov 8 09:22:59 2019 GMT Subject: C=ES, O=FNMT-RCM, OU=Ceres, CN=Servidor OCSP AC FNMT Usuarios Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:d7:49:d2:98:b6:41:60:3d:28:1b:06:ce:f9:10: 53:b6:7b:ff:01:29:43:fc:64:58:22:7b:90:7b:79: 07:f5:41:db:e7:ec:3e:27:88:5c:c0:d1:7e:8f:3c: c8:68:c6:8e:33:b4:78:3d:9d:65:30:ec:77:a9:6f: 65:ca:c9:62:78:3e:36:d6:1b:eb:cb:da:33:c8:35: 94:02:03:60:53:75:df:34:37:42:65:c7:9d:d8:bf: b8:a3:18:5a:ea:17:9d:18:e6:80:0e:6e:5f:27:32: 04:93:6c:05:d2:db:ee:aa:dc:98:3f:af:39:ec:aa: f9:eb:39:13:c5:7e:9b:cd:7e:d6:21:82:72:22:46: d5:e1:9d:30:f1:fc:c2:02:3b:32:a5:f8:87:4f:e1: a1:8a:3c:08:7f:e1:e3:84:17:29:2a:d2:7d:f8:82: 9b:88:13:38:d1:c1:a8:fd:71:e8:59:d4:e5:6f:9d: 97:a8:ef:fa:d3:b7:20:4f:3d:e1:55:19:62:96:1e: 94:53:80:18:42:08:6e:24:9c:e6:fd:6e:9e:08:34: f9:fa:75:1d:34:dc:55:89:2e:bf:55:52:9c:ce:0e: 8e:bb:2f:9b:91:c5:91:84:cb:06:74:8e:41:54:2a: b3:7e:dc:ee:05:1a:cf:07:8d:62:8f:d7:43:5a:0c: ad:eb Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: critical Digital Signature, Non Repudiation X509v3 Extended Key Usage: critical OCSP Signing X509v3 Subject Key Identifier: BB:6F:79:C3:04:25:98:D6:62:C7:CD:71:25:AF:C9:61:B0:12:3A:8B X509v3 Authority Key Identifier: keyid:B1:D4:4F:C4:23:79:FA:44:05:09:C6:EB:39:CF:E8:35:B0:B8:20:64 OCSP No Check: Authority Information Access: CA Issuers - URI:http://www.cert.fnmt.es/certs/ACUSU.crt X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.5734.3.10.15 CPS: http://www.cert.fnmt.es/dpcs/ User Notice: Explicit Text: Sujeto a las condiciones de uso expuestas en la DPC de la FNMT-RCM (C/Jorge Juan 106-28009-Madrid-España) X509v3 CRL Distribution Points: Full Name: URI:ldap://ldapusu.cert.fnmt.es/cn=CRL2503,cn=AC%20FNMT%20Usuarios,ou=CERES,o=FNMT-RCM,c=ES?certificateRevocationList;binary?base?objectclass=cRLDistributionPoint Signature Algorithm: sha256WithRSAEncryption 2f:32:00:b2:e7:42:86:81:9b:87:c8:7c:fe:ff:99:d9:9c:fe: 31:a1:92:db:2c:cf:6b:38:bd:d2:c4:0d:2d:fb:1e:35:ef:87: 9f:30:ab:c0:45:3c:ea:e2:e2:67:b4:f2:90:f7:a3:cb:ed:17: 38:17:c7:06:8e:b9:50:d0:4e:66:c4:89:cf:cb:3a:d8:ac:a3: 85:18:ba:e4:75:54:66:f3:4c:3c:99:3f:cd:6d:6e:a0:18:c9: 25:35:cb:4f:1c:42:a8:14:35:61:37:04:c8:e4:41:2f:4f:6a: cf:2a:78:7d:a6:2d:00:03:a7:36:c7:1e:cd:98:cc:b2:db:a8: 82:25:a8:b2:7c:9c:53:54:48:84:f8:36:17:ac:f9:9e:ba:5e: 18:18:d7:35:ea:a5:4f:68:30:d2:04:fc:fb:ca:95:c8:0b:86: 6e:16:68:b7:b6:f5:6a:b1:8e:0e:b3:bf:ef:95:65:2a:ef:5e: 2c:67:f0:80:e0:c3:dd:95:e3:dc:89:46:00:74:73:33:df:77: c9:b5:e1:42:0c:fa:76:a2:19:06:d4:73:e5:9e:43:d2:79:b5: 10:da:d1:3d:e1:64:08:05:ad:04:b0:bd:3e:69:67:88:0f:93: 66:c5:ab:9f:f2:87:6a:76:bf:ad:30:96:8a:8d:af:c2:2e:00: 93:52:8c:4e -----BEGIN CERTIFICATE----- MIIFejCCBGKgAwIBAgIQAfCj6dfjkwFc0pHjJma8QzANBgkqhkiG9w0BAQsFADBL MQswCQYDVQQGEwJFUzERMA8GA1UECgwIRk5NVC1SQ00xDjAMBgNVBAsMBUNlcmVz MRkwFwYDVQQDDBBBQyBGTk1UIFVzdWFyaW9zMB4XDTE5MDUwODA4MjI1OVoXDTE5 MTEwODA5MjI1OVowWTELMAkGA1UEBhMCRVMxETAPBgNVBAoMCEZOTVQtUkNNMQ4w DAYDVQQLDAVDZXJlczEnMCUGA1UEAwweU2Vydmlkb3IgT0NTUCBBQyBGTk1UIFVz dWFyaW9zMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA10nSmLZBYD0o GwbO+RBTtnv/ASlD/GRYInuQe3kH9UHb5+w+J4hcwNF+jzzIaMaOM7R4PZ1lMOx3 qW9lyslieD421hvry9ozyDWUAgNgU3XfNDdCZced2L+4oxha6hedGOaADm5fJzIE k2wF0tvuqtyYP6857Kr56zkTxX6bzX7WIYJyIkbV4Z0w8fzCAjsypfiHT+GhijwI f+HjhBcpKtJ9+IKbiBM40cGo/XHoWdTlb52XqO/607cgTz3hVRlilh6UU4AYQghu JJzm/W6eCDT5+nUdNNxViS6/VVKczg6Ouy+bkcWRhMsGdI5BVCqzftzuBRrPB41i j9dDWgyt6wIDAQABo4ICSjCCAkYwCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBsAw FgYDVR0lAQH/BAwwCgYIKwYBBQUHAwkwHQYDVR0OBBYEFLtvecMEJZjWYsfNcSWv yWGwEjqLMB8GA1UdIwQYMBaAFLHUT8QjefpEBQnG6znP6DWwuCBkMA8GCSsGAQUF BzABBQQCBQAwQwYIKwYBBQUHAQEENzA1MDMGCCsGAQUFBzAChidodHRwOi8vd3d3 LmNlcnQuZm5tdC5lcy9jZXJ0cy9BQ1VTVS5jcnQwgcIGA1UdIASBujCBtzCBtAYK KwYBBAGsZgMKDzCBpTApBggrBgEFBQcCARYdaHR0cDovL3d3dy5jZXJ0LmZubXQu ZXMvZHBjcy8weAYIKwYBBQUHAgIwbAxqU3VqZXRvIGEgbGFzIGNvbmRpY2lvbmVz IGRlIHVzbyBleHB1ZXN0YXMgZW4gbGEgRFBDIGRlIGxhIEZOTVQtUkNNIChDL0pv cmdlIEp1YW4gMTA2LTI4MDA5LU1hZHJpZC1Fc3Bhw7FhKTCBtQYDVR0fBIGtMIGq MIGnoIGkoIGhhoGebGRhcDovL2xkYXB1c3UuY2VydC5mbm10LmVzL2NuPUNSTDI1 MDMsY249QUMlMjBGTk1UJTIwVXN1YXJpb3Msb3U9Q0VSRVMsbz1GTk1ULVJDTSxj PUVTP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q7YmluYXJ5P2Jhc2U/b2JqZWN0 Y2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnQwDQYJKoZIhvcNAQELBQADggEBAC8y ALLnQoaBm4fIfP7/mdmc/jGhktssz2s4vdLEDS37HjXvh58wq8BFPOri4me08pD3 o8vtFzgXxwaOuVDQTmbEic/LOtiso4UYuuR1VGbzTDyZP81tbqAYySU1y08cQqgU NWE3BMjkQS9Pas8qeH2mLQADpzbHHs2YzLLbqIIlqLJ8nFNUSIT4Nhes+Z66XhgY 1zXqpU9oMNIE/PvKlcgLhm4WaLe29Wqxjg6zv++VZSrvXixn8IDgw92V49yJRgB0 czPfd8m14UIM+naiGQbUc+WeQ9J5tRDa0T3hZAgFrQSwvT5pZ4gPk2bFq5/yh2p2 v60wloqNr8IuAJNSjE4= -----END CERTIFICATE----- Certificate: (...) Response verify OK 0x0902999F8486CAA55821C9A36BFAA499: good This Update: Aug 15 17:08:28 2019 GMT Next Update: Aug 15 18:08:28 2019 GMT
The first certificate in the response is the OCSP server signer certificate. You can save it in a .CER file. In this example you can see that the subject is "C=ES, O=FNMT-RCM, OU=Ceres, CN=Servidor OCSP AC FNMT Usuarios"
Another example of validation, but this time you send the whole certificate.
openssl ocsp -issuer CHAMBERS_OF_COMMERCE_ROOT-2016.cer -cert AC_CAMERFIRMA_FOR_NATURAL_PERSONS-2016.cer -text -url http://ocsp.camerfirma.com -CAfile CHAMBERS_OF_COMMERCE_ROOT-2016.cer