ocspd(1) [osx man page]
ocspd(1) BSD General Commands Manual ocspd(1) NAME
ocspd -- OCSP and CRL Daemon SYNOPSIS
ocspd DESCRIPTION
ocspd performs caching and network fetching of Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) responses. It is used by Security.framework during certificate verification. Security.framework communicates with ocspd via a private RPC interface. When Security.framework determines that a CRL is needed, or that it needs to perform an OCSP transaction, it performs an RPC to ocspd which then examines its cache to see if the appropriate CRL or OCSP response exists and is still valid. If so, that entity is returned to Secu- rity.framework. If no entry is found in cache, ocspd obtains it from the network, saving the result in cache before returning it to Secu- rity.framework. This command is not intended to be invoked directly. FILES
/private/var/db/crls/crlcache.db CRL cache /private/var/db/crls/ocspcache.db OCSP response cache HISTORY
ocspd was first introduced in Mac OS X version 10.4 (Tiger). AUTHORS
Doug Mitchell Darwin June 2, 2019 Darwin
Check Out this Related Man Page
CRLREFRESH(1) General Commands Manual CRLREFRESH(1) NAME
crlrefresh - update and maintain system-wide CRL cache SYNOPSIS
crlrefresh command [command-args] [options] crlrefresh r [options] crlrefresh f URL [options] crlrefresh F URI [options] CRLREFRESH COMMAND SUMMARY
r Refresh the entire CRL cache f Fetch a CRL from specified URL F Fetch a Certificate from specified URL DESCRIPTION
Crlrefresh is a UNIX command-line program which is used to refresh and update the contents of the system-wide cache of Certificate Revoca- tion Lists (CRLs). CRLs, which are optionally used as part of the procedure for verifying X.509 certificates, are typically fetched from the network using a URL which appears in (some) certificates. Caching CRLs is an optimization to avoid costs of network latency and/or unavailability. Each CRL has a finite validity time which is specified in the CRL itself. This validity time may be as short as one day, or it may be much longer. Crlrefresh examines the contents of the CRL cache and updates - via network fetch - all CRLs which are currently, or will soon be, invalid. Crlrefresh is also use to fetch specific CRLs and certificates from the network; CRLs fetched via crlrefresh will be added to the CRL cache as well as provided to the specified output file (or to stdout if no output file is provided). The URL specified in the f and F commands must have schema "http:" or "ldap:". Typically, crlrefresh would be run on a regular basis via one of the configu- ration files used by the cron(8) program. CRLREFRESH OPTION SUMMARY
s=stale_period Specify the time in days which, having elapsed after a CRL is expired, that the CRL is deleted fromt he CRL cache. The default is 10 days. o=expire_overlap Specify the time in seconds prior to a CRL's expiration when a refresh action will attempt to replace the CRL with a fresh copy. p Purge all entries from the CRL cache, ensuring refresh with fresh CRLs. Normally, CRLs whose expiration date is more than expire_overlap past the current time are not refreshed. f Perform full cryptographic verification of all CRLs in the CRL cache. Normally this step is only performed when a CRL is actually used to validate a certificate. k=keychain_name The full path to the CRL cache (which is always a keychain). The default is /var/db/crls/crlcache.db. v Provide verbose output during operation. F=output_file_name When fetching a CRL or certificate, specifies the destination to which the fetched entity will be written. If this is not specified then the fetched entity is sent to stdout. n When fetching a CRL, this inhibits the addition of the fetched CRL to the system CRL cache. v Execute in verbose mode. FILES
/var/db/crls/crlcache.db System CRL cache database SEE ALSO
cron(8) Apple Computer, Inc. April 13, 2004 CRLREFRESH(1)