
Forum Discussion

Johnny_Test_197
Aug 24, 2015
Monitor that uses openssl for OCSP

I'm looking to create a probe that can ascertain if our OCSP nodes are processing requests properly, instead of a standard TCP probe. I was hoping to use something similar to this "openssl ocsp -url -issuer /path/to/loaded/certs/cacert.pem -no_cert_verify -resp_text -serial 1" and validate off an expected response. I've done some looking around the forums but haven't come across anyone attempting something like this, or if there are any suggestions on a better way.

Thanks

3 Replies

  • You may have to tweak this a bit to get exactly what you want, but based on the sample (Bash) monitor:

    #!/bin/sh
    
    # these arguments supplied automatically for all external pingers:
    # $1 = IP (::ffff:nnn.nnn.nnn.nnn notation or hostname)
    # $2 = port (decimal, host byte order)
    # $3 and higher = additional arguments
    
    # $MONITOR_NAME = name of the monitor
    
    # In this sample script, $3 is the regular expression
    
    
    # Name of the pidfile
    pidfile="/var/run/$MONITOR_NAME.$1..$2.pid"
    
    # Send signal to the process group to kill our former self and any children
    # as external monitors are run with SIGHUP blocked
    if [ -f $pidfile ]
    then
        kill -9 -`cat $pidfile` > /dev/null 2>&1
    fi
    
    echo "$$" > $pidfile
    
    # Remove the IPv6/IPv4 compatibility prefix
    node_ip=`echo $1 | sed 's/::ffff://'`
    
    # Use openssl to send an OCSP request for serial 4 to the node and
    # search the response for the expected "4: good" status line.
    openssl ocsp -CAfile subca1.f5labs.com.cer -issuer subca1.f5labs.com.cer -serial 4 -noverify -url http://$node_ip:$2 | grep "4: good" > /dev/null
    
    status=$?
    if [ $status -eq 0 ]
    then
        # Remove the pidfile before the script echoes anything to stdout and is killed by bigd
        rm -f $pidfile
        echo "up"
    fi
    
    # Remove the pidfile before the script ends
    rm -f $pidfile

    Then just apply this as a standard external monitor.

  • Thanks for both answers. I had essentially each component you have in the above script, except I used a few more variables for the openssl command, like this:

    # grep must be the last command in the pipeline so that $? reflects whether the expected line was found
    openssl ocsp -url http://$IP:$PORT -issuer $CERTFILE -no_cert_verify -resp_text -serial $SERIAL | grep "$QUERYSTRING" > /dev/null

    where $QUERYSTRING was "$SERIAL: ", since I only want to test if the OCSP responder is processing requests. I don't really care if the response is "good" or "unknown" as long as it's a non-error response. Both responses were helpful, but I gave credit to Kevin since he spent more time on a full explanation.
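Putting the two approaches together, here is an added example of an external-monitor style OCSP probe. It is not Kevin's script, Johnny's command or an F5-supplied monitor. It treats any definitive status for the queried serial ("good", "revoked" or "unknown") as proof that the responder is processing requests, which is what Johnny asked for, and treats a "Responder Error" line, a status for some other serial, or empty output (connection refused, timeout) as down. The issuer certificate path, the serial, the timeout value and the use of `openssl ocsp -timeout` are assumptions for this example; adjust them for your environment.

```shell
#!/bin/sh
# Added example, not Kevin's or Johnny's script: an F5 external-monitor style
# OCSP responder probe. The issuer certificate path, serial, timeout and the
# availability of "openssl ocsp -timeout" are assumptions made for this example.

ISSUER_CERT="${ISSUER_CERT:-/config/monitors/issuer.pem}"   # assumed path
SERIAL="${SERIAL:-4}"                                      # serial to query (decimal or 0x hex)
TIMEOUT="${TIMEOUT:-5}"                                    # seconds to wait for the responder

# Classify captured "openssl ocsp" output for one serial.
# Returns 0 (responder is processing requests) when the output contains a
# definitive status line for that serial: "<serial>: good", "revoked" or
# "unknown". Returns 1 on a "Responder Error ..." line, a status for a
# different serial, or empty/garbage output (connection refused, timeout).
# Serials are decimal or 0x-prefixed hex, so they contain no regex metacharacters.
ocsp_classify() {
    serial="$1"
    output="$2"
    case "$output" in
        *"Responder Error"*) return 1 ;;
    esac
    printf '%s\n' "$output" | grep -Eq "^${serial}: (good|revoked|unknown)" && return 0
    return 1
}

# Send the request to the node and classify the answer.
# $1 = node IP as bigd passes it (::ffff:a.b.c.d or hostname), $2 = port
ocsp_probe() {
    node_ip=$(printf '%s' "$1" | sed 's/^::ffff://')
    port="$2"
    # -noverify: only "does the responder answer" is tested; the response
    # signature is not checked. Use -VAfile (or -CAfile as in Kevin's version)
    # if signature validity should also count toward health.
    output=$(openssl ocsp -issuer "$ISSUER_CERT" -serial "$SERIAL" -noverify \
        -timeout "$TIMEOUT" -url "http://${node_ip}:${port}" 2>&1) || true
    ocsp_classify "$SERIAL" "$output"
}

# bigd invokes external monitors as: <script> <ip> <port> [extra args...]
# Without arguments (e.g. when exercised offline) only the functions are defined.
if [ $# -ge 2 ]; then
    pidfile="/var/run/${MONITOR_NAME:-ocsp_monitor}.$1..$2.pid"
    # Kill the previous instance of this monitor (external monitors run with SIGHUP blocked)
    if [ -f "$pidfile" ]; then
        kill -9 -"$(cat "$pidfile")" > /dev/null 2>&1
    fi
    echo "$$" > "$pidfile"
    if ocsp_probe "$1" "$2"; then
        rm -f "$pidfile"       # remove before echoing "up": bigd kills the script once it prints
        echo "up"
    fi
    rm -f "$pidfile"
fi
```

The classification is split into its own function so it can be exercised against captured responder output without a live responder, and so the pipeline's exit status is never lost behind a trailing `cut`. Because `-noverify` skips signature checking, a mis-signed response still counts as up; if the responder's signing key is part of what you want monitored, pass `-VAfile` with the trusted responder certificate instead.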