Oct 7, 2016 · 2 min read [ PKI openssl security ocsp ]
If a certificate has been used to sign malware, or its private key has leaked and the certificate has had to be reissued, the certification authority (CA) revokes the original certificate, and clients check for that revocation when they validate the certificate. Early on, revocation checking relied on CRLs (certificate revocation lists), which are typically refreshed on a cycle of days. Today faster checks are done with OCSP (Online Certificate Status Protocol), and TLS also supports the OCSP stapling extension, which lets the server deliver the OCSP response inside the handshake so the client does not have to contact the responder itself.
So how do we check manually whether a certificate has been revoked?
This can be done with the openssl ocsp command.
Prerequisites
First of all, you need OpenSSL installed:
Mac OSX: brew install openssl
Windows: https://slproweb.com/products/Win32OpenSSL.html
The certificate to check
The issuer certificate of the certificate to check
The OCSP responder address (it is recorded in the certificate itself)
Steps
Run openssl s_client -connect yryz.net:443 -showcerts to print the server's certificate chain; the first certificate in the output is the server (leaf) certificate, saved here as test.crt.
Run openssl x509 -in test.crt -noout -text and look at the Authority Information Access section, which gives both the download URL for the issuer certificate and the OCSP responder URL:
OCSP - URI: http://trustasia2-ocsp.digitalcertvalidation.com
CA Issuers - URI: http://trustasia2-aia.digitalcertvalidation.com/trustasiag5.crt
Alternatively, openssl x509 -in test.crt -noout -ocsp_uri prints just the OCSP responder address: http://trustasia2-ocsp.digitalcertvalidation.com. Download the issuer certificate from the CA Issuers URI (saved here as trustasiag5.crt); if the downloaded file is DER encoded, convert it to PEM first, since openssl ocsp expects PEM input by default.
Query the revocation status with openssl ocsp -issuer trustasiag5.crt -cert test.crt -url http://trustasia2-ocsp.digitalcertvalidation.com -text. The -text flag is what prints the full request and response (including the responder's certificate) shown below; without it you get only the summary lines at the end:
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 14EADF81301FC36D0F1A23C4FA0CFBF84304EC85
Issuer Key Hash: 6D58C77F1AE7E13F2EA68C973542BBF4D338AC3F
Serial Number: 05749024F4CD19C49B86EBBE3D7999B9
Request Extensions:
OCSP Nonce:
041071459DF548EDAC8877549DF0191E3558
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C9F321F9DB35CD36F525F3D0AF9528EF49A03910
Produced At: Oct 4 22:51:23 2016 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 14EADF81301FC36D0F1A23C4FA0CFBF84304EC85
Issuer Key Hash: 6D58C77F1AE7E13F2EA68C973542BBF4D338AC3F
Serial Number: 05749024F4CD19C49B86EBBE3D7999B9
Cert Status: good
This Update: Oct 4 22:51:23 2016 GMT
Next Update: Oct 11 22:51:23 2016 GMT
Signature Algorithm: sha256WithRSAEncryption
17:89:c4:11:20:9e:43:ab:42:3a:fc:a6:f5:87:f8:3f:2d:f7:
f9:71:d1:f8:6e:27:5d:bb:a8:c5:ac:88:fe:f6:2f:8a:4a:bd:
46:ca:9d:09:50:46:46:9d:eb:2d:f7:06:c3:a0:06:db:8d:e1:
e8:36:4d:a9:50:d2:47:23:3e:f4:9a:29:83:c9:77:91:d3:37:
39:e6:53:13:56:5e:f4:07:4d:82:b9:45:5b:e6:5d:69:40:f6:
dd:16:fe:48:08:91:da:f7:e4:58:b9:c7:d2:03:1b:c9:38:59:
f4:09:15:2f:c7:09:b3:61:06:78:a3:f2:9a:2d:a6:6f:82:39:
9e:13:c6:91:98:29:06:9b:d0:ef:78:00:93:9c:03:f8:8b:de:
c3:03:aa:31:80:52:b0:22:05:3d:d3:f2:e0:72:82:71:8b:29:
bc:ba:e5:54:e4:e1:20:5d:61:1a:56:a2:d1:02:94:af:60:26:
49:1c:a8:59:4b:cf:d9:14:0d:f6:d1:99:bb:60:24:37:73:d8:
12:b8:65:59:6c:0b:31:1c:28:27:5f:3f:92:8f:e1:c2:ee:3b:
5b:be:72:93:09:bd:1a:cb:12:5e:40:31:36:9a:b3:27:03:bc:
86:c0:07:5f:57:62:42:2a:f7:e7:66:79:11:81:88:39:74:d4:
58:36:eb:71
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
60:3d:4a:3c:3b:08:28:d2:70:b0:05:4d:63:53:d6:55
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, O=TrustAsia Technologies, Inc., OU=Symantec Trust Network, OU=Domain Validated SSL, CN=TrustAsia DV SSL CA - G5
Validity
Not Before: Aug 11 00:00:00 2016 GMT
Not After : Dec 10 23:59:59 2016 GMT
Subject: CN=TrustAsia DV SSL CA - G5 OCSP Responder
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c6:7a:2b:a2:0f:7f:57:88:92:63:c5:01:97:65:
39:19:9a:12:bc:fb:7a:a9:73:a2:2a:70:9d:a0:6a:
05:7d:3e:91:1c:62:aa:5a:56:f4:29:33:6c:b0:8a:
47:5e:50:88:9e:93:93:4c:bf:a7:54:12:3e:0b:d2:
d5:c5:05:9f:98:f9:58:d8:72:9a:78:e2:dd:0b:05:
8b:aa:49:f7:cd:ea:b2:8a:d1:6c:f6:eb:ea:80:18:
74:7a:88:7c:00:4b:3b:d3:a8:5d:88:c9:7e:e0:54:
af:75:12:eb:dd:80:21:0e:b2:68:f7:5b:df:38:0d:
18:e9:b7:8a:49:a9:32:9e:59:6b:eb:1c:09:50:99:
2b:86:5f:5c:68:db:8d:44:a5:9e:1b:93:eb:8d:e0:
b3:e5:7f:4e:c1:a8:28:e6:aa:ae:c9:35:a1:7e:9a:
1d:8c:bd:8e:de:64:67:c5:60:f9:b6:8b:4a:f4:e9:
df:4f:c8:8e:bc:70:08:92:31:f0:00:e2:8e:05:fc:
0b:49:5e:8c:84:2c:0f:d8:fa:b2:79:71:e1:af:66:
21:89:eb:13:6a:b4:a3:30:4f:4e:dd:fc:ae:90:b6:
9b:97:39:90:f5:c7:23:a6:af:19:1e:61:33:b8:b3:
f7:ee:d7:97:1b:ac:73:d8:f2:89:82:7a:8a:fa:ab:
9b:09
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
OCSP Signing
X509v3 Key Usage: critical
Digital Signature
OCSP No Check:
X509v3 Certificate Policies:
Policy: 2.16.840.1.113733.1.7.23.3
CPS: https://d.symcb.com/cps
User Notice:
Explicit Text: https://d.symcb.com/rpa
X509v3 Subject Alternative Name:
DirName:/CN=TGV-C-282
X509v3 Subject Key Identifier:
C9:F3:21:F9:DB:35:CD:36:F5:25:F3:D0:AF:95:28:EF:49:A0:39:10
X509v3 Authority Key Identifier:
keyid:6D:58:C7:7F:1A:E7:E1:3F:2E:A6:8C:97:35:42:BB:F4:D3:38:AC:3F
Signature Algorithm: sha256WithRSAEncryption
8d:b8:61:a7:df:ca:fd:df:dc:7a:48:e8:38:96:82:83:14:c6:
11:77:31:66:bb:d4:10:8f:72:6e:ce:93:c0:8f:ed:99:cf:d4:
52:84:2f:30:73:17:97:95:65:4e:1d:02:1b:5e:d3:38:fa:42:
50:f1:b2:c1:8a:3f:e6:2d:87:57:dc:f0:3d:3b:28:c5:fd:84:
93:a7:65:21:f2:1b:20:9d:9e:0b:2c:82:59:5f:16:eb:c8:7c:
7b:36:12:ef:bb:df:0a:9e:09:81:a4:e2:42:d7:7e:8a:ef:f5:
8f:00:df:7f:1a:02:9f:86:19:fb:b1:69:5a:75:b1:66:a5:49:
b5:ff:fe:44:46:5d:df:3f:71:b1:e7:e2:10:ba:08:be:d0:3c:
15:80:35:19:62:e3:f5:6a:18:a7:dd:ce:ae:be:ab:6e:4f:4a:
a7:68:9a:68:bc:c7:23:55:9d:aa:3e:24:ab:25:f0:51:b5:ae:
7e:3d:ca:de:5c:82:89:77:79:82:a1:89:0a:89:b9:c2:bf:aa:
0f:cd:48:84:bd:24:ff:21:04:74:f3:2b:17:a1:52:13:91:58:
ae:1a:4b:94:ef:22:65:2c:cb:3e:fb:b7:2c:cb:64:a0:44:41:
d5:90:01:c5:79:5c:24:fc:2a:23:f1:21:cb:e4:82:60:30:be:
a5:f7:bf:f0
-----BEGIN CERTIFICATE-----
(base64 body of the responder certificate omitted)
-----END CERTIFICATE-----
WARNING: no nonce in response
Response Verify Failure
140735222653008:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:138:Verify error:unable to get local issuer certificate
test.crt: good
This Update: Oct 4 22:51:23 2016 GMT
Next Update: Oct 11 22:51:23 2016 GMT
The last lines deserve attention. "WARNING: no nonce in response" means the responder ignored the nonce that openssl put into the request; many high-volume responders do this so that responses can be pre-signed and cached, and -no_nonce suppresses the warning. "Response Verify Failure ... unable to get local issuer certificate" is more serious: OpenSSL could not build a trusted chain for the certificate that signed the response (here the delegated "OCSP Responder" certificate issued by the same CA, printed above), so the signature on the response was not validated against any trust anchor. The "test.crt: good" printed afterwards is therefore unauthenticated, and openssl ocsp exits with a non-zero status in this case. To fix it, pass the issuer certificate, or a bundle that contains it, with -CAfile (or name the responder's certificate explicitly as trusted with -VAfile) and re-run until "Response verify OK" appears; only then is the status line worth acting on.
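As an added example, not code from the original post, the script below runs the same procedure offline against a throwaway CA so that every stage can be inspected: the AIA lookup from the x509 step, the request that -url would send, a signed response produced by openssl ocsp acting as the responder from the CA's index.txt, the verification failure seen above when no trust anchor is given, the verified "good" answer with -CAfile, and the "revoked" answer after openssl ca -revoke. The CA, the file names (issuer.crt, leaf.crt, ocsp.crt, req.der, resp.der), the CNs and the URL http://ocsp.example.test are all constructed by the script and do not come from the page.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: run the complete openssl ocsp
# workflow offline against a throwaway CA, so the request, the signed response,
# the verification failure seen in the post, the verified "good" answer and the
# "revoked" answer after openssl ca -revoke can all be inspected. Every file
# name, CN and URL below is constructed here; nothing touches the network.
set -eu

# Temporary CA tree, issuing CA, leaf certificate and a delegated OCSP responder
# certificate (EKU OCSPSigning, like the one in the post's output).
setup_demo_ca() {
  WORK="$(mktemp -d)"
  DEMO_DIRS="${DEMO_DIRS-} $WORK"
  trap 'rm -rf $DEMO_DIRS' EXIT
  cd "$WORK"
  mkdir -p ca/newcerts && : > ca/index.txt && echo 1000 > ca/serial
  # Self-contained config so the run does not depend on the system openssl.cnf.
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
CN = placeholder
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir           = ./ca
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
certificate   = ./issuer.crt
private_key   = ./issuer.key
default_md    = sha256
default_days  = 30
policy        = any_dn
[ any_dn ]
commonName = supplied
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ leaf_ext ]
basicConstraints    = CA:FALSE
authorityInfoAccess = OCSP;URI:http://ocsp.example.test
[ ocsp_ext ]
basicConstraints = CA:FALSE
keyUsage         = critical,digitalSignature
extendedKeyUsage = OCSPSigning
noCheck          = ignored
EOF
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout issuer.key \
    -out issuer.crt -subj "/CN=Demo Issuing CA" -days 30 -extensions ca_ext 2>/dev/null
  openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -keyout leaf.key \
    -out leaf.csr -subj "/CN=demo.example.test" 2>/dev/null
  openssl ca -config ca.cnf -batch -notext -extensions leaf_ext -in leaf.csr -out leaf.crt 2>/dev/null
  openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -keyout ocsp.key \
    -out ocsp.csr -subj "/CN=Demo OCSP Responder" 2>/dev/null
  openssl ca -config ca.cnf -batch -notext -extensions ocsp_ext -in ocsp.csr -out ocsp.crt 2>/dev/null
}

# The x509 step of the post: the responder URL from the leaf's Authority Information Access.
leaf_ocsp_uri() { openssl x509 -in leaf.crt -noout -ocsp_uri; }

# Client side: the DER request that -url would POST, written to a file instead.
# Nonces are off on both sides because request and response travel as files here.
make_request() { openssl ocsp -issuer issuer.crt -cert leaf.crt -no_nonce -reqout req.der >/dev/null; }

# Responder side: answer from the CA database (ca/index.txt, which openssl ca -revoke
# updates), signed with the delegated key; stands in for the HTTP responder at the AIA URL.
answer_request() {
  openssl ocsp -index ca/index.txt -CA issuer.crt -rsigner ocsp.crt -rkey ocsp.key \
    -rmd sha256 -ndays 7 -no_nonce -reqin req.der -respout resp.der >/dev/null
}

# Client side: verify the response and print the status word (good/revoked/unknown).
# $1 is the trust anchor for -CAfile. Without it the default store is used and the
# post's "unable to get local issuer certificate" reappears; openssl still prints the
# status on stdout in that case, so only the exit code says whether to believe it.
check_status() {
  cafile="${1-}"
  if openssl ocsp -issuer issuer.crt -cert leaf.crt -no_nonce -reqin req.der \
       -respin resp.der ${cafile:+-CAfile "$cafile"} >verify.out 2>verify.err; then
    awk '/^leaf.crt: / { print $2 }' verify.out
  else
    printf 'unverified response, ignoring status "%s": %s\n' \
      "$(awk '/^leaf.crt: / { print $2 }' verify.out)" "$(tail -n 1 verify.err)" >&2
    return 1
  fi
}

revoke_leaf() { openssl ca -config ca.cnf -revoke leaf.crt -crl_reason keyCompromise 2>/dev/null; }

setup_demo_ca
echo "OCSP URI from AIA:        $(leaf_ocsp_uri)"
make_request && answer_request
check_status || echo "no -CAfile:               verification failed, status not trusted"
echo "with -CAfile issuer.crt:  $(check_status issuer.crt)"
revoke_leaf && answer_request
echo "after openssl ca -revoke: $(check_status issuer.crt)"
```

Run it with bash from any directory; it works in a temporary directory that is removed on exit. The request and response are exchanged as files, so nonces are disabled on both sides with -no_nonce; against a live responder leave the nonce on and treat "Nonce Verify error" as a failure, exactly like a signature failure. The point the page's output leaves implicit is made explicit in check_status: the status word is only returned when openssl ocsp exits successfully, i.e. after "Response verify OK".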