OCSP request using openssl command in Linux terminal

April 4, 2023

This post continues the two previous ones. It shows how to send an Online Certificate Status Protocol (OCSP) request to the CA's responder and read back a certificate's revocation status, this time using only openssl terminal commands. The procedure has the same steps as the C++ and C# versions: find the OCSP URL, fetch the server certificate and the certificate chain, then send the OCSP request. The walkthrough below uses revoked-rsa-dv.ssl.com as the example (a host whose certificate is revoked, as the response at the end confirms), with openssl version 1.1.1k FIPS 25 Mar 2021 (CentOS 8):

Get the OCSP URL. It is read from the server certificate's Authority Information Access extension; openssl x509 takes the first PEM block on its stdin, which is the leaf certificate that s_client prints:


# openssl s_client -connect revoked-rsa-dv.ssl.com:443 2>&1 < /dev/null | openssl x509 -noout -ocsp_uri
http://ocsps.ssl.com

Retrieve the server (leaf) certificate and save it as sslrevoked.pem. The sed range keeps only the first PEM block of the s_client output:


# openssl s_client -connect revoked-rsa-dv.ssl.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > sslrevoked.pem

Get the whole certificate chain the server presents (-showcerts prints every certificate from the handshake, leaf first) and save it into chainall.pem:


# openssl s_client -showcerts -connect revoked-rsa-dv.ssl.com:443 2>&1 < /dev/null > chainall.pem

Remove the server certificate from chainall.pem and save the rest into chain.pem. The first "END CERTIFICATE" line closes the leaf certificate; here it is line 47, so lines 1-47 are deleted. The line numbers depend on the server, so check them rather than reusing 47:


# grep -n END chainall.pem
47:-----END CERTIFICATE-----
86:-----END CERTIFICATE-----
# sed '1,47d' chainall.pem > chain.pem

Send the OCSP request and print the response, cutting the output at "Response Extensions" to keep it short. Note that -issuer reads only the first certificate in chain.pem, which is the leaf's issuer because s_client lists certificates in the order the server sent them; -verify_other supplies the same certificates so that the responder's signature can be checked, and "Response verify OK" on the first line is that check passing:


# openssl ocsp -verify_other chain.pem -issuer chain.pem -cert sslrevoked.pem -text -url http://ocsps.ssl.com -header "Host=ocsps.ssl.com" | sed '/Response Extensions/,$d'
Response verify OK
OCSP Request Data:
  Version: 1 (0x0)
  Requestor List:
   Certificate ID:
    Hash Algorithm: sha1
    Issuer Name Hash: D49294BE2B4A19852331FE698267BE94A9D8D4C5
    Issuer Key Hash: 26147EE0DCD7A6F7E2D40427DF61F1C2ECE732CA
    Serial Number: 6AAEFB5046E7425ACE83E2FA1E145105
  Request Extensions:
   OCSP Nonce:
    0410681467678232EE0D8CD1F51D181D4809
OCSP Response Data:
  OCSP Response Status: successful (0x0)
  Response Type: Basic OCSP Response
  Version: 1 (0x0)
  Responder Id: 92CB66915B966E93B17F2E3A3956D5483D4CC064
  Produced At: Apr 4 16:18:04 2023 GMT
  Responses:
  Certificate ID:
   Hash Algorithm: sha1
   Issuer Name Hash: D49294BE2B4A19852331FE698267BE94A9D8D4C5
   Issuer Key Hash: 26147EE0DCD7A6F7E2D40427DF61F1C2ECE732CA
   Serial Number: 6AAEFB5046E7425ACE83E2FA1E145105
  Cert Status: revoked
  Revocation Time: Aug 23 10:23:34 2022 GMT
  This Update: Apr 4 16:18:04 2023 GMT
  Next Update: Apr 11 16:18:03 2023 GMT
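The four steps above, collected into POSIX shell functions as an added example that is not part of the original post. It goes a little beyond the manual procedure: the chain is split by PEM block instead of by a hard-coded line number, so it works for chains of any length; s_client is given -servername because openssl 1.1.1's s_client sends no SNI unless asked; and the verdict function refuses to report a status unless openssl printed "Response verify OK", so an unsigned or wrongly signed "good" is never treated as good. The function names, file names and the mktemp work directory are choices made for this example; the only external tool it needs is openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post: the manual OCSP steps
# wrapped into reusable POSIX shell functions. Function and file names are
# illustrative choices; requires openssl 1.1.1 or later.

# Split an `openssl s_client -showcerts` dump into one file per certificate:
# $prefix.0.pem is the leaf, $prefix.1.pem its issuer, and so on. This
# replaces the manual "grep -n END / sed '1,47d'" step and works for any
# chain length. Prints the number of certificates found.
split_chain() {
    dump="$1"; prefix="$2"
    awk -v p="$prefix" '
        BEGIN { n = 0; out = "" }
        /-----BEGIN CERTIFICATE-----/ { out = p "." n ".pem"; n++ }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n }
    ' "$dump"
}

# Interpret what `openssl ocsp` wrote: stderr carries the signature
# verification verdict ("Response verify OK" / "Response Verify Failure"),
# stdout carries "<certfile>: <status>". Prints the status word, or
# "unverified" when the response did not verify. Returns 0 only for a
# verified "good".
ocsp_verdict() {
    out="$1"; err="$2"
    if ! grep -q '^Response verify OK' "$err"; then
        echo unverified
        return 1
    fi
    status=$(awk -F': ' '$2 ~ /^(good|revoked|unknown)$/ { print $2; exit }' "$out")
    echo "${status:-unknown}"
    [ "$status" = good ]
}

# Full check for one TLS endpoint: fetch the chain, find the responder URL
# in the leaf's Authority Information Access extension, query it, verify.
ocsp_status() {
    host="$1"; port="${2:-443}"
    work=$(mktemp -d) || return 2
    # -servername: openssl 1.1.1 s_client sends no SNI unless asked, so
    # without it a virtual-hosted server may return a different certificate.
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null >"$work/dump.txt"
    n=$(split_chain "$work/dump.txt" "$work/cert")
    if [ "$n" -lt 2 ]; then
        echo "$host: server did not send its issuer certificate" >&2
        return 2
    fi
    uri=$(openssl x509 -noout -ocsp_uri -in "$work/cert.0.pem")
    if [ -z "$uri" ]; then
        echo "$host: no OCSP URI in certificate" >&2
        return 2
    fi
    # Every certificate except the leaf forms the verification set.
    cat "$work"/cert.[1-9]*.pem >"$work/chain.pem"
    # Exit status is ignored here on purpose: the verdict is decided from
    # the captured output, so a verify failure is reported, not swallowed.
    openssl ocsp -issuer "$work/cert.1.pem" -cert "$work/cert.0.pem" \
        -verify_other "$work/chain.pem" -url "$uri" \
        >"$work/ocsp.out" 2>"$work/ocsp.err" || true
    ocsp_verdict "$work/ocsp.out" "$work/ocsp.err"
}

# When run as a script with a host argument, check that host:
#   sh ocsp_check.sh revoked-rsa-dv.ssl.com   (prints "revoked", exits 1)
if [ $# -gt 0 ]; then
    ocsp_status "$@"
fi
```

Two caveats when running it. openssl ocsp sends a nonce by default and prints "WARNING: no nonce in response" on stderr when the responder does not echo it; the response is still verified and the verdict is still valid. And the Host header handling differs by version: openssl 1.0.2 takes `-header Host ocsps.ssl.com` (two arguments), while 1.1.0 and later take `-header Host=ocsps.ssl.com` and add the Host header by themselves, which is why the example omits it.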
