This post continues the two previous ones. It shows how to send an Online Certificate Status Protocol (OCSP) request to a CA's responder to check the revocation status of a certificate, this time using openssl from the terminal. The procedure has the same steps as the C++ and C# code presented earlier: find the OCSP URL, get the server certificate and the certificate chain, then send the OCSP request. The steps below use the revoked-rsa-dv.ssl.com server as the example, with openssl version 1.1.1k FIPS 25 Mar 2021 (CentOS 8):
Get OCSP URL:
# openssl s_client -connect revoked-rsa-dv.ssl.com:443 2>&1 < /dev/null | openssl x509 -noout -ocsp_uri
http://ocsps.ssl.com
Retrieve the server certificate and save it as the file sslrevoked.pem:
# openssl s_client -connect revoked-rsa-dv.ssl.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > sslrevoked.pem
Get the certificate chain and save it into the file chainall.pem:
# openssl s_client -showcerts -connect revoked-rsa-dv.ssl.com:443 2>&1 < /dev/null > chainall.pem
Remove the server certificate from chainall.pem and save the result into the file chain.pem (the first "END CERTIFICATE" marker closes the server certificate, so everything up to and including that line is deleted):
# grep -n END chainall.pem
47:-----END CERTIFICATE-----
86:-----END CERTIFICATE-----
# sed '1,47d' chainall.pem > chain.pem
Send the OCSP request and print the response without the "Response Extensions" section:
# openssl ocsp -verify_other chain.pem -issuer chain.pem -cert sslrevoked.pem -text -url http://ocsps.ssl.com -header "Host=ocsps.ssl.com" | sed '/Response Extensions/,$d'
Response verify OK
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: D49294BE2B4A19852331FE698267BE94A9D8D4C5
          Issuer Key Hash: 26147EE0DCD7A6F7E2D40427DF61F1C2ECE732CA
          Serial Number: 6AAEFB5046E7425ACE83E2FA1E145105
    Request Extensions:
        OCSP Nonce:
            0410681467678232EE0D8CD1F51D181D4809
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 92CB66915B966E93B17F2E3A3956D5483D4CC064
    Produced At: Apr  4 16:18:04 2023 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: D49294BE2B4A19852331FE698267BE94A9D8D4C5
      Issuer Key Hash: 26147EE0DCD7A6F7E2D40427DF61F1C2ECE732CA
      Serial Number: 6AAEFB5046E7425ACE83E2FA1E145105
    Cert Status: revoked
    Revocation Time: Aug 23 10:23:34 2022 GMT
    This Update: Apr  4 16:18:04 2023 GMT
    Next Update: Apr 11 16:18:03 2023 GMT
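The four steps above can be put into one script. The following is an added example written for this post, not a command sequence from the original, and it goes slightly beyond it: instead of counting lines with grep -n and deleting them with a hard-coded sed range, it splits the -showcerts output into leaf and chain with awk, derives the Host header from the OCSP URL, and pulls the "Cert Status" and "Response verify" lines out of the openssl ocsp output so the result can be checked by another script. It assumes openssl, awk and sed are on the PATH, that the host listens on port 443, and that the live run has network access; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl, awk, sed in PATH.

# Split `openssl s_client -showcerts` output into the leaf certificate (first
# PEM block) and the rest of the chain (all following PEM blocks).
# $1 = s_client output file, $2 = leaf output file, $3 = chain output file
split_certs() {
    awk -v leaf="$2" -v chain="$3" '
        /-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
        inside { if (n == 1) print > leaf; else print > chain }
        /-----END CERTIFICATE-----/ { inside = 0 }
    ' "$1"
}

# Derive the value for the Host header from an OCSP URL such as
# http://ocsps.ssl.com or http://ocsp.example.test/path (scheme and path stripped).
host_from_url() {
    printf '%s' "$1" | sed 's#^[a-zA-Z]*://##; s#/.*##'
}

# Print the certificate status (good / revoked / unknown) from `openssl ocsp -text` output.
ocsp_status() {
    sed -n 's/^[[:space:]]*Cert Status: *//p' "$1" | head -n 1
}

# Print OK when openssl reported "Response verify OK", FAILED otherwise.
# A status of "good" is only meaningful when the responder signature verified.
ocsp_verified() {
    if grep -q '^Response verify OK' "$1"; then echo OK; else echo FAILED; fi
}

# Live run of the whole procedure for one host (needs network).
# Leaves all.pem, leaf.pem, chain.pem and ocsp.txt in the current directory.
check_host() {
    host="$1"
    openssl s_client -showcerts -connect "$host:443" < /dev/null 2>/dev/null > all.pem
    split_certs all.pem leaf.pem chain.pem
    url=$(openssl x509 -in leaf.pem -noout -ocsp_uri)
    openssl ocsp -verify_other chain.pem -issuer chain.pem -cert leaf.pem \
        -text -url "$url" -header "Host=$(host_from_url "$url")" > ocsp.txt 2>&1
    echo "$host: verify=$(ocsp_verified ocsp.txt) status=$(ocsp_status ocsp.txt)"
}

# Usage: sh ocspcheck.sh revoked-rsa-dv.ssl.com
if [ -n "${1:-}" ]; then
    check_host "$1"
fi
```

For the page's example host the live run prints a line ending in verify=OK status=revoked. Checking the verify result separately matters: openssl ocsp still prints the status block when signature verification fails, so a script that only greps "Cert Status" could accept an unauthenticated "good".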