Use openssl to verify certificates
Certificates are essential for today's security needs. Sometimes they have to be revoked, either because they are no longer needed or because they have been compromised. But how do you check manually whether a certificate has been revoked?
openssl is probably your tool of choice when it comes to certificates. Besides querying certificates for their data, or fetching them from remote endpoints (using s_client), it is also useful for checking certificates for revocation.
In general, two mechanisms provide certificate revocation information:
- CRL - certificate revocation lists
- OCSP - online certificate status protocol
CRL is the more static approach: you download a list that contains the serial number, date and reason of each revocation. This is simple, but propagation is slow (unless you issue CRLs with very short lifetimes, which causes massive overhead).
OCSP is a real-time lookup that propagates revocations very quickly, but it requires a reliable and reachable responder endpoint on the server side to answer the requests.
Verify against CRL
To do this, you need to have the following components in place:
- CA certificate (public)
- CRL data
- Cert data (public)
Copy the CA certificate and the CRL into one combined file by simply concatenating them (for example cat ca.pem crl.pem > ca_and_crl.pem). To run the verification, use:
openssl verify -crl_check -CAfile /tmp/ca_and_crl.pem /tmp/cert1.pem
C = DE, O = Company, CN = host.domain.tld
error 23 at 0 depth lookup: certificate revoked
error /tmp/cert1.pem: verification failed
As you can see, the certificate is revoked.
openssl verify -crl_check -CAfile /tmp/ca_and_crl.pem /tmp/valid_cert.pem
/tmp/valid_cert.pem: OK
If the certificate is not revoked, it simply tells you so as well.
Verify using OCSP
If your environment has an OCSP responder in place, here is how to do the lookup in that case.
The requirements here are:
- The CA chain of the tested certificate in a file. Be aware that the certificates need to be in validation order (intermediate to root).
- Cert data (public) to be verified
The command to do the lookup:
openssl ocsp -issuer /tmp/cert_chain.pem -cert /tmp/cert1.pem -url http://ocsp-host.domain.tld/ocsp/
Response verify OK
/tmp/cert1.pem: revoked
This Update: Aug 25 14:16:00 2022 GMT
Next Update: Aug 26 14:17:00 2022 GMT
Reason: unspecified
Revocation Time: Jun 25 12:43:48 2022 GMT
This example shows that the certificate is revoked (as in the CRL example above). If you look carefully you can see Response verify OK, which indicates that the OCSP lookup was successful and the response itself verified.
openssl ocsp -issuer /tmp/cert_chain.pem -cert /tmp/cert1.pem -url http://invalid.domain.tld
Error connecting BIO
Error querying OCSP responder
139794941752640:error:2008F002:BIO routines:BIO_lookup_ex:system lib:../crypto/bio/b_addr.c:726:Name or service not known
If you query a non-existent OCSP host, you'll see the familiar errors you know from interacting with web services (here a failed name lookup).
openssl ocsp -issuer /tmp/cert_chain.pem -cert /tmp/valid_cert.pem -url http://rootca.allianz.com/ocsp/
Response verify OK
/tmp/valid_cert.pem: good
This Update: Aug 25 14:22:12 2022 GMT
Next Update: Aug 26 14:23:12 2022 GMT
And here is an OCSP lookup of a non-revoked certificate.
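As an added example (not part of the original post), the following POSIX shell script reproduces both sections above end to end without any external infrastructure: it builds a throwaway CA with openssl, issues two leaf certificates, revokes one, and then runs the CRL check with the combined CA-and-CRL file and the OCSP check. Since there is no network responder to query, the OCSP part writes the request to a file, answers it locally from the CA database with openssl's own responder mode (openssl ocsp -index ... -reqin ... -respout), and verifies that response with -respin instead of -url. All names, paths and the CA configuration are constructed for the demo; it only needs an openssl binary (1.1.1 or 3.x).

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway CA plus the CRL and
# OCSP checks described in the text, run fully offline. All names and paths
# below are constructed for this demo.
set -eu

DEMO_DIR="$(mktemp -d)"
trap 'rm -rf "$DEMO_DIR"' EXIT

# Minimal config driving `openssl req`, `openssl ca` and `openssl ca -gencrl`.
write_config() {
    cat > "$DEMO_DIR/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints       = critical,CA:TRUE
subjectKeyIdentifier   = hash
[ leaf_ext ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $DEMO_DIR/index.txt
new_certs_dir    = $DEMO_DIR/newcerts
serial           = $DEMO_DIR/serial
certificate      = $DEMO_DIR/ca.pem
private_key      = $DEMO_DIR/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 1
policy           = any_dn
x509_extensions  = leaf_ext
[ any_dn ]
commonName = supplied
EOF
}

issue_leaf() {  # $1 = common name, $2 = file basename
    openssl req -new -config "$DEMO_DIR/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$DEMO_DIR/$2.key" -out "$DEMO_DIR/$2.csr" -subj "/CN=$1" 2>/dev/null
    openssl ca -batch -notext -config "$DEMO_DIR/ca.cnf" \
        -in "$DEMO_DIR/$2.csr" -out "$DEMO_DIR/$2.pem" 2>/dev/null
}

setup_demo_ca() {
    write_config
    mkdir -p "$DEMO_DIR/newcerts"
    : > "$DEMO_DIR/index.txt"
    echo 1000 > "$DEMO_DIR/serial"
    openssl req -x509 -config "$DEMO_DIR/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
        -keyout "$DEMO_DIR/ca.key" -out "$DEMO_DIR/ca.pem" -subj "/CN=Demo Root CA" 2>/dev/null
    issue_leaf host-revoked.example revoked
    issue_leaf host-good.example good
    # Revoke one leaf in the CA database, then publish a CRL that lists it.
    openssl ca -config "$DEMO_DIR/ca.cnf" -revoke "$DEMO_DIR/revoked.pem" \
        -crl_reason keyCompromise 2>/dev/null
    openssl ca -config "$DEMO_DIR/ca.cnf" -gencrl -out "$DEMO_DIR/crl.pem" 2>/dev/null
    # Same trick as in the post: CA certificate and CRL concatenated for -CAfile.
    cat "$DEMO_DIR/ca.pem" "$DEMO_DIR/crl.pem" > "$DEMO_DIR/ca_and_crl.pem"
}

# CRL check exactly as in the post; prints "revoked", "OK" or "error".
crl_status() {  # $1 = certificate file
    out="$(openssl verify -crl_check -CAfile "$DEMO_DIR/ca_and_crl.pem" "$1" 2>&1 || true)"
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo OK ;;
        *)                       echo error ;;
    esac
}

# OCSP check without a network responder: write the request to a file, let
# openssl's responder mode answer it from index.txt, then verify the response
# as a client would. Prints "good", "revoked" or "error".
ocsp_status() {  # $1 = certificate file
    openssl ocsp -issuer "$DEMO_DIR/ca.pem" -cert "$1" -no_nonce \
        -reqout "$DEMO_DIR/req.der" >/dev/null 2>&1
    openssl ocsp -index "$DEMO_DIR/index.txt" -CA "$DEMO_DIR/ca.pem" \
        -rsigner "$DEMO_DIR/ca.pem" -rkey "$DEMO_DIR/ca.key" -CAfile "$DEMO_DIR/ca.pem" \
        -reqin "$DEMO_DIR/req.der" -respout "$DEMO_DIR/resp.der" >/dev/null 2>&1
    out="$(openssl ocsp -issuer "$DEMO_DIR/ca.pem" -cert "$1" -no_nonce \
        -respin "$DEMO_DIR/resp.der" -CAfile "$DEMO_DIR/ca.pem" 2>&1 || true)"
    # Only trust the status if the response signature chained to our CA.
    case "$out" in *"Response verify OK"*) ;; *) echo error; return 0 ;; esac
    case "$out" in
        *": revoked"*) echo revoked ;;
        *": good"*)    echo good ;;
        *)             echo error ;;
    esac
}

setup_demo_ca
for name in revoked good; do
    echo "$name.pem: CRL=$(crl_status "$DEMO_DIR/$name.pem") OCSP=$(ocsp_status "$DEMO_DIR/$name.pem")"
done
# prints: revoked.pem: CRL=revoked OCSP=revoked
#         good.pem: CRL=OK OCSP=good
```

Note the "Response verify OK" gate in ocsp_status: a status of good is only meaningful when the response was signed by (or on behalf of) the issuing CA and that signature chained to a trusted anchor, which is why the client step passes -CAfile rather than -noverify.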
Simple yet powerful commands.