openssl is probably your tool of choice when it comes to certificates. Besides querying certificates for their data, or fetching them from remote endpoints (using s_client), it is also useful for checking whether a certificate has been revoked.
In general, two mechanisms are in place to provide certificate revocation information:
- CRL - certificate revocation lists
- OCSP - online certificate status protocol
CRL is the more static approach: you download a signed list that contains the serial number, date and reason of every revocation. This is simple, but propagation is slow, because a revocation only becomes visible once the CA has issued a new CRL and the client has fetched it (unless you run with very short CRL lifetimes, which creates massive overhead).
OCSP is closer to a real-time lookup and propagates very quickly, but it requires a reliable and reachable responder on the server side to answer the requests.
Verify against CRL
To do this, you need to have the following components in place:
- CA certificate (public)
- CRL data
- Cert data (public)
Copy the CA certificate and the CRL into a combined file by simply appending them (cat ca.pem crl.pem > ca_and_crl.pem); openssl verify reads both certificates and CRLs from the file given to -CAfile. To run the verification, point -CAfile at that bundle and enable -crl_check:
As you can see, the certificate is reported as revoked and the verification fails (the command exits with a non-zero status, which is what you check in scripts).
If the certificate is not revoked, it just tells you that as well (OK).
Verify using OCSP
Depending on your environment, you have an OCSP responder in place; here is how to do the lookup in that case.
The requirements here are:
- The CA chain of the tested certificate in a file. Be aware that the order matters: from the issuing intermediate up to the root. openssl ocsp needs the direct issuer to build the certificate ID in the request, and the chain to verify the signature on the response.
- The certificate (public) to be verified
The command to do the lookup:
This example shows that the certificate is revoked (as in the CRL example above). If you look carefully, you can see Response verify OK: this means the signature on the OCSP response was verified against the CA chain, so the status it carries can be trusted. Without that line, treat the status as unknown, no matter what it says.
If you query an invalid OCSP host, you will see the well-known errors you get when interacting with any web service (connection refused, timeouts, HTTP errors).
And here is the example of an OCSP lookup for a non-revoked certificate.
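To tie both sections together, here is a self-contained script (added here, not part of the original post) that builds a throwaway CA with openssl ca, issues one leaf certificate, revokes it, and then checks the status with both mechanisms: the CRL bundle via openssl verify -crl_check, and OCSP via openssl ocsp. The OCSP request and response are written to files (-reqout / -reqin / -respin) so everything runs offline; against a live responder you would replace the file steps with -url. The CA name, the host name and the directory layout are made up for this example.

```sh
#!/bin/sh
# Added example (not from the original post): throwaway CA built with
# "openssl ca", one leaf cert that gets revoked, and the revocation checked
# via CRL (openssl verify -crl_check) and via OCSP (openssl ocsp).
# The OCSP request/response travel as files so this runs offline; against a
# real responder you would pass -url instead. All names are made up.
set -eu

# Create the database layout "openssl ca" expects in $1, a self-signed root
# (ca.pem/ca.key) and one leaf certificate (leaf.pem) issued by it.
demo_ca_setup() {
    d=$1
    mkdir -p "$d/newcerts"
    : > "$d/index.txt"           # certificate database, empty to start
    echo 1000 > "$d/serial"      # next serial number (hex)
    echo 1000 > "$d/crlnumber"   # next CRL number (hex)
    cat > "$d/ca.cnf" <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 1
policy           = policy_any
[ policy_any ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    (
        cd "$d"
        openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=Demo Root CA" -keyout ca.key -out ca.pem >/dev/null 2>&1
        openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
            -subj "/CN=revoked.example.test" -keyout leaf.key -out leaf.csr >/dev/null 2>&1
        openssl ca -config ca.cnf -batch -notext -in leaf.csr -out leaf.pem >/dev/null 2>&1
    )
}

# (Re)issue the CRL and bundle it with the CA cert: openssl verify reads both
# certificates and CRLs from the -CAfile argument.
demo_gen_crl() {
    ( cd "$1" && openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1 \
        && cat ca.pem crl.pem > ca_and_crl.pem )
}

# Mark the leaf as revoked in the CA database. The CRL stays unchanged until
# demo_gen_crl runs again; that delay is the CRL propagation problem.
demo_revoke_leaf() {
    ( cd "$1" && openssl ca -config ca.cnf -revoke leaf.pem -crl_reason keyCompromise >/dev/null 2>&1 )
}

# CRL check: prints ok, revoked or error. openssl verify exits non-zero on
# "certificate revoked", so the result is taken from its output.
crl_status() {
    out=$(openssl verify -crl_check -CAfile "$1/ca_and_crl.pem" "$1/leaf.pem" 2>&1) \
        && { echo ok; return 0; }
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *) echo error ;;
    esac
}

# OCSP check: prints good, revoked or unknown. Step 1 builds the request,
# step 2 answers it from index.txt signed by the CA, step 3 verifies the
# response against the CA ("Response verify OK" on stderr) and prints the
# status. -no_nonce on both client calls: step 3 builds a fresh request, and
# a fresh nonce would not match the one copied into the stored response.
ocsp_status() {
    (
        cd "$1"
        openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der >/dev/null 2>&1
        openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
            -reqin req.der -respout resp.der >/dev/null 2>&1
        openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -CAfile ca.pem \
            -respin resp.der 2>/dev/null | sed -n 's/^leaf\.pem: //p'
    )
}

# Whole story: status before and after revocation, as seen by each mechanism.
demo_revocation() {
    w=$(mktemp -d)
    demo_ca_setup "$w"
    demo_gen_crl "$w"
    before="crl: $(crl_status "$w"); ocsp: $(ocsp_status "$w")"
    demo_revoke_leaf "$w"
    demo_gen_crl "$w"
    after="crl: $(crl_status "$w"); ocsp: $(ocsp_status "$w")"
    rm -rf "$w"
    echo "before revocation: $before | after: $after"
}

demo_revocation
```

Two details worth noticing: the CRL result only flips after the CA reissues the CRL, while the OCSP responder answers from the live database, which is exactly the propagation difference described above. And the client only prints a status line after Response verify OK; if the responder's signature does not chain to the CA you passed with -CAfile, openssl ocsp reports a verify failure and the status must not be trusted.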
Simple yet powerful commands.