Use openssl to verify certificates

openssl is probably your tool of choice when it comes to certificates. Besides querying certificates for data, or fetching them from remote endpoints (using s_client), it's useful for verifying certificates with regard to revocation.

In general, two mechanisms are in place that provide certificate revocation information:

  • CRL - certificate revocation lists
  • OCSP - online certificate status protocol

CRL is the more static approach: you download a list that contains the serial number, date and reason of each revocation. This is simple, but not really fast when it comes to propagation time (unless you run it with very short lifetimes, which results in massive overhead).

OCSP is more of a real-time lookup, which provides very fast propagation, but requires a reliable and accessible endpoint on the server side to answer the requests.

Verify against CRL

To do this, you need to have the following components in place:

  • CA certificate (public)
  • CRL data
  • Cert data (public)
  • CRL URL

The CRL URL is part of the certificate data, so look up the certificate attributes (use either openssl or a tool like XCA) to read this data.

Copy the CA certificate and the CRL into one combined file by simply appending them (like cat ca.pem crl.pem > ca_and_crl.pem). To run a verification, just use this:

openssl verify -crl_check -CAfile /tmp/ca_and_crl.pem /tmp/cert1.pem 
C = DE, O = Company, CN = host.domain.tld
error 23 at 0 depth lookup: certificate revoked
error /tmp/cert1.pem: verification failed
openssl verify with CRL

As you can see the certificate is revoked.

openssl verify -crl_check -CAfile /tmp/ca_and_crl.pem /tmp/valid_cert.pem
/tmp/valid_cert.pem: OK
openssl verify with CRL (valid cert)

If the certificate is not revoked, it just tells you so.
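As an added example (not from the original post), here is a self-contained script that sets up a throwaway CA with openssl ca, issues two certificates, revokes one, generates a CRL and then runs the same -crl_check verification against both; the file names, the CA name and the host names are all constructed for this demo. It also shows that without -crl_check the revoked certificate still verifies as OK, which is why the flag matters.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway CA, issue two
# certs, revoke one, publish a CRL, then run the post's "openssl verify
# -crl_check" against both. Every name and path here is constructed for the demo.
set -eu
cd "$(mktemp -d)"
setup_ca() {
  : > index.txt; echo 1000 > serial     # the tiny database "openssl ca" needs
  cat > ca.cnf <<'EOF'
[ca]
default_ca = demo
[demo]
database = index.txt
new_certs_dir = .
certificate = ca.pem
private_key = ca.key
serial = serial
default_md = sha256
default_days = 365
default_crl_days = 1
policy = demo_policy
[demo_policy]
commonName = supplied
[req]
distinguished_name = dn
[dn]
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Demo CA" -days 365 -config ca.cnf 2>/dev/null
}
issue_cert() {  # $1 = basename, $2 = CN
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" -config ca.cnf 2>/dev/null
  openssl ca -batch -config ca.cnf -notext -in "$1.csr" -out "$1.pem" 2>/dev/null
}
# Same check as in the post: CA cert and CRL concatenated into one -CAfile.
# Exit status 0 = OK, non-zero = revoked (or otherwise invalid).
verify_with_crl() {  # $1 = cert file
  cat ca.pem crl.pem > ca_and_crl.pem
  openssl verify -crl_check -CAfile ca_and_crl.pem "$1"
}
setup_ca
issue_cert cert1 host.domain.tld
issue_cert valid_cert other.domain.tld
openssl ca -config ca.cnf -revoke cert1.pem -crl_reason keyCompromise 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
verify_with_crl valid_cert.pem                      # valid_cert.pem: OK
verify_with_crl cert1.pem || echo "cert1.pem rejected (exit $?)"
openssl verify -CAfile ca.pem cert1.pem   # without -crl_check it still passes!
```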

Verify using OCSP

Depending on your environment, you may have an OCSP responder in place; here's how to do the lookup in that case.

The requirements here are:

  • Certificate CA chain (of the tested certificate) in a file. Be aware that the order needs to follow the validation order (intermediate to root).
  • Cert data (public) to be verified
  • OCSP URL

The OCSP endpoint is part of the certificate data, so look up the certificate attributes (use either openssl or a tool like XCA) to read this data.

The command to do the lookup:

openssl ocsp -issuer /tmp/cert_chain.pem -cert /tmp/cert1.pem -url http://ocsp-host.domain.tld/ocsp/
Response verify OK
/tmp/cert1.pem: revoked
        This Update: Aug 25 14:16:00 2022 GMT
        Next Update: Aug 26 14:17:00 2022 GMT
        Reason: unspecified
        Revocation Time: Jun 25 12:43:48 2022 GMT
openssl verify against ocsp

This example shows that the certificate is revoked (as in the CRL example above). If you look carefully, you can see Response verify OK, which indicates that the OCSP response was received and verified successfully.

openssl ocsp -issuer /tmp/cert_chain.pem -cert /tmp/cert1.pem -url http://invalid.domain.tld
Error connecting BIO
Error querying OCSP responder
139794941752640:error:2008F002:BIO routines:BIO_lookup_ex:system lib:../crypto/bio/b_addr.c:726:Name or service not known
querying invalid ocsp resolver

If you query an invalid OCSP host, you'll see the familiar errors you already know from interacting with web services.

openssl ocsp -issuer /tmp/cert_chain.pem -cert /tmp/valid_cert.pem -url http://rootca.allianz.com/ocsp/
Response verify OK
/tmp/valid_cert.pem: good
        This Update: Aug 25 14:22:12 2022 GMT
        Next Update: Aug 26 14:23:12 2022 GMT
ocsp lookup of valid cert

And here's an example of an OCSP lookup of a non-revoked certificate.

Some quite easy yet powerful commands.