OpenSSL Certificate Verification Using OCSP
Environment
- Debian 9.7 x64
- OpenSSL 1.1.0j 20 Nov 2018
Excerpt
Log 2019 / 06
1. Download a certificate to inspect
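# Capture only the end-entity (leaf) certificate: without -showcerts,
# s_client prints just the peer's own certificate to stdout.
# -servername sends SNI; older s_client builds (1.1.0 included) do not
# send it by default, and a host serving several names may then hand back
# a default certificate instead of the one for amazon.com.
openssl s_client -connect amazon.com:443 -servername amazon.com 2>&1 </dev/null \
  | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > ee_amazon.pem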
root@athos:~# openssl s_client -connect amazon.com:443 2>&1 < /dev/null | \
> sed -n '/-----BEGIN/,/-----END/p' > ee_amazon.pem
2. Locate the OCSP responder URL (read from the certificate's Authority Information Access extension)
root@athos:~# openssl x509 -in ee_amazon.pem -noout -ocsp_uri
http://ocsp.digicert.com
3. Download the certificate chain as presented by the server
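# Capture the whole chain the server presents (leaf first).  The raw
# transcript, including the verify lines, goes to all_amazon.tmp; the PEM
# blocks are cut out of it in step 4.  -servername sends SNI for the same
# reason as in step 1.  Note: a server is free to omit the root, and a
# root it does send is NOT a trust anchor — only your local store is.
openssl s_client -connect amazon.com:443 -servername amazon.com \
  -showcerts 2>&1 </dev/null > all_amazon.tmp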
root@athos:~# openssl s_client -connect amazon.com:443 \
> -showcerts 2>&1 < /dev/null > all_amazon.tmp
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Global CA G2
verify return:1
depth=0 C = US, ST = Washington, L = Seattle, O = "Amazon.com, Inc.", CN = *.peg.a2z.com
verify return:1
DONE
4. Extract the individual certificates from the chain
4.1. Using Bash
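# 4.1 Using Bash: pull every PEM block out of the -showcerts output and
# append them, in the order the server sent them, to all_amazon.pem
# (also echoed to stdout via tee, as before).
# Fixes relative to the earlier version: the host and the output file now
# agree (the original fetched google.com's chain into all_amazon.pem);
# '-tls1' is dropped because it forces TLS 1.0, which current servers
# refuse; '-tlsextdebug' only added noise; and the IFS/word-splitting
# trick is replaced by a plain pipeline, so no shell state is left changed.
openssl s_client -connect amazon.com:443 -servername amazon.com \
  -showcerts 2>&1 </dev/null \
  | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
  | tee -a all_amazon.pem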
4.2. Using Python
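# 4.2 Using Python: write get_certificate.py, which prints the selected
# certificate(s) from an `openssl s_client -showcerts` capture.
# The heredoc delimiter is quoted so the shell never expands anything
# inside the script.  Changes from the earlier version: python3 shebang
# (the script uses print(..., end='')); BEGIN/END markers are matched
# after strip(), so CRLF files and a missing final newline still work;
# argument count and level range are checked instead of raising
# IndexError; no builtin name ('set') is shadowed.
cat <<'EOF' > get_certificate.py
#!/usr/bin/env python3
'''
Print selected certificates from an `openssl s_client -showcerts` capture.

usage: python3 get_certificate.py all_amazon.tmp 1,2
       python3 get_certificate.py all_amazon.tmp 1

The level is the 0-based position of the certificate in the chain as the
server sent it: 0 = end-entity, 1 = first intermediate, and so on.  The
last certificate is a root only if the server chose to include one, and a
server-supplied root must never be used as a trust anchor.
'''
import sys

BEGIN = '-----BEGIN CERTIFICATE-----'
END = '-----END CERTIFICATE-----'


def split_pem(lines):
    '''Return [(begin_index, end_index), ...], one pair per PEM block.'''
    blocks, start = [], None
    for i, line in enumerate(lines):
        text = line.strip()  # tolerate CRLF and a missing trailing newline
        if text == BEGIN:
            start = i
        elif text == END and start is not None:
            blocks.append((start, i))
            start = None
    return blocks


def main(argv):
    '''Entry point; returns the process exit status (0 ok, 1 bad level, 2 usage).'''
    if len(argv) != 3:
        sys.stderr.write(__doc__)
        return 2
    filename, levels = argv[1], argv[2]
    wanted = [int(level.strip()) for level in levels.split(',')]
    with open(filename, 'r') as f:
        lines = f.readlines()
    blocks = split_pem(lines)
    for level in wanted:
        if level < 0 or level >= len(blocks):
            sys.stderr.write('level %d out of range: only %d certificate(s) in %s\n'
                             % (level, len(blocks), filename))
            return 1
        begin, end = blocks[level]
        # Lines are written back verbatim so the PEM stays byte-identical.
        sys.stdout.write(''.join(lines[begin:end + 1]))
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))
EOF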
root@athos:~# cat <<EOF > get_certificate.py
> #!/usr/bin/env python
>
> '''
> example:
> python3 get_certificate.py all_amazon.tmp 1,2
> python3 get_certificate.py all_amazon.tmp 1
> '''
>
> import sys
>
> filename = sys.argv[1]
> levels = sys.argv[2].split(',')
> strip_levels = [int(i.strip()) for i in levels]
>
> lines, begin, end = [], [], []
>
>
> def get_certificates(levels):
> for i in levels:
> print_certificate(i)
>
>
> def print_certificate(set):
> for i in range(begin[set], end[set] + 1):
> print(lines[i], end='')
>
>
> with open(filename, 'r') as f:
> lines = f.readlines()
>
> for i, reader in enumerate(lines):
> if reader == '-----BEGIN CERTIFICATE-----\n':
> begin.append(i)
> elif reader == '-----END CERTIFICATE-----\n':
> end.append(i)
>
> get_certificates(strip_levels)
> EOF
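# Level 1 is the first intermediate; level 2 is the next certificate the
# server sent, which is a root only if the server included one.
# Do NOT use rca_amazon.pem as a trust anchor: it came from the peer, not
# from your trust store.  The earlier version ended each command with a
# trailing backslash before the comment line, which made the comment part
# of the command line; the comments are now on their own lines.
python3 get_certificate.py all_amazon.tmp 1 > ica_amazon.pem
python3 get_certificate.py all_amazon.tmp 2 > rca_amazon.pem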
root@athos:~# python3 get_certificate.py all_amazon.tmp 1 > ica_amazon.pem \
> #(1=Intermediate, 2=Root)
root@athos:~# python3 get_certificate.py all_amazon.tmp 2 > rca_amazon.pem \
> #(1=Intermediate, 2=Root)
5. Send OCSP request
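# Query the responder named in the leaf's AIA (step 2) about ee_amazon.pem.
# -CAfile makes the trust anchor explicit: the chain of whatever signed the
# response is verified against Debian's system bundle, never against
# anything the server handed us.  (Without it, openssl falls back to its
# default store location, which is the same bundle on this Debian host.)
# Plain http:// is normal for OCSP — the response itself is signed, so the
# transport adds no integrity; it does reveal to the network which
# certificate you are checking.
openssl ocsp -issuer ica_amazon.pem -cert ee_amazon.pem \
  -CAfile /etc/ssl/certs/ca-certificates.crt \
  -url http://ocsp.digicert.com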
root@athos:~# openssl ocsp -issuer ica_amazon.pem -cert ee_amazon.pem \
> -url http://ocsp.digicert.com
WARNING: no nonce in response
Response verify OK
ee_amazon.pem: good
This Update: Jun 2 13:45:00 2019 GMT
Next Update: Jun 9 13:00:00 2019 GMT
6. Send OCSP request (detailed)
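# Same query as step 5 with -text, which dumps the request and the
# response.  Things worth reading in the dump: the Certificate ID in the
# response must match the one in the request; the Responder Id here equals
# the Issuer Key Hash, i.e. the issuer itself signed the response (no
# delegated responder); This Update / Next Update bound how stale a
# response you are willing to accept.  -CAfile pins the trust anchor to
# the system bundle, as in step 5.
openssl ocsp -issuer ica_amazon.pem -cert ee_amazon.pem \
  -CAfile /etc/ssl/certs/ca-certificates.crt \
  -url http://ocsp.digicert.com -text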
root@athos:~# openssl ocsp -issuer ica_amazon.pem -cert ee_amazon.pem \
> -url http://ocsp.digicert.com -text
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: A87E303106E4E88565CFE952598FA6DA7C00532F
Issuer Key Hash: 246E2B2DD06A925151256901AA9A47A689E74020
Serial Number: 0606D97F8028DD681C2566C88583E366
Request Extensions:
OCSP Nonce:
041097A56486AD4BD80C641BCF60B77C0691
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: 246E2B2DD06A925151256901AA9A47A689E74020
Produced At: Jun 2 13:45:00 2019 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: A87E303106E4E88565CFE952598FA6DA7C00532F
Issuer Key Hash: 246E2B2DD06A925151256901AA9A47A689E74020
Serial Number: 0606D97F8028DD681C2566C88583E366
Cert Status: good
This Update: Jun 2 13:45:00 2019 GMT
Next Update: Jun 9 13:00:00 2019 GMT
Signature Algorithm: sha256WithRSAEncryption
3a:fd:83:27:38:c8:b5:14:ca:f6:fe:ac:d1:14:62:07:73:83:
34:2c:99:61:5b:fc:04:7c:e7:b7:be:63:6c:eb:ff:b6:10:37:
50:27:d9:22:6d:41:31:80:25:e8:1a:52:19:38:d6:3c:fa:c2:
e9:8e:72:bf:01:20:74:1c:e7:83:38:85:91:c1:a0:dc:1e:35:
e2:59:60:59:aa:55:00:5f:66:30:70:3c:8f:a8:c4:cc:17:de:
9a:c7:0b:55:08:4f:22:9a:50:6a:8d:c5:44:c5:97:df:95:18:
e0:da:b5:55:74:be:7c:df:c5:07:fa:0e:ee:58:fa:b5:65:12:
67:a6:d1:82:f7:c5:5d:e1:d8:da:9a:71:75:0f:82:76:28:5f:
40:b0:6e:cb:d0:2a:76:b7:31:8f:01:f4:62:2f:db:83:3a:28:
82:c2:43:6f:ed:79:63:7f:c3:09:1a:d9:86:33:ff:30:93:85:
60:47:5b:e8:bc:58:41:20:72:12:82:f2:ab:39:40:e6:29:18:
17:f5:6d:c4:5f:18:dc:74:1a:59:cd:7c:d0:21:81:01:90:f0:
88:e2:28:6c:e7:8a:ba:46:c2:48:df:d4:cf:70:be:23:cd:28:
02:8b:da:81:1a:53:57:c4:5b:be:bb:da:72:59:ac:e6:72:d1:
f2:41:b9:96
WARNING: no nonce in response
Response verify OK
ee_amazon.pem: good
This Update: Jun 2 13:45:00 2019 GMT
Next Update: Jun 9 13:00:00 2019 GMT
7. Common errors
7.1. WARNING: no nonce in response — the response is valid and signed, but the responder did not echo the request nonce. This is expected from CAs that serve pre-produced, cached responses. Passing -no_nonce silences the warning, at the cost of replay detection: you then rely solely on This Update / Next Update to bound how old an accepted response may be.
# Same query as step 5, minus the request nonce.  With -no_nonce the
# "no nonce in response" warning goes away, but so does the only
# per-request freshness check: a captured "good" response can be replayed
# until its Next Update passes.
openssl ocsp -url http://ocsp.digicert.com -no_nonce \
  -cert ee_amazon.pem -issuer ica_amazon.pem
root@athos:~# openssl ocsp -issuer ica_amazon.pem -cert ee_amazon.pem \
> -no_nonce -url http://ocsp.digicert.com
Response verify OK
ee_amazon.pem: good
This Update: Jun 2 13:45:00 2019 GMT
Next Update: Jun 9 13:00:00 2019 GMT
7.2. PARSE_HTTP_LINE1:Code=404,Reason=Not Found — the responder's HTTP front end rejected the request as sent; supplying an explicit Host header fixes it. The -header argument syntax depends on the OpenSSL build (two arguments `name value` versus one argument `name=value`), which is why the Cygwin and Linux invocations below differ.
error:27076072:OCSP routines:
PARSE_HTTP_LINE1:server response error:ocsp_ht.c:314:Code=404,Reason=Not Found
7.2.1. Cygwin (Windows)
# Cygwin build: -header takes two arguments here (name, then value).
# The transcript below shows the HTTP 404 gone, but verification then
# fails with "signer certificate not found" — see 7.3 for that step.
openssl ocsp -url http://ocsp.pki.goog/GTSGIAG3 -header host ocsp.pki.goog \
  -no_nonce -cert ee_google.pem -issuer ica_google.pem
$ openssl ocsp -issuer ica_google.pem -cert ee_google.pem \
> -no_nonce -url http://ocsp.pki.goog/GTSGIAG3 -header host ocsp.pki.goog
Response Verify Failure
4294956672:error:27069076:OCSP routines:OCSP_basic_verify
:signer certificate not found:ocsp_vfy.c:92:
ee_google.pem: good
This Update: Jun 2 14:26:19 2019 GMT
Next Update: Jun 9 14:26:19 2019 GMT
7.2.2. Linux
# Linux build: -header takes a single name=value argument.
openssl ocsp -url http://ocsp.pki.goog/GTSGIAG3 -header host=ocsp.pki.goog \
  -no_nonce -cert ee_google.pem -issuer ica_google.pem
root@athos:~# openssl ocsp -issuer ica_google.pem -cert ee_google.pem \
> -no_nonce -url http://ocsp.pki.goog/GTSGIAG3 -header host=ocsp.pki.goog
Response verify OK
ee_google.pem: good
This Update: Jun 2 14:26:19 2019 GMT
Next Update: Jun 9 14:26:19 2019 GMT
7.3. OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:92: — OpenSSL could not locate the certificate that signed the response among the issuer and trusted certificates it was given; the fix below names it explicitly with -VAfile.
error:27069076:OCSP routines:
OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:92:
# -VAfile declares the certificates in the file as explicitly trusted OCSP
# responders; per openssl-ocsp(1) it is shorthand for -verify_other plus
# -trust_other, so the responder certificate's own chain is NOT verified.
# That is acceptable only because ica_google.pem is the issuer we already
# hold from the TLS chain; never point -VAfile at a certificate taken from
# the OCSP response itself, or the response vouches for itself.
openssl ocsp -url http://ocsp.pki.goog/GTSGIAG3 -header host ocsp.pki.goog \
  -no_nonce -cert ee_google.pem \
  -issuer ica_google.pem -VAfile ica_google.pem
$ openssl ocsp -issuer ica_google.pem -VAfile ica_google.pem -cert ee_google.pem \
> -no_nonce -url http://ocsp.pki.goog/GTSGIAG3 -header host ocsp.pki.goog
Response verify OK
ee_google.pem: good
This Update: Jun 2 14:26:19 2019 GMT
Next Update: Jun 9 14:26:19 2019 GMT