Prev: X-Windows Logins Very Slow | Next: X.509 Client Certificates on Firefox for Android |
(Index) |
You want to check by hand the revocation status of a certificate. You naively use this command line:
openssl ocsp -CApath /etc/ssl/certs -issuer startcom2.usr -verify_other startcom2.usr -cert /etc/ssl/hostcerts/hostw.crt -url http://ocsp.startssl.com/ca -text
Explanation of options:
Option | Meaning
openssl ocsp | Command and subcommand.
-CApath /etc/ssl/certs | For verifying TLS connections.
-issuer startcom1.usr | In a trust chain, specify the certificate that actually issued the cert being checked, that is, the last intermediate certificate authority.
-verify_other startcom1.usr | Usually the same as -issuer; used to check the signature on the response.
-cert /etc/ssl/hostcerts/hostw.crt | This is the certificate you want to check.
-url http://ocsp.startssl.com/ca | To find the responder's URL, run e.g. openssl x509 -in /etc/ssl/hostcerts/hostw.crt -noout -text on the cert being checked and look for the OCSP-URI extension. Non-TLS (plain http) seems to be normal.
-text | To produce sort-of human-readable output on stdout.
But for some (not all) responders you get no OCSP response at all, only an error beginning:
140140571887272:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:250:Code=400,Reason=Bad Request
See this posting in Startcom's forum. The responder requires HTTP/1.1 (in particular a Host header), which the openssl ocsp client does not provide on its own.
Per the forum post, add this option to the openssl command line; it adequately substitutes for full HTTP/1.1 support:
-header "HOST" "ocsp.startssl.com"
The value is the host part of the OCSP-URI. But this isn't all you need. A successful command line was:
openssl ocsp -CAfile /etc/ssl/hostcerts/startcom.pth -issuer startcom1.usr -VAfile /etc/ssl/hostcerts/startcom.pth -cert /etc/ssl/hostcerts/hostw.crt -url http://ocsp.startssl.com/sub/class1/server/ca -header "HOST" "ocsp.startssl.com" -text
Explanation of options changed from the first command line:
Option | Meaning
-CAfile /etc/ssl/hostcerts/startcom.pth | To verify certificates it needs the intermediate CA cert(s) including the trust anchor (the self-signed root cert). I have a concatenated file of all of these, conveniently available.
-VAfile /etc/ssl/hostcerts/startcom.pth | OpenSSL makes a distinction between verifying and trusting. You need to specify separately which certs are actually trusted when verifying the response. This replaces -verify_other.
-header "HOST" "ocsp.startssl.com" | This is the HTTP/1.1 fixup mentioned in the forum post above.
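As an added example (not from the original page), here is a small POSIX sh helper that ties the two command lines above together: it derives the Host header value from the OCSP URI, builds the full openssl ocsp command with -CAfile, -issuer, -VAfile and the Host header, and recognises the Code=400 error as the "missing Host header" symptom. The -ocsp_uri option of openssl x509 is a real option that prints the responder URL from the certificate's AIA extension. The two -header spellings are an assumption worth checking against your openssl version: OpenSSL 1.0.x takes two arguments (-header HOST value, as on the page), while 1.1.0 and later take one (-header Host=value) and are believed to add a Host header by themselves. File names and the sample error line are taken from the page; the function names are my own.

```shell
#!/bin/sh
# Added example helper for checking OCSP status by hand with openssl ocsp.
# Not code from the original page; assumptions are noted in comments.

# Extract the host part of an http(s) URL:
#   http://ocsp.startssl.com/sub/class1/server/ca -> ocsp.startssl.com
ocsp_host_from_url() {
    url=$1
    rest=${url#*://}      # drop the scheme
    host=${rest%%/*}      # drop the path
    host=${host%%:*}      # drop an explicit port, if present
    printf '%s\n' "$host"
}

# Read the OCSP responder URL out of a certificate (AIA extension).
# "-ocsp_uri" is a real "openssl x509" option; requires openssl on PATH.
ocsp_uri_from_cert() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Build the openssl ocsp command line.
#   $1  header syntax: "legacy" for OpenSSL 1.0.x (-header NAME VALUE),
#       anything else for 1.1.0+ (-header NAME=VALUE)  [assumption, see lead-in]
#   $2  responder URL, $3 cert to check, $4 concatenated chain file
#       (used for both -CAfile and -VAfile), $5 issuing CA cert (-issuer)
ocsp_cmd() {
    syntax=$1 url=$2 cert=$3 chain=$4 issuer=$5
    host=$(ocsp_host_from_url "$url")
    case $syntax in
        legacy) hdr="-header HOST $host" ;;
        *)      hdr="-header Host=$host" ;;
    esac
    printf 'openssl ocsp -CAfile %s -issuer %s -VAfile %s -cert %s -url %s %s -text\n' \
        "$chain" "$issuer" "$chain" "$cert" "$url" "$hdr"
}

# Return 0 when openssl's stderr shows the HTTP 400 the page describes,
# i.e. the responder rejected an HTTP/1.0 request without a Host header.
ocsp_needs_host_header() {
    case $1 in
        *"server response error"*"Code=400"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demonstration with the page's file names (no network access).
ocsp_cmd legacy http://ocsp.startssl.com/sub/class1/server/ca \
    /etc/ssl/hostcerts/hostw.crt /etc/ssl/hostcerts/startcom.pth startcom1.usr
# Constructed sample of the error line quoted on the page:
sample_err='140140571887272:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:250:Code=400,Reason=Bad Request'
if ocsp_needs_host_header "$sample_err"; then
    echo "responder returned 400: retry with the Host header"
fi
```

In use, feed the URL printed by ocsp_uri_from_cert into ocsp_cmd rather than copying it by hand; the Host header value is then always derived from the same URL the request is sent to, which is the mismatch that produced the 400 in the first place.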