Verify a certificate against crl

How to verify a certificate against a CRL?

This is an example of how to verify a certificate against a CRL with openssl.

Get any certificate that you want to use.

openssl s_client -connect digicert.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' >digicert.com

Be sure that the certificate has a CRL URI:

openssl x509 -noout -text -in ./digicert.com | grep -A 4 'X509v3 CRL Distribution Points'
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl3.digicert.com/DigiCertEVRSACAG2.crl
                Full Name:
                  URI:http://crl4.digicert.com/DigiCertEVRSACAG2.crl

Download both CRLs:

wget -O crl3.der http://crl3.digicert.com/DigiCertEVRSACAG2.crl
wget -O crl4.der http://crl4.digicert.com/DigiCertEVRSACAG2.crl

Convert both CRLs from binary format (DER) to base64 format (PEM):

openssl crl -inform DER -in crl3.der -outform PEM -out crl3.pem
openssl crl -inform DER -in crl4.der -outform PEM -out crl4.pem

The next step is to get the certificate chain. This is necessary because openssl checks the complete chain and therefore you will need the root and intermediate certificates too.

openssl s_client -connect digicert.com:443 -showcerts 2>&1 </dev/null | sed -n '/-----BEGIN/,/-----END/p' > chain.pem

Combine the CRLs and the chain with the following command:

cat chain.pem crl3.pem crl4.pem > crl_chain.pem

Now check the certificate against the CRLs:

openssl verify -crl_check -CAfile crl_chain.pem digicert.com

If the certificate is not revoked, you will get this output:

digicert.com: OK

How to check a certificate's revocation status with an OCSP request?

This is an example of how to check a certificate's revocation status with an OCSP request.

Get any certificate that you want to use.

openssl s_client -connect digicert.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' >digicert.com

Be sure that the certificate has a CRL URI:

openssl x509 -noout -text -in ./digicert.com | grep -A 4 'X509v3 CRL Distribution Points'
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl3.digicert.com/DigiCertEVRSACAG2.crl
                Full Name:
                  URI:http://crl4.digicert.com/DigiCertEVRSACAG2.crl

The next step is to get the CA (issuer) certificate.

openssl x509 -in digicert.com -text -noout | grep -i "issuer"

The output looks like the following:

       Issuer: C = US, O = DigiCert Inc, CN = DigiCert EV RSA CA G2
               CA Issuers - URI:http://cacerts.digicert.com/DigiCertEVRSACAG2.crt

Get the issuer certificate:

wget -O issuer.der http://cacerts.digicert.com/DigiCertEVRSACAG2.crt

Now send the OCSP request to verify the certificate.

openssl ocsp -issuer issuer.der -cert digicert.com -text -url http://ocsp.digicert.com

You will get the following output (Cert Status: good):

OCSP Request Data:
   Version: 1 (0x0)
   Requestor List:
       Certificate ID:
         Hash Algorithm: sha1
         Issuer Name Hash: D613075FB6DEA11BDF0182D397E1D37C6E925509
         Issuer Key Hash: 6A4E50BF98689D5B7B2075D45901794866923206
         Serial Number: 0A21D8B78D5D97C8EF4144F2D476DB65
   Request Extensions:
       OCSP Nonce:
           0410456E78C435DF282CCD1F583045AF5CD4
OCSP Response Data:
   OCSP Response Status: successful (0x0)
   Response Type: Basic OCSP Response
   Version: 1 (0x0)
   Responder Id: 6A4E50BF98689D5B7B2075D45901794866923206
   Produced At: Oct 28 20:36:36 2023 GMT
   Responses:
   Certificate ID:
     Hash Algorithm: sha1
     Issuer Name Hash: D613075FB6DEA11BDF0182D397E1D37C6E925509
     Issuer Key Hash: 6A4E50BF98689D5B7B2075D45901794866923206
     Serial Number: 0A21D8B78D5D97C8EF4144F2D476DB65
   Cert Status: good
   This Update: Oct 28 20:21:01 2023 GMT
   Next Update: Nov  4 19:21:01 2023 GMT

   Signature Algorithm: sha256WithRSAEncryption
   Signature Value:
       65:22:ea:8a:01:1e:a6:38:21:42:b9:4a:40:ae:c6:d1:1c:fb:
       a6:8a:41:af:82:4b:2b:2d:56:60:c3:18:dd:e1:5e:8f:13:84:
       78:df:eb:49:ea:40:d6:b5:36:79:55:55:48:4a:03:0f:c6:05:
       a5:37:ea:bd:07:dd:c1:d4:c6:cd:ce:2a:c9:50:f9:5f:52:fb:
       fb:1b:78:23:65:2d:9e:f7:26:76:ff:c2:a4:86:f6:bf:39:d8:
       31:c6:35:b5:90:63:d1:e1:fe:aa:81:9e:f2:a0:c0:9e:f7:ae:
       21:a0:17:da:94:7a:99:a4:37:b8:e5:61:b4:28:db:12:f4:ba:
       36:29:14:0c:f7:43:f6:1f:71:81:71:67:21:36:29:01:c2:f8:
       dc:15:f6:4a:89:75:62:29:78:4d:6f:f2:74:5f:d7:28:c9:25:
       31:49:3f:6e:47:f5:46:2b:0c:c4:db:5e:a6:9c:2c:61:ae:cf:
       12:52:e0:a4:39:23:b6:dc:3b:a6:1b:20:bf:00:ca:05:ef:88:
       23:83:bf:c8:78:55:c0:62:30:8d:78:47:dd:a6:63:2e:06:37:
       0d:bc:bd:38:1e:ec:fb:b4:ac:cf:3d:3e:c1:0a:cb:b7:f0:7a:
       2b:22:69:75:20:36:49:77:5c:d8:16:30:c1:40:3d:16:20:6c:
       e0:18:f4:8f
WARNING: no nonce in response
Response verify OK
digicert.com: good
       This Update: Oct 28 20:21:01 2023 GMT
       Next Update: Nov  4 19:21:01 2023 GMT
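The two revocation checks above (the CRL check with openssl verify and the OCSP request) as one added, self-contained example. This is not part of the original notes: instead of digicert.com it builds its own throw-away CA, issues a leaf certificate, checks it, revokes it and checks again, so it runs offline and shows both the "OK/good" and the "revoked" outcome. It assumes only the openssl command line tool (1.1.1 or 3.x); the CA name, the file names and the working directory in $LAB are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original notes): the CRL and OCSP checks above,
# run against a throw-away CA created locally so nothing is downloaded.
# Assumes only the openssl CLI; every name and path below is a sample value.
set -eu

LAB="${LAB:-$(mktemp -d)}"

# Build a root CA, issue one leaf certificate, and create the flat-file
# database that "openssl ca" uses to track serial numbers and revocations.
setup_lab() (
    cd "$LAB"
    touch index.txt
    echo 1000 > serial
    echo 1000 > crlnumber
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = lab_policy
[ lab_policy ]
commonName = supplied
EOF
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Lab Root CA" -extensions v3_ca -keyout ca.key -out ca.crt 2>/dev/null
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
        -subj "/CN=leaf.example" -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl ca -config ca.cnf -batch -notext -extensions v3_leaf \
        -in leaf.csr -out leaf.crt 2>/dev/null
)

# Mark the leaf revoked in the CA database; CRLs are regenerated on demand.
revoke_leaf() (
    cd "$LAB"
    openssl ca -config ca.cnf -revoke leaf.crt 2>/dev/null
)

# CRL check as in the notes: issue a fresh CRL, concatenate it with the CA
# chain and let "openssl verify -crl_check" decide. Prints good or revoked.
# -crl_check covers the end-entity certificate only; -crl_check_all also
# checks every intermediate against its own CRL.
crl_status() (
    cd "$LAB"
    openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
    cat ca.crt ca.crl > crl_chain.pem
    if out=$(openssl verify -crl_check -CAfile crl_chain.pem leaf.crt 2>&1); then
        echo good
    else
        case "$out" in *revoked*) echo revoked ;; *) echo "error: $out" ;; esac
    fi
)

# OCSP check without a network: the request that -url would POST is written to
# a file, answered by "openssl ocsp" acting as responder from the CA database
# (signed with the CA key), and the response is verified like the notes do.
ocsp_status() (
    cd "$LAB"
    openssl ocsp -issuer ca.crt -cert leaf.crt -no_nonce -reqout req.der >/dev/null 2>&1
    openssl ocsp -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key -no_nonce \
        -reqin req.der -respout resp.der >/dev/null 2>&1
    openssl ocsp -issuer ca.crt -cert leaf.crt -CAfile ca.crt -no_nonce \
        -respin resp.der 2>/dev/null | sed -n 's/^leaf\.crt: //p'
)

setup_lab
echo "CRL status before revocation:  $(crl_status)"
echo "OCSP status before revocation: $(ocsp_status)"
revoke_leaf
echo "CRL status after revocation:   $(crl_status)"
echo "OCSP status after revocation:  $(ocsp_status)"
```

For a real certificate the responder address to pass to -url is printed by openssl x509 -noout -ocsp_uri -in digicert.com. The notes pass the DER issuer file straight to -issuer, which OpenSSL 3 accepts because it autodetects the encoding; OpenSSL 1.1.1 expects PEM there, so on that release convert it first with openssl x509 -inform DER -in issuer.der -out issuer.pem. -no_nonce is what silences the "WARNING: no nonce in response" line seen above; without it the client asks for a nonce that many public responders do not echo back.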

How to create a self-signed certificate with openssl

This is an example of how to create a self-signed certificate with openssl.

Subject: C=AT CN=foo Valid: 2 years

Type in the following command and answer the prompts as shown:

openssl req -new -days 730 -newkey rsa:4096 -sha512 -x509 -nodes -out server.crt -keyout server.key
Country Name (2 letter code) [AU]:AT
Common Name (e.g. server FQDN or YOUR name) []:foo

Now you have the certificate and the private key:

server.crt  server.key

How to create an ECDSA private key and a CSR with openssl

This is an example of how to create an ECDSA private key and a CSR with openssl.

Subject: C=AT CN=foo

Curve: prime256v1 (secp256r1)

Create the key:

openssl ecparam -name prime256v1 -genkey -noout -out private-key.pem

Create the CSR file:

openssl req -key private-key.pem -new -out domain.csr

If you want to check your CSR, type in the following command:

openssl req -text -noout -verify -in domain.csr

How to convert PEM (base64) format to binary format (DER)?

This is an example of how to convert PEM format to binary format with openssl.

openssl x509 -in server.crt -outform DER -out server.der

How to create a private key (3072-bit) protected with a password?

This is an example of how to create a private key protected with a password.

openssl genrsa -aes256 -out private.key 3072

How to convert an encrypted key file to a decrypted key file

This is an example how to convert an encrypted key file to a decrypted key file.

openssl rsa -in private.key -out decrypted.key
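The recipes from "self-signed certificate" down to here, run end to end as one added example that is not part of the original notes, with a check after each step that the artifact is what the recipe claims: the decrypted key still carries the same public key, the CSR verifies and has the requested subject and curve, the DER file is the same certificate as the PEM file, and the self-signed certificate is valid for two years. It assumes only the openssl command line tool; -subj and -passout replace the interactive prompts the notes show, and the passphrase "changeit", the subject C=AT, CN=foo and the directory in $LAB are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original notes): key, CSR, self-signed
# certificate, PEM/DER and passphrase recipes, each followed by a check.
# Assumes only the openssl CLI; "changeit" and C=AT/CN=foo are sample values.
set -eu

LAB="${LAB:-$(mktemp -d)}"

make_artifacts() (
    cd "$LAB"
    # Minimal config so "openssl req" runs even without a system openssl.cnf;
    # the subject comes from -subj, so the DN section stays empty.
    cat > req.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = v3_self
[ req_dn ]
[ v3_self ]
basicConstraints = critical, CA:TRUE
EOF
    # 3072-bit RSA key wrapped with AES-256; -passout replaces the passphrase prompt.
    openssl genrsa -aes256 -passout pass:changeit -out private.key 3072 2>/dev/null
    # Strip the passphrase: same key material, now stored in the clear.
    openssl rsa -in private.key -passin pass:changeit -out decrypted.key 2>/dev/null
    # ECDSA key on prime256v1 (P-256) and a CSR for it.
    openssl ecparam -name prime256v1 -genkey -noout -out private-key.pem
    openssl req -config req.cnf -new -key private-key.pem -subj "/C=AT/CN=foo" -out domain.csr
    # Self-signed RSA certificate valid for 730 days; -nodes leaves the key unencrypted.
    openssl req -config req.cnf -new -x509 -days 730 -newkey rsa:4096 -sha512 -nodes \
        -subj "/C=AT/CN=foo" -out server.crt -keyout server.key 2>/dev/null
    # PEM (base64) to DER (binary).
    openssl x509 -in server.crt -outform DER -out server.der
)

# Decrypting must not change the key: both files must yield the same public key.
rsa_pubkeys_match() (
    cd "$LAB"
    enc=$(openssl rsa -in private.key -passin pass:changeit -pubout 2>/dev/null)
    dec=$(openssl rsa -in decrypted.key -pubout 2>/dev/null)
    [ -n "$enc" ] && [ "$enc" = "$dec" ] && echo yes || echo no
)

# The CSR must verify (its signature proves possession of the private key) and
# carry the requested subject and curve. Prints "subject;curve".
csr_summary() (
    cd "$LAB"
    openssl req -in domain.csr -noout -verify >/dev/null 2>&1 || { echo bad-signature; exit 0; }
    subject=$(openssl req -in domain.csr -noout -subject -nameopt RFC2253)
    curve=$(openssl req -in domain.csr -noout -text | sed -n 's/.*ASN1 OID: *//p')
    echo "$subject;$curve"
)

# PEM and DER are two encodings of one certificate: the fingerprints must agree.
der_roundtrip_matches() (
    cd "$LAB"
    pem=$(openssl x509 -in server.crt -noout -fingerprint -sha256)
    der=$(openssl x509 -in server.der -inform DER -noout -fingerprint -sha256)
    [ "$pem" = "$der" ] && echo yes || echo no
)

# "-days 730": still valid 729 days from now, but expired 731 days from now.
cert_valid_two_years() (
    cd "$LAB"
    openssl x509 -in server.crt -noout -checkend 62985600 >/dev/null 2>&1 || { echo no; exit 0; }
    openssl x509 -in server.crt -noout -checkend 63158400 >/dev/null 2>&1 && { echo no; exit 0; }
    echo yes
)

make_artifacts
echo "RSA public key unchanged by decryption: $(rsa_pubkeys_match)"
echo "CSR subject;curve:                      $(csr_summary)"
echo "DER round trip matches PEM:             $(der_roundtrip_matches)"
echo "Certificate valid for two years:        $(cert_valid_two_years)"
```

The checks are the ones worth keeping in a script: comparing the public keys catches a decryption that silently wrote a different file, -verify on the CSR catches a key/CSR mismatch before it reaches a CA, the fingerprint comparison confirms a format conversion changed nothing, and -checkend turns "valid for 2 years" into something a script can assert.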