Checking a certificate's OCSP revocation status with openssl

If a certificate has been used to sign malware, or its private key has leaked and the certificate has been reissued, the certificate authority (CA) revokes the original certificate, and clients check whether a certificate has been revoked when they validate it. Early revocation checking relied mainly on CRLs (certificate revocation lists), which are typically refreshed on a scale of days; today the check is done mostly through OCSP (Online Certificate Status Protocol), which is much faster, and TLS additionally supports the OCSP Stapling extension to speed the check up during the SSL handshake.

So how do we check by hand whether a certificate has been revoked?

The openssl ocsp command does exactly this.

Prerequisites

  1. First, you need openssl
  2. The certificate to check
  3. The certificate of the issuer of the certificate to check
  4. The OCSP server address

Steps

openssl s_client -connect yryz.net:443 -showcerts retrieves the SSL certificate chain; the certificate to check can be taken from there.

Run openssl x509 -in test.crt -noout -text and look for the Authority Information Access: section, which gives the download address of the issuer certificate and the OCSP address:

OCSP - URI:http://trustasia2-ocsp.digitalcertvalidation.com
CA Issuers - URI:http://trustasia2-aia.digitalcertvalidation.com/trustasiag5.crt

Alternatively, openssl x509 -in test.crt -noout -ocsp_uri prints the OCSP server address directly: http://trustasia2-ocsp.digitalcertvalidation.com

Fetch the revocation status with openssl ocsp -issuer trustasiag5.crt -cert test.crt -url http://trustasia2-ocsp.digitalcertvalidation.com -text (adding -text gives more detailed output):

OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 14EADF81301FC36D0F1A23C4FA0CFBF84304EC85
Issuer Key Hash: 6D58C77F1AE7E13F2EA68C973542BBF4D338AC3F
Serial Number: 05749024F4CD19C49B86EBBE3D7999B9
Request Extensions:
OCSP Nonce:
041071459DF548EDAC8877549DF0191E3558
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C9F321F9DB35CD36F525F3D0AF9528EF49A03910
Produced At: Oct 4 22:51:23 2016 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 14EADF81301FC36D0F1A23C4FA0CFBF84304EC85
Issuer Key Hash: 6D58C77F1AE7E13F2EA68C973542BBF4D338AC3F
Serial Number: 05749024F4CD19C49B86EBBE3D7999B9
Cert Status: good
This Update: Oct 4 22:51:23 2016 GMT
Next Update: Oct 11 22:51:23 2016 GMT

Signature Algorithm: sha256WithRSAEncryption
17:89:c4:11:20:9e:43:ab:42:3a:fc:a6:f5:87:f8:3f:2d:f7:
f9:71:d1:f8:6e:27:5d:bb:a8:c5:ac:88:fe:f6:2f:8a:4a:bd:
46:ca:9d:09:50:46:46:9d:eb:2d:f7:06:c3:a0:06:db:8d:e1:
e8:36:4d:a9:50:d2:47:23:3e:f4:9a:29:83:c9:77:91:d3:37:
39:e6:53:13:56:5e:f4:07:4d:82:b9:45:5b:e6:5d:69:40:f6:
dd:16:fe:48:08:91:da:f7:e4:58:b9:c7:d2:03:1b:c9:38:59:
f4:09:15:2f:c7:09:b3:61:06:78:a3:f2:9a:2d:a6:6f:82:39:
9e:13:c6:91:98:29:06:9b:d0:ef:78:00:93:9c:03:f8:8b:de:
c3:03:aa:31:80:52:b0:22:05:3d:d3:f2:e0:72:82:71:8b:29:
bc:ba:e5:54:e4:e1:20:5d:61:1a:56:a2:d1:02:94:af:60:26:
49:1c:a8:59:4b:cf:d9:14:0d:f6:d1:99:bb:60:24:37:73:d8:
12:b8:65:59:6c:0b:31:1c:28:27:5f:3f:92:8f:e1:c2:ee:3b:
5b:be:72:93:09:bd:1a:cb:12:5e:40:31:36:9a:b3:27:03:bc:
86:c0:07:5f:57:62:42:2a:f7:e7:66:79:11:81:88:39:74:d4:
58:36:eb:71
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
60:3d:4a:3c:3b:08:28:d2:70:b0:05:4d:63:53:d6:55
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, O=TrustAsia Technologies, Inc., OU=Symantec Trust Network, OU=Domain Validated SSL, CN=TrustAsia DV SSL CA - G5
Validity
Not Before: Aug 11 00:00:00 2016 GMT
Not After : Dec 10 23:59:59 2016 GMT
Subject: CN=TrustAsia DV SSL CA - G5 OCSP Responder
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c6:7a:2b:a2:0f:7f:57:88:92:63:c5:01:97:65:
39:19:9a:12:bc:fb:7a:a9:73:a2:2a:70:9d:a0:6a:
05:7d:3e:91:1c:62:aa:5a:56:f4:29:33:6c:b0:8a:
47:5e:50:88:9e:93:93:4c:bf:a7:54:12:3e:0b:d2:
d5:c5:05:9f:98:f9:58:d8:72:9a:78:e2:dd:0b:05:
8b:aa:49:f7:cd:ea:b2:8a:d1:6c:f6:eb:ea:80:18:
74:7a:88:7c:00:4b:3b:d3:a8:5d:88:c9:7e:e0:54:
af:75:12:eb:dd:80:21:0e:b2:68:f7:5b:df:38:0d:
18:e9:b7:8a:49:a9:32:9e:59:6b:eb:1c:09:50:99:
2b:86:5f:5c:68:db:8d:44:a5:9e:1b:93:eb:8d:e0:
b3:e5:7f:4e:c1:a8:28:e6:aa:ae:c9:35:a1:7e:9a:
1d:8c:bd:8e:de:64:67:c5:60:f9:b6:8b:4a:f4:e9:
df:4f:c8:8e:bc:70:08:92:31:f0:00:e2:8e:05:fc:
0b:49:5e:8c:84:2c:0f:d8:fa:b2:79:71:e1:af:66:
21:89:eb:13:6a:b4:a3:30:4f:4e:dd:fc:ae:90:b6:
9b:97:39:90:f5:c7:23:a6:af:19:1e:61:33:b8:b3:
f7:ee:d7:97:1b:ac:73:d8:f2:89:82:7a:8a:fa:ab:
9b:09
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
OCSP Signing
X509v3 Key Usage: critical
Digital Signature
OCSP No Check:

X509v3 Certificate Policies:
Policy: 2.16.840.1.113733.1.7.23.3
CPS: https://d.symcb.com/cps
User Notice:
Explicit Text: https://d.symcb.com/rpa

X509v3 Subject Alternative Name:
DirName:/CN=TGV-C-282
X509v3 Subject Key Identifier:
C9:F3:21:F9:DB:35:CD:36:F5:25:F3:D0:AF:95:28:EF:49:A0:39:10
X509v3 Authority Key Identifier:
keyid:6D:58:C7:7F:1A:E7:E1:3F:2E:A6:8C:97:35:42:BB:F4:D3:38:AC:3F

Signature Algorithm: sha256WithRSAEncryption
8d:b8:61:a7:df:ca:fd:df:dc:7a:48:e8:38:96:82:83:14:c6:
11:77:31:66:bb:d4:10:8f:72:6e:ce:93:c0:8f:ed:99:cf:d4:
52:84:2f:30:73:17:97:95:65:4e:1d:02:1b:5e:d3:38:fa:42:
50:f1:b2:c1:8a:3f:e6:2d:87:57:dc:f0:3d:3b:28:c5:fd:84:
93:a7:65:21:f2:1b:20:9d:9e:0b:2c:82:59:5f:16:eb:c8:7c:
7b:36:12:ef:bb:df:0a:9e:09:81:a4:e2:42:d7:7e:8a:ef:f5:
8f:00:df:7f:1a:02:9f:86:19:fb:b1:69:5a:75:b1:66:a5:49:
b5:ff:fe:44:46:5d:df:3f:71:b1:e7:e2:10:ba:08:be:d0:3c:
15:80:35:19:62:e3:f5:6a:18:a7:dd:ce:ae:be:ab:6e:4f:4a:
a7:68:9a:68:bc:c7:23:55:9d:aa:3e:24:ab:25:f0:51:b5:ae:
7e:3d:ca:de:5c:82:89:77:79:82:a1:89:0a:89:b9:c2:bf:aa:
0f:cd:48:84:bd:24:ff:21:04:74:f3:2b:17:a1:52:13:91:58:
ae:1a:4b:94:ef:22:65:2c:cb:3e:fb:b7:2c:cb:64:a0:44:41:
d5:90:01:c5:79:5c:24:fc:2a:23:f1:21:cb:e4:82:60:30:be:
a5:f7:bf:f0
-----BEGIN CERTIFICATE-----
MIIEaTCCA1GgAwIBAgIQYD1KPDsIKNJwsAVNY1PWVTANBgkqhkiG9w0BAQsFADCB
lzELMAkGA1UEBhMCQ04xJTAjBgNVBAoTHFRydXN0QXNpYSBUZWNobm9sb2dpZXMs
IEluYy4xHzAdBgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxHTAbBgNVBAsT
FERvbWFpbiBWYWxpZGF0ZWQgU1NMMSEwHwYDVQQDExhUcnVzdEFzaWEgRFYgU1NM
IENBIC0gRzUwHhcNMTYwODExMDAwMDAwWhcNMTYxMjEwMjM1OTU5WjAyMTAwLgYD
VQQDEydUcnVzdEFzaWEgRFYgU1NMIENBIC0gRzUgT0NTUCBSZXNwb25kZXIwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGeiuiD39XiJJjxQGXZTkZmhK8
+3qpc6IqcJ2gagV9PpEcYqpaVvQpM2ywikdeUIiek5NMv6dUEj4L0tXFBZ+Y+VjY
cpp44t0LBYuqSffN6rKK0Wz26+qAGHR6iHwASzvTqF2IyX7gVK91EuvdgCEOsmj3
W984DRjpt4pJqTKeWWvrHAlQmSuGX1xo241EpZ4bk+uN4LPlf07BqCjmqq7JNaF+
mh2MvY7eZGfFYPm2i0r06d9PyI68cAiSMfAA4o4F/AtJXoyELA/Y+rJ5ceGvZiGJ
6xNqtKMwT07d/K6QtpuXOZD1xyOmrxkeYTO4s/fu15cbrHPY8omCeor6q5sJAgMB
AAGjggETMIIBDzAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA4G
A1UdDwEB/wQEAwIHgDAPBgkrBgEFBQcwAQUEAgUAMGYGA1UdIARfMF0wWwYLYIZI
AYb4RQEHFwMwTDAjBggrBgEFBQcCARYXaHR0cHM6Ly9kLnN5bWNiLmNvbS9jcHMw
JQYIKwYBBQUHAgIwGRoXaHR0cHM6Ly9kLnN5bWNiLmNvbS9ycGEwIQYDVR0RBBow
GKQWMBQxEjAQBgNVBAMTCVRHVi1DLTI4MjAdBgNVHQ4EFgQUyfMh+ds1zTb1JfPQ
r5Uo70mgORAwHwYDVR0jBBgwFoAUbVjHfxrn4T8upoyXNUK79NM4rD8wDQYJKoZI
hvcNAQELBQADggEBAI24Yaffyv3f3HpI6DiWgoMUxhF3MWa71BCPcm7Ok8CP7ZnP
1FKELzBzF5eVZU4dAhte0zj6QlDxssGKP+Yth1fc8D07KMX9hJOnZSHyGyCdngss
gllfFuvIfHs2Eu+73wqeCYGk4kLXforv9Y8A338aAp+GGfuxaVp1sWalSbX//kRG
Xd8/cbHn4hC6CL7QPBWANRli4/VqGKfdzq6+q25PSqdommi8xyNVnao+JKsl8FG1
rn49yt5cgol3eYKhiQqJucK/qg/NSIS9JP8hBHTzKxehUhORWK4aS5TvImUsyz77
tyzLZKBEQdWQAcV5XCT8KiPxIcvkgmAwvqX3v/A=
-----END CERTIFICATE-----
WARNING: no nonce in response
Response Verify Failure
140735222653008:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:138:Verify error:unable to get local issuer certificate
test.crt: good
This Update: Oct 4 22:51:23 2016 GMT
Next Update: Oct 11 22:51:23 2016 GMT
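The run above ends with two things a script must not ignore: "Response Verify Failure ... unable to get local issuer certificate" means OpenSSL could not build a trusted chain to the responder certificate (the -issuer file is only an untrusted intermediate; the trust anchor has to be supplied, for example with -CAfile), so the "good" answer is unsigned as far as the client is concerned; and "WARNING: no nonce in response" means the responder serves pre-computed answers and cannot echo a nonce, which -no_nonce acknowledges. The following is an added example, not code from the original post: it builds the openssl ocsp command from the article with those two options, parses the command's output, and fails closed, accepting only a signature-verified, currently valid "good". The file names (test.crt, trustasiag5.crt, root.pem) and the three sample outputs are constructed from the article's run; the openssl binary is assumed to be on PATH only for check_certificate, the parsing and decision functions run offline.

```python
"""Automate the openssl ocsp check from the article and judge the answer (added example)."""
import re
import subprocess
from datetime import datetime, timezone


def build_ocsp_command(cert, issuer, url, ca_file=None, nonce=True):
    """argv for the article's `openssl ocsp` invocation.

    ca_file: PEM bundle holding the trust anchor (root CA). Without it OpenSSL cannot
    verify the responder certificate and prints 'Response Verify Failure'.
    nonce=False adds -no_nonce for responders that do not echo the request nonce.
    """
    argv = ["openssl", "ocsp", "-issuer", issuer, "-cert", cert, "-url", url, "-text"]
    if ca_file:
        argv += ["-CAfile", ca_file]
    if not nonce:
        argv.append("-no_nonce")
    return argv


def parse_openssl_time(value):
    """'Oct  4 22:51:23 2016 GMT' -> aware UTC datetime (extra spaces tolerated)."""
    value = " ".join(value.replace("GMT", "").split())
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_ocsp_output(text, cert_path):
    """Extract the decision-relevant fields from `openssl ocsp` stdout+stderr."""
    result = {
        "status": None,  # good | revoked | unknown | None (no answer at all)
        "verified": "Response verify OK" in text,  # OpenSSL's success line
        "this_update": None, "next_update": None, "revocation_time": None,
        "warnings": [], "errors": [],
    }
    status_re = re.compile(r"^%s: (good|revoked|unknown)$" % re.escape(cert_path))
    times = (("this_update", "This Update:"), ("next_update", "Next Update:"),
             ("revocation_time", "Revocation Time:"))
    for line in (raw.strip() for raw in text.splitlines()):
        m = status_re.match(line)
        if m:
            result["status"] = m.group(1)
        elif line.startswith("WARNING:"):
            result["warnings"].append(line)
        elif line.startswith("Response Verify Failure") or ":error:" in line:
            result["errors"].append(line)
        else:
            for key, label in times:
                if line.startswith(label):
                    result[key] = parse_openssl_time(line[len(label):])
    return result


def decide(parsed, now=None):
    """Fail closed: only a signature-verified, current 'good' answer is accepted."""
    now = now or datetime.now(timezone.utc)
    if parsed["status"] == "revoked":
        return "revoked"
    if not parsed["verified"]:
        return "unverified"  # the article's run ends in this state
    if parsed["status"] != "good":
        return "unknown"
    if parsed["this_update"] and now < parsed["this_update"]:
        return "stale"
    if parsed["next_update"] and now > parsed["next_update"]:
        return "stale"
    return "good"


def check_certificate(cert, issuer, url, ca_file=None, nonce=True):
    """Run openssl ocsp (needs network and the openssl binary) and return (verdict, fields)."""
    proc = subprocess.run(build_ocsp_command(cert, issuer, url, ca_file, nonce),
                          capture_output=True, text=True)
    parsed = parse_ocsp_output(proc.stdout + proc.stderr, cert)
    return decide(parsed), parsed


# Constructed sample 1: the tail of the article's run (responder signature not verified).
SAMPLE_UNVERIFIED = """\
WARNING: no nonce in response
Response Verify Failure
140735222653008:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:138:Verify error:unable to get local issuer certificate
test.crt: good
This Update: Oct  4 22:51:23 2016 GMT
Next Update: Oct 11 22:51:23 2016 GMT
"""
# Constructed sample 2: the same answer once the trust anchor is supplied via -CAfile.
SAMPLE_VERIFIED = """\
Response verify OK
test.crt: good
This Update: Oct  4 22:51:23 2016 GMT
Next Update: Oct 11 22:51:23 2016 GMT
"""
# Constructed sample 3: a revoked certificate, in the layout openssl ocsp prints.
SAMPLE_REVOKED = """\
Response verify OK
test.crt: revoked
This Update: Oct  4 22:51:23 2016 GMT
Next Update: Oct 11 22:51:23 2016 GMT
Revocation Time: Oct  1 09:00:00 2016 GMT
"""

if __name__ == "__main__":
    when = parse_openssl_time("Oct  5 00:00:00 2016 GMT")  # inside the response window
    for sample in (SAMPLE_UNVERIFIED, SAMPLE_VERIFIED, SAMPLE_REVOKED):
        fields = parse_ocsp_output(sample, "test.crt")
        print(decide(fields, when), fields["status"], fields["errors"][:1])
```

For a live check, check_certificate("test.crt", "trustasiag5.crt", "http://trustasia2-ocsp.digitalcertvalidation.com", ca_file="root.pem", nonce=False) reproduces the article's command with the trust anchor added; "unverified" and "stale" are deliberately distinct from "unknown" so that a monitoring job can tell a broken trust configuration apart from a responder that has no record of the serial.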