Checking a certificate's OCSP revocation status with openssl

If a certificate has been used to sign malware, or its private key has leaked and a replacement has been issued, the certificate authority (CA) revokes the original certificate, and clients check whether a certificate has been revoked as part of validating it. Early revocation checking relied mainly on CRLs (certificate revocation lists), whose update cycle is typically measured in days; today OCSP (Online Certificate Status Protocol) is the main mechanism and gives much faster checks, and TLS additionally supports the OCSP Stapling extension, which speeds this up at SSL handshake time.

So how do you check by hand whether a given certificate has been revoked?

The openssl ocsp command does exactly this.

Prerequisites

  1. First, you need openssl
    • Mac OSX: brew install openssl
    • Windows: https://slproweb.com/products/Win32OpenSSL.html
  2. The certificate to check
  3. The issuer certificate of the certificate to check
  4. The OCSP server address

Procedure

Run openssl s_client -connect yryz.net:443 -showcerts to retrieve the server's SSL certificate chain; this is where you get the certificate to check.

Run openssl x509 -in test.crt -noout -text and look for the Authority Information Access: section, which gives both the download URL of the issuer certificate and the OCSP address:

OCSP - URI:http://trustasia2-ocsp.digitalcertvalidation.com
CA Issuers - URI:http://trustasia2-aia.digitalcertvalidation.com/trustasiag5.crt

Alternatively, openssl x509 -in test.crt -noout -ocsp_uri prints the OCSP server address directly: http://trustasia2-ocsp.digitalcertvalidation.com

Query the revocation status with openssl ocsp -issuer trustasiag5.crt -cert test.crt -url http://trustasia2-ocsp.digitalcertvalidation.com -text (adding -text gives more detailed output):

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 14EADF81301FC36D0F1A23C4FA0CFBF84304EC85
          Issuer Key Hash: 6D58C77F1AE7E13F2EA68C973542BBF4D338AC3F
          Serial Number: 05749024F4CD19C49B86EBBE3D7999B9
    Request Extensions:
        OCSP Nonce:
            041071459DF548EDAC8877549DF0191E3558
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C9F321F9DB35CD36F525F3D0AF9528EF49A03910
    Produced At: Oct  4 22:51:23 2016 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 14EADF81301FC36D0F1A23C4FA0CFBF84304EC85
      Issuer Key Hash: 6D58C77F1AE7E13F2EA68C973542BBF4D338AC3F
      Serial Number: 05749024F4CD19C49B86EBBE3D7999B9
    Cert Status: good
    This Update: Oct  4 22:51:23 2016 GMT
    Next Update: Oct 11 22:51:23 2016 GMT

    Signature Algorithm: sha256WithRSAEncryption
         17:89:c4:11:20:9e:43:ab:42:3a:fc:a6:f5:87:f8:3f:2d:f7:
         f9:71:d1:f8:6e:27:5d:bb:a8:c5:ac:88:fe:f6:2f:8a:4a:bd:
         46:ca:9d:09:50:46:46:9d:eb:2d:f7:06:c3:a0:06:db:8d:e1:
         e8:36:4d:a9:50:d2:47:23:3e:f4:9a:29:83:c9:77:91:d3:37:
         39:e6:53:13:56:5e:f4:07:4d:82:b9:45:5b:e6:5d:69:40:f6:
         dd:16:fe:48:08:91:da:f7:e4:58:b9:c7:d2:03:1b:c9:38:59:
         f4:09:15:2f:c7:09:b3:61:06:78:a3:f2:9a:2d:a6:6f:82:39:
         9e:13:c6:91:98:29:06:9b:d0:ef:78:00:93:9c:03:f8:8b:de:
         c3:03:aa:31:80:52:b0:22:05:3d:d3:f2:e0:72:82:71:8b:29:
         bc:ba:e5:54:e4:e1:20:5d:61:1a:56:a2:d1:02:94:af:60:26:
         49:1c:a8:59:4b:cf:d9:14:0d:f6:d1:99:bb:60:24:37:73:d8:
         12:b8:65:59:6c:0b:31:1c:28:27:5f:3f:92:8f:e1:c2:ee:3b:
         5b:be:72:93:09:bd:1a:cb:12:5e:40:31:36:9a:b3:27:03:bc:
         86:c0:07:5f:57:62:42:2a:f7:e7:66:79:11:81:88:39:74:d4:
         58:36:eb:71
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            60:3d:4a:3c:3b:08:28:d2:70:b0:05:4d:63:53:d6:55
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, O=TrustAsia Technologies, Inc., OU=Symantec Trust Network, OU=Domain Validated SSL, CN=TrustAsia DV SSL CA - G5
        Validity
            Not Before: Aug 11 00:00:00 2016 GMT
            Not After : Dec 10 23:59:59 2016 GMT
        Subject: CN=TrustAsia DV SSL CA - G5 OCSP Responder
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c6:7a:2b:a2:0f:7f:57:88:92:63:c5:01:97:65:
                    39:19:9a:12:bc:fb:7a:a9:73:a2:2a:70:9d:a0:6a:
                    05:7d:3e:91:1c:62:aa:5a:56:f4:29:33:6c:b0:8a:
                    47:5e:50:88:9e:93:93:4c:bf:a7:54:12:3e:0b:d2:
                    d5:c5:05:9f:98:f9:58:d8:72:9a:78:e2:dd:0b:05:
                    8b:aa:49:f7:cd:ea:b2:8a:d1:6c:f6:eb:ea:80:18:
                    74:7a:88:7c:00:4b:3b:d3:a8:5d:88:c9:7e:e0:54:
                    af:75:12:eb:dd:80:21:0e:b2:68:f7:5b:df:38:0d:
                    18:e9:b7:8a:49:a9:32:9e:59:6b:eb:1c:09:50:99:
                    2b:86:5f:5c:68:db:8d:44:a5:9e:1b:93:eb:8d:e0:
                    b3:e5:7f:4e:c1:a8:28:e6:aa:ae:c9:35:a1:7e:9a:
                    1d:8c:bd:8e:de:64:67:c5:60:f9:b6:8b:4a:f4:e9:
                    df:4f:c8:8e:bc:70:08:92:31:f0:00:e2:8e:05:fc:
                    0b:49:5e:8c:84:2c:0f:d8:fa:b2:79:71:e1:af:66:
                    21:89:eb:13:6a:b4:a3:30:4f:4e:dd:fc:ae:90:b6:
                    9b:97:39:90:f5:c7:23:a6:af:19:1e:61:33:b8:b3:
                    f7:ee:d7:97:1b:ac:73:d8:f2:89:82:7a:8a:fa:ab:
                    9b:09
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                OCSP Signing
            X509v3 Key Usage: critical
                Digital Signature
            OCSP No Check:

            X509v3 Certificate Policies:
                Policy: 2.16.840.1.113733.1.7.23.3
                  CPS: https://d.symcb.com/cps
                  User Notice:
                    Explicit Text: https://d.symcb.com/rpa

            X509v3 Subject Alternative Name:
                DirName:/CN=TGV-C-282
            X509v3 Subject Key Identifier:
                C9:F3:21:F9:DB:35:CD:36:F5:25:F3:D0:AF:95:28:EF:49:A0:39:10
            X509v3 Authority Key Identifier:
                keyid:6D:58:C7:7F:1A:E7:E1:3F:2E:A6:8C:97:35:42:BB:F4:D3:38:AC:3F

    Signature Algorithm: sha256WithRSAEncryption
         8d:b8:61:a7:df:ca:fd:df:dc:7a:48:e8:38:96:82:83:14:c6:
         11:77:31:66:bb:d4:10:8f:72:6e:ce:93:c0:8f:ed:99:cf:d4:
         52:84:2f:30:73:17:97:95:65:4e:1d:02:1b:5e:d3:38:fa:42:
         50:f1:b2:c1:8a:3f:e6:2d:87:57:dc:f0:3d:3b:28:c5:fd:84:
         93:a7:65:21:f2:1b:20:9d:9e:0b:2c:82:59:5f:16:eb:c8:7c:
         7b:36:12:ef:bb:df:0a:9e:09:81:a4:e2:42:d7:7e:8a:ef:f5:
         8f:00:df:7f:1a:02:9f:86:19:fb:b1:69:5a:75:b1:66:a5:49:
         b5:ff:fe:44:46:5d:df:3f:71:b1:e7:e2:10:ba:08:be:d0:3c:
         15:80:35:19:62:e3:f5:6a:18:a7:dd:ce:ae:be:ab:6e:4f:4a:
         a7:68:9a:68:bc:c7:23:55:9d:aa:3e:24:ab:25:f0:51:b5:ae:
         7e:3d:ca:de:5c:82:89:77:79:82:a1:89:0a:89:b9:c2:bf:aa:
         0f:cd:48:84:bd:24:ff:21:04:74:f3:2b:17:a1:52:13:91:58:
         ae:1a:4b:94:ef:22:65:2c:cb:3e:fb:b7:2c:cb:64:a0:44:41:
         d5:90:01:c5:79:5c:24:fc:2a:23:f1:21:cb:e4:82:60:30:be:
         a5:f7:bf:f0
-----BEGIN CERTIFICATE-----
[responder certificate PEM body elided]
-----END CERTIFICATE-----
WARNING: no nonce in response
Response Verify Failure
140735222653008:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:138:Verify error:unable to get local issuer certificate
test.crt: good
       	This Update: Oct  4 22:51:23 2016 GMT
       	Next Update: Oct 11 22:51:23 2016 GMT
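The run above is worth reading to the end: OpenSSL reports "Response Verify Failure" (the responder's signing certificate could not be chained to a trusted issuer) and then still prints "test.crt: good". The "good" is the responder's claim; the failed verification means the client has no proof of who made it. The script below is an added example, not code from the original post: it turns the post's steps (s_client -showcerts, x509 -ocsp_uri, openssl ocsp) into functions and adds a classifier that only reports "good" when OpenSSL also printed "Response verify OK". Host name, file names and option names are the post's or standard OpenSSL options; the function names and the sample outputs are this example's own, constructed in the shape of the post's output.

```shell
#!/bin/sh
# Added example, not code from the original post. It scripts the post's manual
# steps and adds one check that the post's own run shows is needed: that run
# ends in "Response Verify Failure" yet still prints "test.crt: good", and a
# script must not read such a "good" as a verified status. Host name, file
# names and option names are the post's or standard OpenSSL options; function
# names and the sample outputs below are this example's own (constructed).
set -u

# Step 1 (post: openssl s_client -connect yryz.net:443 -showcerts): save the
# leaf as test.crt, the served intermediates as chain.crt, and the first of
# those (the leaf's issuer, the post's trustasiag5.crt) as issuer.crt.
fetch_chain() {   # fetch_chain HOST [PORT]
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' |
        awk '/-----BEGIN CERTIFICATE-----/ { n++ } { print > (n == 1 ? "test.crt" : "chain.crt") }'
    sed -n '1,/-----END CERTIFICATE-----/p' chain.crt > issuer.crt
}

# Step 2 (post: openssl x509 -noout -ocsp_uri): responder URL from the AIA extension.
ocsp_uri() {      # ocsp_uri CERT
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Read `openssl ocsp` output on stdin and print exactly one word:
#   good | revoked | unknown | unverified | error
# "good" is reported only when OpenSSL also printed "Response verify OK", i.e.
# the response signature chained to a trusted responder. Otherwise the status
# is "unverified" (fail closed), which also covers runs made with -noverify.
classify_ocsp_output() {
    out=$(cat)
    # Responder-level failure (trylater, unauthorized, ...): no status at all.
    if printf '%s\n' "$out" | grep -q '^Responder Error:'; then
        echo error; return 0
    fi
    # Summary line is "<file>: good|revoked|unknown"; -text adds "Cert Status: ...".
    status=$(printf '%s\n' "$out" | grep -E '^[^:]*: (good|revoked|unknown) *$' |
             head -n 1 | sed 's/.*: *//; s/ *$//')
    if [ -z "$status" ]; then
        echo error; return 0          # connection failure or unparsable output
    fi
    if ! printf '%s\n' "$out" | grep -q '^Response verify OK'; then
        echo unverified; return 0     # the post's "Response Verify Failure" case
    fi
    echo "$status"
}

# Map a classification to an exit code, so cron or a monitor can act on it.
ocsp_status_rc() {
    case "$1" in
        good) return 0 ;; revoked) return 1 ;; unknown) return 2 ;;
        unverified) return 3 ;; *) return 4 ;;
    esac
}

# Step 3 (post: openssl ocsp -issuer ... -cert ... -url ...). -verify_other
# offers the issuer as an untrusted intermediate so the delegated responder
# certificate carried in the response can be chained to a root; the root comes
# from the default trust store, or from $CA_BUNDLE when that store lacks it.
ocsp_check() {    # ocsp_check ISSUER CERT URL
    if [ -n "${CA_BUNDLE:-}" ]; then
        result=$(openssl ocsp -issuer "$1" -cert "$2" -url "$3" \
                    -verify_other "$1" -CAfile "$CA_BUNDLE" 2>&1 | classify_ocsp_output)
    else
        result=$(openssl ocsp -issuer "$1" -cert "$2" -url "$3" \
                    -verify_other "$1" 2>&1 | classify_ocsp_output)
    fi
    echo "$2: $result"
    ocsp_status_rc "$result"
}

# Constructed samples in the shape of the post's output (abridged).
SAMPLE_UNVERIFIED_GOOD=$(cat <<'EOF'
WARNING: no nonce in response
Response Verify Failure
140735222653008:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:138:Verify error:unable to get local issuer certificate
test.crt: good
        This Update: Oct  4 22:51:23 2016 GMT
EOF
)
SAMPLE_GOOD=$(cat <<'EOF'
Response verify OK
test.crt: good
        This Update: Oct  4 22:51:23 2016 GMT
EOF
)
SAMPLE_REVOKED=$(cat <<'EOF'
Response verify OK
test.crt: revoked
        This Update: Oct  4 22:51:23 2016 GMT
        Reason: keyCompromise
EOF
)
SAMPLE_TRYLATER='Responder Error: trylater (3)'

# Network run only when asked for, e.g.  OCSP_HOST=yryz.net sh ocsp_check.sh
if [ -n "${OCSP_HOST:-}" ]; then
    fetch_chain "$OCSP_HOST" && ocsp_check issuer.crt test.crt "$(ocsp_uri test.crt)"
fi
```

Two design notes. The classifier fails closed: anything that is not a verified "good" is reported as unverified, revoked, unknown or error and gets a non-zero exit code, so a monitoring job cannot silently pass on output like the post's. The "WARNING: no nonce in response" line is separate from the verification result: it means the responder ignored the nonce in the request (common for CAs that serve pre-signed responses), and -no_nonce suppresses it; it is not what caused the verify failure here.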