Squoggle
Mac's tech blog
Online Certificate Status Protocol (OCSP)
December 15, 2022
Online Certificate Status Protocol (OCSP) is an alternative to Certificate Revocation Lists (CRLs) for checking whether a digital certificate in a public key infrastructure (PKI) is still valid.
When a user encounters a digital certificate, their software can send an OCSP request to the certificate authority (CA), or the OCSP responder the CA operates, asking for the current status of that certificate. The responder replies with one of three statuses: “good”, “revoked”, or “unknown”.
If the response is “good”, the user’s software can proceed with the transaction or access to the resource protected by the certificate. If the response is “revoked”, the software rejects the certificate as invalid. If the response is “unknown”, the software may require additional steps to verify the validity of the certificate.
Unlike CRLs, which grow large and unwieldy as the number of revoked certificates increases, OCSP lets a client check a single certificate efficiently and promptly. The trade-off is that the client must reach the CA’s responder at validation time, which raises performance and privacy concerns.
The Good about OCSP
- Real-time validation: OCSP provides real-time validation of certificates, so users can immediately determine whether a certificate is valid or not.
- Smaller and more efficient: OCSP responses are typically smaller and more efficient than certificate revocation lists (CRLs), especially for large PKIs with many revoked certificates.
- Reduced latency: OCSP can reduce latency by eliminating the need for users to download and parse large CRL files.
- More privacy-friendly: OCSP can be more privacy-friendly than CRLs, as it doesn’t require users to download a complete list of revoked certificates and associated information.
The Bad about OCSP
- Increased network traffic: OCSP requires users to contact the certificate authority (CA) server each time a certificate is validated, which can increase network traffic and cause performance issues.
- Single point of failure: OCSP relies on a single CA server for validation, so if the server goes down or experiences issues, users may be unable to validate certificates.
- Reduced reliability: OCSP may be less reliable than CRLs in certain situations, such as when there are issues with the CA’s OCSP server or network connectivity.
- Potential privacy concerns: While OCSP can be more privacy-friendly than CRLs, it still allows the CA to track which certificates are being validated and when, which may be a concern for some users.
Check the OCSP status of a Certificate
You can check an Online Certificate Status Protocol (OCSP) response with OpenSSL using the openssl ocsp command. Here is an example command:
openssl ocsp -issuer issuer_cert.pem -cert certificate.pem -url http://ocsp.server.com -text
This command checks the status of the certificate in certificate.pem by sending an OCSP request to the responder at http://ocsp.server.com. The issuer_cert.pem file holds the certificate of the issuer that signed certificate.pem. The -text option prints the request and the response in human-readable form.
After running the command, you will receive an OCSP response that includes the status of the certificate. If the status is “good”, the certificate is valid. If the status is “revoked”, the certificate has been revoked by the issuer. If the status is “unknown”, the server was unable to provide a definitive response for the certificate.
Get the Certificate from a Site:
Let's use google.com as an example.
Get the Certificate for google.com and save it to a file named certificate.pem:
openssl s_client -connect google.com:443 -servername google.com -showcerts </dev/null 2>/dev/null | openssl x509 > certificate.pem
Get the Issuing Cert from a Site:
Get the issuing certificate for google.com and save it to a file named issuer.pem:
openssl s_client -connect google.com:443 -servername google.com -showcerts </dev/null 2>/dev/null | awk '/-----BEGIN CERTIFICATE-----/{n++} n==2{print; if (/-----END CERTIFICATE-----/) exit}' > issuer.pem
Extract the OCSP URL from the Certificate:
Use OpenSSL to read the OCSP URL from the certificate's Authority Information Access extension and save it in a variable named ocspurl:
ocspurl=$(openssl x509 -in certificate.pem -noout -ocsp_uri | head -n 1)
Test the OCSP Status of the Certificate:
Check the OCSP status of the certificate with the openssl ocsp subcommand like this:
openssl ocsp -issuer issuer.pem -cert certificate.pem -url "$ocspurl" -text
You should get a response that looks something like this:
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 12D78B402C356206FA827F8ED8922411B4ACF504
          Issuer Key Hash: A5CE37EAEBB0750E946788B445FAD9241087961F
          Serial Number: 0CD04791FC985ABB27E20A42A232FDF5
    Request Extensions:
        OCSP Nonce:
            0410CD24FED402FF2B1D2331485C81AD1C21
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: A5CE37EAEBB0750E946788B445FAD9241087961F
    Produced At: Apr 26 00:54:27 2023 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 12D78B402C356206FA827F8ED8922411B4ACF504
      Issuer Key Hash: A5CE37EAEBB0750E946788B445FAD9241087961F
      Serial Number: 0CD04791FC985ABB27E20A42A232FDF5
    Cert Status: good
    This Update: Apr 26 00:39:01 2023 GMT
    Next Update: May  2 23:54:01 2023 GMT

    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:20:45:c2:eb:e2:54:23:2a:c5:49:47:c2:f0:0b:cf:
         8d:06:6d:17:62:26:2e:4a:ba:8e:cd:61:bf:dd:af:e8:ea:cb:
         02:21:00:94:bd:5c:33:e7:ac:20:50:d4:15:45:9e:d8:8d:75:
         1a:fb:c5:95:5f:11:c7:b2:88:47:0a:5b:56:d0:3c:89:b5
WARNING: no nonce in response
Response verify OK
certificate.pem: good
	This Update: Apr 26 00:39:01 2023 GMT
	Next Update: May  2 23:54:01 2023 GMT
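The steps above as one script, added here as an example that is not part of the original post: it fetches the leaf and issuer certificates, reads the OCSP URL, queries the responder, and turns the three statuses from the introduction into a verdict that is only trusted when OpenSSL also printed "Response verify OK". It assumes a POSIX shell with openssl, awk and grep on PATH; the function names and the SAMPLE_* strings are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: the steps above as one script,
# with the openssl output turned into a verdict that is only trusted when
# OpenSSL also reports "Response verify OK". Assumes a POSIX shell with
# openssl, awk and grep on PATH; the SAMPLE_* strings below are constructed.

# Map the combined stdout+stderr of `openssl ocsp` to one word.
# $1 is the certificate file name as it appears in the summary line.
ocsp_verdict() {
    out=$(cat)
    # openssl prints the status summary even when signature verification
    # fails, so a bare grep for "good" would accept a forged response.
    if ! printf '%s\n' "$out" | grep -q '^Response verify OK'; then
        echo unverified; return 0
    fi
    status=$(printf '%s\n' "$out" | awk -v f="$1:" '$1 == f { print $2; exit }')
    case "$status" in
        good|revoked|unknown) echo "$status" ;;
        *)                    echo error ;;
    esac
}

# Pull the leaf and its issuer from a live TLS handshake, read the OCSP URL
# from the leaf's Authority Information Access extension, query the responder.
# Usage: check_site_ocsp google.com   (needs network access; writes two .pem files)
check_site_ocsp() {
    host=$1; port=${2:-443}
    chain=$(openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null)
    # PEM block 1 is the server certificate, block 2 the certificate that signed it
    printf '%s\n' "$chain" | awk '/-----BEGIN CERTIFICATE-----/{n++} n==1{print; if (/-----END CERTIFICATE-----/) exit}' > leaf.pem
    printf '%s\n' "$chain" | awk '/-----BEGIN CERTIFICATE-----/{n++} n==2{print; if (/-----END CERTIFICATE-----/) exit}' > issuer.pem
    url=$(openssl x509 -in leaf.pem -noout -ocsp_uri | head -n 1)
    [ -n "$url" ] || { echo "$host: no OCSP URL in certificate"; return 4; }
    verdict=$(openssl ocsp -issuer issuer.pem -cert leaf.pem -url "$url" 2>&1 | ocsp_verdict leaf.pem)
    echo "$host: $verdict"
    case "$verdict" in good) return 0 ;; revoked) return 1 ;; unknown) return 2 ;; *) return 3 ;; esac
}

# Constructed samples of `openssl ocsp` output (2>&1) for exercising ocsp_verdict offline.
SAMPLE_GOOD='WARNING: no nonce in response
Response verify OK
certificate.pem: good
	This Update: Apr 26 00:39:01 2023 GMT'
SAMPLE_REVOKED='Response verify OK
certificate.pem: revoked
	Reason: keyCompromise'
SAMPLE_BADSIG='Response Verify Failure
certificate.pem: good'
```

The exit code of check_site_ocsp (0 good, 1 revoked, 2 unknown, 3 unverified or malformed, 4 no OCSP URL) makes it usable from a monitoring job.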
OpenSSL OCSP Commands Documentation
Online Certificate Status Protocol command