How do I check if my SSL certificates have been revoked


Solution 1

Get the ocsp url from your cert:

$ openssl x509 -noout -ocsp_uri -in /etc/letsencrypt/archive/31337.it/cert1.pem
http://ocsp.int-x1.letsencrypt.org/
$

Send a request to the ocsp server to check if the cert is revoked or not:

$ openssl ocsp -issuer /etc/letsencrypt/archive/31337.it/chain4.pem -cert /etc/letsencrypt/archive/31337.it/cert4.pem -text -url http://ocsp.int-x1.letsencrypt.org/ -header "HOST" "ocsp.int-x1.letsencrypt.org"
...
        This Update: Oct 29 10:00:00 2015 GMT
        Next Update: Nov  5 10:00:00 2015 GMT
$

this is a good cert.

This is a revoked cert:

$  openssl ocsp -issuer /etc/letsencrypt/archive/31337.it/chain3.pem -cert /etc/letsencrypt/archive/31337.it/cert3.pem -text -url http://ocsp.int-x1.letsencrypt.org/ -header "HOST" "ocsp.int-x1.letsencrypt.org"
...
        This Update: Oct 29 12:00:00 2015 GMT
        Next Update: Nov  5 12:00:00 2015 GMT
        Revocation Time: Oct 29 12:33:57 2015 GMT
$

Solution 2

You can use certutil on Windows:

If you have a certificate and want to verify its validity, perform the following command:

certutil -f -urlfetch -verify [FilenameOfCertificate]

For example, use

certutil -f -urlfetch -verify mycertificatefile.cer

Source / More info: TechNet

Additionally, be sure to check with your CA. Just because you rekey the cert or get a new one does not mean they automatically revoke it!

Solution 3

You can use this SSLLabs service to test SSL certificates, but you need them to be accessible from the web. Moreover, you can find out some more information, because this service provides an audit.

Solution 4

If you have revoked the certificates through the CA that generated them then they would have made it to OCSP and CRLs.

If you would like to make sure that that is the case, then please extract the OCSP URL from the certificate, construct an OCSP request to that URL including the certificate serial number and the CA issuer cert, retrieve the OCSP response, and then parse it to check and confirm that it is indeed revoked.

More details at this useful page: http://backreference.org/2010/05/09/ocsp-verification-with-openssl/

Note: this requires use of the openssl library.

Edit1: I see that you have added information on OCSP and CRL explicitly after this answer.
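The steps Solution 1 shows with live commands and Solution 4 describes in words (build a request for the certificate's serial and issuer, obtain the responder's signed answer, verify and parse it) can be run end to end without any network: this is an added example, not code from either answer. It assumes a POSIX shell and an openssl binary (1.1.1 or 3.x); the CA, certificates, serial numbers and dates are all constructed here, and openssl itself acts as the responder via -index, so no responder URL is contacted.

```shell
#!/bin/sh
# Added example, not from any of the answers: an offline OCSP round trip using only
# openssl. A throwaway CA issues two certs, its index.txt marks one revoked, and
# "openssl ocsp" plays both responder (-index) and client (-issuer/-cert), so no
# network is needed. Every name, serial and date is a constructed placeholder.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Demo OCSP Test CA" -days 30 2>/dev/null
  # Serials 4097 = 0x1001 and 4096 = 0x1000; index.txt stores them as hex.
  for leaf in good:4097 revoked:4096; do
    name=${leaf%:*}; serial=${leaf#*:}
    openssl req -newkey rsa:2048 -nodes -keyout "$name.key" -out "$name.csr" \
      -subj "/CN=$name.example.test" 2>/dev/null
    openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca.key -set_serial "$serial" \
      -days 30 -out "$name.pem" 2>/dev/null
  done
  # CA database in "openssl ca" index.txt format, tab separated:
  # status, expiry, revocation date[,reason], serial, file name, subject.
  printf 'V\t301231235959Z\t\t1001\tunknown\t/CN=good.example.test\n' > index.txt
  printf 'R\t301231235959Z\t240101120000Z,keyCompromise\t1000\tunknown\t/CN=revoked.example.test\n' >> index.txt
  echo "unique_subject = yes" > index.txt.attr
}
# ocsp_status CERT: build the request, answer it from index.txt as the CA's
# responder would, verify the signed response, and print good/revoked/unknown.
ocsp_status() {
  cert=$1
  # -no_nonce on both client runs: the verifying run rebuilds the request, and a
  # fresh nonce would not match the nonce echoed back in the stored response.
  openssl ocsp -issuer ca.pem -cert "$cert" -no_nonce -reqout req.der >/dev/null
  openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key -no_nonce \
    -ndays 7 -reqin req.der -respout resp.der >/dev/null 2>&1
  out=$(openssl ocsp -issuer ca.pem -cert "$cert" -no_nonce -respin resp.der \
    -CAfile ca.pem 2>&1 || true)
  # Trust the status only when the response signature verified against our CA.
  case $out in
    *"Response verify OK"*) printf '%s\n' "$out" | awk -v c="$cert" '$1 == (c ":") { print $2 }' ;;
    *) echo "verify-failed" ;;
  esac
}

make_demo_pki
for c in good.pem revoked.pem; do
  printf '%s -> %s\n' "$c" "$(ocsp_status "$c")"
done
# The same detail the answer's -text output shows, for the revoked certificate.
openssl ocsp -respin resp.der -text -noverify | grep -E 'Cert Status|Revocation'
```

Against a real CA the second command is replaced by sending req.der to the URL from `openssl x509 -ocsp_uri`, and -CAfile points at the CA's chain rather than a self-made root.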

Author: sridhar pandurangiah

Updated on September 18, 2022

Comments

  • sridhar pandurangiah
    sridhar pandurangiah almost 2 years

    The recent discovery of the heartbleed vulnerability has prompted certificate authorities to re-issue certificates.

    I have two certificates that were generated before the heartbleed vulnerability was discovered. After the SSL issuer told me to regenerate the certificate I have updated both my servers/domains with the new certificates.

    If my understanding is correct then the old certificates should have been revoked by the CA and should have made it to the CRL (Certificate Revocation List) or the OCSP database (Online Certificate Status Protocol); otherwise it is technically possible for someone to perform a "man in the middle attack" by regenerating the certificates from information picked up from compromised certificates.

    Is there a way to check if my old certificates have made it to CRL and OCSP? If they haven't, is there a way to get them included?

    UPDATE: The situation is that I have already replaced my certificates; all I have is the .crt files of the old certificates, so using the URL to check is not really possible.

    • MichelZ
      MichelZ about 10 years
      You can check using certutil I believe. Have a read here
    • sridhar pandurangiah
      sridhar pandurangiah about 10 years
      I use Ubuntu as my desktop and Centos on my server
    • MichelZ
      MichelZ about 10 years
      Then I encourage you to tag your question as such
    • MichelZ
      MichelZ about 10 years
      I recommend a read of this for *nix
    • sridhar pandurangiah
      sridhar pandurangiah about 10 years
      @MichelZ - I have tagged the question with Ubuntu
    • sridhar pandurangiah
      sridhar pandurangiah about 10 years
      SF doesn't allow more than 5 tags. So the Ubuntu tag wasn't saved. Didn't notice when I posted the previous comment.
    • anish
      anish almost 6 years
      Online check 8gwifi.org/ocsp.jsp
  • dotancohen
    dotancohen about 10 years
    To install certutil on Ubuntu server use the command sudo apt-get install libnss3-tools. This is not obvious as searching the apt-get cache returns no results for the string certutil. I know that the OP's server is CentOS, but it is possible that other Ubuntu Server admins will find this question helpful as well.
  • MichelZ
    MichelZ about 10 years
    My answer was purely Windows based. I don't know of any *nix implementation of this. See here for a possible *nix solution
  • sridhar pandurangiah
    sridhar pandurangiah about 10 years
    This requires that the server runs with the old certificate. But having regenerated my certificates all I have is the .crt file of the old certificate.
  • Dan Getz
    Dan Getz over 8 years
    @dotancohen While that program is also called certutil, it's not the same program as certutil.exe on Windows, and is not used in the same way.
  • sdek
    sdek about 7 years
    This worked for me (thanks), but I thought I would also mention that in addition to the Revocation Time, my output displayed a Revocation Reason as well, which was helpful when we contacted the issuer trying to figure out what the heck was going on with the cert.
  • reinierpost
    reinierpost over 2 years
    This almost works for me (openssl 1.1.1 on Ubuntu 18.04); I need to replace the space after HOST with an equals sign (=). (The hostname that follows is different, too.)