At the moment there are two known methods of checking the revocation status of an SSL certificate, that is, of checking whether or not the certificate has been revoked by the Certificate Authority.
Those methods are the following:
- OCSP (Online Certificate Status Protocol)
- CRL (Certificate Revocation List)
The following items are required in order to initiate an OCSP check:
- End-entity SSL certificate (issued to a domain or subdomain)
- Intermediate certificate that signs the end-entity certificate
- URI of the Certificate Authority's OCSP server
URI of the OCSP server can be retrieved from the client’s certificate with the following command: openssl x509 -in cert.crt -noout -ocsp_uri
*where cert.crt is the end-entity certificate issued to your domain or subdomain
Alternatively, the URI can be retrieved by decoding the certificate online at https://decoder.link/result as shown on the screenshot below:
If the intermediate certificates are received as a single file (.ca-bundle), open this file in any text editor, extract the very first certificate from it (the one that directly signs the end-entity certificate) and save it as, for example, intermediate.crt.
Once done, a request to the OCSP server can be sent by running the following command:
openssl ocsp -no_nonce -issuer intermediate.crt -cert cert.crt -url [OCSP_URI] -VAfile intermediate.crt
*where cert.crt is the end-entity certificate issued to your domain/subdomain and intermediate.crt is the first intermediate certificate mentioned above
Example: openssl ocsp -no_nonce -issuer COMODORSADomainValidationSecureServerCA.crt -cert cert.crt -url http://ocsp.comodoca.com/ -VAfile COMODORSADomainValidationSecureServerCA.crt
In the example above, a request is sent to the OCSP server in order to check whether the certificate cert.crt is revoked or not. The returned response contains “good”, which means that the certificate is not revoked.
Once the certificate is revoked, the returned response contains “revoked” as on the screenshot below.
The CRL method relies on a special list of revoked certificates maintained by the Certificate Authority. To be more specific, the serial number of the revoked end-entity certificate is added by the Certificate Authority to the Certificate Revocation List (CRL).
The following items are required in order to initiate a CRL check:
- Serial number of the end-entity certificate
- Downloaded certificate revocation list (CRL)
The URL of the CRL is encoded in end-entity certificates. In order to retrieve the URL, the following command can be used: openssl x509 -in cert.crt -noout -text | grep crl
Alternatively, the URL can be retrieved by decoding the certificate online at https://decoder.link/result.
Once you have the URL, download the CRL by running the command as shown below: wget [URL of CRL]
Then, the serial number of the end-entity certificate needs to be retrieved by executing the following command: openssl x509 -in cert.crt -noout -serial
As soon as the serial number is retrieved, it will be possible to check whether or not the certificate is added to the CRL. To perform the check, run the following command:
openssl crl -inform DER -text -in [name of downloaded CRL] | grep [serial number of client's certificate you would like to check]
Example: openssl crl -inform DER -text -in COMODORSADomainValidationSecureServerCA.crl | grep B1B9D6CF7E84F8E11AA7710D48818DD7
If there is no output, the certificate is not in the CRL. If the output looks like the screenshot below, the certificate has been added to the CRL:
To sum up, both OCSP and CRL methods have advantages and disadvantages.
The advantage of the OCSP method is that the revocation status is reflected within 10 minutes, while with the CRL method it may take 2-3 days for the Certificate Authority to update the CRL. Therefore, with the CRL method, a certificate that has just been revoked will not appear in the certificate revocation list right away.
The advantage of the CRL method is that this technology is in use by the majority of applications, while OCSP is not implemented in a great number of browsers and other clients; also, even where OCSP is implemented, it might be turned off by default.