Check SSL Certificate Revocation – How to Verify

crlheartbleedlinuxocspssl

The recent discovery of the heartbleed vulnerability has prompted certificate authorities to re-issue certificates.

I have two certificates that were generated before the heartbleed vulnerability was discovered. After the SSL issuer told me to regenerate the certificate I have updated both my servers/domains with the new certificates.

If my understanding is correct then the old certificates should have been revoked by the CA and should have made it to the CRL (Certificate revocation List) or the OCSP database (Online Certificate Status Protocol) otherwise it is technically possible for someone to perform a "man in the middle attack" by regenerating the certificates from information picked up from compromised certificates.

Is there a way to check if my old certificates have made it to CRL and OCSP. If they haven't is there a way to get them included?

UPDATE : The situation is that I have already replaced my certificates all I have is the .crt files of the old certificates so using the url to check is not really possible.

Best Answer

Get the ocsp url from your cert:

$ openssl x509 -noout -ocsp_uri -in /etc/letsencrypt/archive/31337.it/cert1.pem
http://ocsp.int-x1.letsencrypt.org/
$

Send a request to the ocsp server to check if the cert is revoked or not:

$ openssl ocsp -issuer /etc/letsencrypt/archive/31337.it/chain4.pem -cert /etc/letsencrypt/archive/31337.it/cert4.pem -text -url http://ocsp.int-x1.letsencrypt.org/ -header "HOST" "ocsp.int-x1.letsencrypt.org"
...
        This Update: Oct 29 10:00:00 2015 GMT
        Next Update: Nov  5 10:00:00 2015 GMT
$

this is a good cert.

This is a revoked cert:

$  openssl ocsp -issuer /etc/letsencrypt/archive/31337.it/chain3.pem -cert /etc/letsencrypt/archive/31337.it/cert3.pem -text -url http://ocsp.int-x1.letsencrypt.org/ -header "HOST" "ocsp.int-x1.letsencrypt.org"
...
        This Update: Oct 29 12:00:00 2015 GMT
        Next Update: Nov  5 12:00:00 2015 GMT
        Revocation Time: Oct 29 12:33:57 2015 GMT
$

Related Solutions

Windows – Diagnosing Certificate Revocation Check Failure

The certutil.exe has a relatively new option, called -downloadocsp which you can use to verify the OCSP responses.

In a command prompt, create two folders, called certs and results.
Place your Exchange server certificates in the certs folder. If your using OCSP to check the CA certificate too, place a copy of the CA certificate in that folder.
Run certutil -downloadocsp certs results downloadonce. This will create a .ocsp file within results for each response.
Finally, run certutil results\????.ocsp to view each response as plaintext.

The above is from Mark Cooper's brilliant website.

OCSP – How Does OCSP Handle Deleted Certificates?

Will the Microsoft OCSP Responder validate the serial number against the CA database as well as its revocation status?

by default, Microsoft OCSP will report such serial number as "Good". Starting with Windows Server 2008 R2, a deterministic OCSP response functionality is added to Microsoft OCSP. In short, CA publish all serial numbers of ever issued certificates and OCSP is configured to look into this directory as well. New behavior does the following:

if serial number does not exist in the folder, OCSP responds with UNKNOWN status. This means that requested serial number was never issued by CA
if serial number exist in the folder, a CRL is checked
if serial is listed in CRL, respond with REVOKED status and respond with GOOD otherwise.

More details on Microsoft KB: The Online Responder service does not return a deterministic GOOD for all certificates not included in the CRL

The KB contains a script which dumps all serial numbers of issued certificates into configured folder. However the script is a bit flawed. It exports only serials that exist in CA database at script execution time. CA database is maintained and old entries are deleted to prevent CA database overgrow. This will lead to false-positive UNKNOWN status on deleted certs although the cert was issued and exist somewhere in the wild. I prefer to keep everything issued regardless of CA maintenance and respond with GOOD even if cert was deleted from CA. To address this flaw, I would recommend to remove these lines from the script:

dir | foreach {
    remove-item $_ -force
}

this will keep serial numbers that no longer exist on CA between script runs.

Best Answer

Related Solutions

Windows – Diagnosing Certificate Revocation Check Failure

OCSP – How Does OCSP Handle Deleted Certificates?

Related Topic