[openssl-users] Question RE certificate chain verification
Walter H.
walter.h at mathemainzel.info
Thu Feb 23 06:09:10 UTC 2017
On Tue, February 21, 2017 12:16, Jakob Curdes wrote:
> Hi, I am new to the list and have a question where it seems I cannot find
> the answer in archives here or in other sources.
>
> We want to verify the certificate chain of an "official" certificate, but
> including the revocation status of the intermediate certs, via CRL or
> OCSP.
> (The chain verification itself is easy and solved, our problems lie just
> with getting the revocation status of an arbitrary certificate).
>
> It seems to turn out that a) this is seldom done completely (otherwise I
> think there would be more "working recipes") and it is not easy to do it
> in a generic way as we keep getting various errors at different steps.
>
> Wtihout making it too long, we want to do the following:
> a) retrieve and save certificate from server via URL
> b)retrieve and save certificate chain from server
> c) determine OCSP URL or CRL list URL
> d1) verify cert against OCSP source OR
> d2) download CRL; then verify cert against CRL
>
> Up to c), everything is straightforward. We use openssl 1.0.1e-60.el7 from
> current CentOS 7.
try this:
CAFILE=/etc/pki/certs/ca-bundle.trust.crt
CERT=/tmp/cert.crt <-- cert to validate
ISSUER=/tmp/issuer.crt <-- issuing ca cert
OCSPURL=$(openssl x509 -in $CERT -noout -ocsp_uri)
OCSPHOST=$(echo "$OCSPURL" |gawk --field-separator=\/ '{ print $3 }' -)
OCSPRESULT=$(openssl ocsp -CAfile $CAFILE -no_nonce -noverify -issuer
$ISSUER -cert $CERT -url "$OCSPURL" -header Host $OCSPHOST |grep "$CERT")
More information about the openssl-users
mailing list