Online Certificate Status Protocol (OCSP)
by Anish
Posted on Sunday August 12, 2018
Introduction
This sample chapter extracted from the book, The Modern Cryptograhy CookBook . The Book theme isCryptography is for EveryOne. Learn from Crypto Principle to Applied Cryptography With Practical Example
Get this book on Just $9 by availing coupon discount
In the previous article we have cover the PKI in Nutshell
OCSP stands for the Online Certificate Status Protocol and is one way to validate a certificate status. It is an alternative to the CRL, certificate revocation list.
The OCSP precess is very simple:
- Client receives the certificate
- Client sends OCSP request to the OCSP server and it query by the serial number of the certificate
- OCSP response with a certificate status Good, Revoked or Unknown
Working Demo
-
Get the certificate you want to verify for example 8gwifi.org
openssl s_client -servername 8gwifi.org -connect 8gwifi.org:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > 8gwifi.pem -
Build the certificate chain
openssl s_client -servername 8gwifi.org -connect 8gwifi.com:443 -showcerts 2>&1 < /dev/null > cacert.pem
edit the file cacert.pem and add necessary chain certificate, remove any unwanted lines
-
Determine the ocsp URI
openssl x509 -noout -ocsp_uri -in 8gwifi.pem http://ocsp.int-x3.letsencrypt.org -
Invoke the openssl ocsp client
openssl ocsp -no_nonce -issuer cacert.pem -cert 8gwifi.pem -VAfile cacert.pem -text -url http://ocsp.int-x3.letsencrypt.org/ -header Host=ocsp.int-x3.letsencrypt.org -respout ocsptest
The OCSP Response
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
Serial Number: 03FF3497BFA5D45C36C511809F9FD5F28C20
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Produced At: Aug 6 08:59:00 2018 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
Serial Number: 03FF3497BFA5D45C36C511809F9FD5F28C20
Cert Status: good
This Update: Aug 6 08:00:00 2018 GMT
Next Update: Aug 13 08:00:00 2018 GMT
Signature Algorithm: sha256WithRSAEncryption
39:3d:96:78:44:9f:03:29:bc:83:35:32:1a:d7:6d:05:f9:59:
63:9e:52:6f:06:8e:9f:74:d1:f9:aa:18:2b:e2:13:61:5a:d1:
ad:7a:67:9e:2b:a1:12:83:92:92:f3:c0:dc:4b:2a:ee:96:85:
f0:5b:39:30:2f:17:ed:20:a3:ae:de:c1:41:e1:26:8d:70:c5:
fe:79:9c:37:7b:b7:75:93:61:f7:5f:8b:7f:6f:99:7a:5a:19:
a4:e7:4b:41:ad:e5:92:71:44:11:75:67:68:0d:0c:b6:be:ef:
70:a0:a7:c6:fa:6e:06:08:5a:7c:2e:f0:41:7a:55:a3:21:74:
89:2c:e5:f9:ab:58:5c:97:1d:89:a8:65:a3:be:f7:0a:e5:5c:
4f:a9:61:f2:04:d5:f2:18:6b:74:e7:b5:c8:12:db:9c:70:89:
e7:c6:e3:43:70:18:41:d6:4b:a9:15:94:13:4b:00:75:d2:2a:
fe:fb:e4:a8:cf:e5:aa:56:d6:e1:91:55:06:d1:33:43:d9:4b:
82:a6:bc:10:a1:42:d0:e2:49:fe:18:08:44:d4:a7:4f:b6:3f:
00:95:72:11:d7:e3:14:eb:6b:51:7a:e7:c1:40:42:2e:da:c4:
be:1a:ce:8c:48:f2:03:ed:c0:93:19:c9:26:93:1e:f0:d2:56:
bc:70:39:db
Response verify OK
8gwifi.pem: good
This Update: Aug 6 08:00:00 2018 GMT
Next Update: Aug 13 08:00:00 2018 GMT
Thanku for reading !!! Give a Share for Support
Asking for donation sound bad to me, so i'm raising fund from by offering all my Nine book for just $9
Applied Cryptography Topics
Web Crypto API Topics
Ansible Related Topics
Kubernetes Related Topics
Openstack Articles
Linux Related Topics
python Cryptography Topics
PHP Cryptography Topics
Topics
For Coffee/ Beer/ Amazon Bill and further development of the project Support by Purchasing, The Modern Cryptography CookBook for Just $9 Coupon Price
Kubernetes for DevOps
Hello Dockerfile