Online Certificate Status Protocol (OCSP)

by Anish

Posted on Sunday August 12, 2018


Introduction

This sample chapter is extracted from the book The Modern Cryptography CookBook. The book's theme is Cryptography is for Everyone: learn from crypto principles to applied cryptography with practical examples.

Get this book for just $9 by using the coupon discount


In the previous article we covered PKI in a nutshell.

OCSP stands for the Online Certificate Status Protocol and is one way to check whether a certificate has been revoked. It is an alternative to the certificate revocation list (CRL).

The OCSP process is very simple:

  1. The client receives the certificate
  2. The client sends an OCSP request to the OCSP responder, querying by the serial number of the certificate (together with a hash of the issuer's name and key)
  3. The OCSP responder replies with a signed certificate status: Good, Revoked or Unknown

Working Demo

  • Get the certificate you want to verify, for example the one served by 8gwifi.org

      openssl s_client -servername 8gwifi.org -connect 8gwifi.org:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > 8gwifi.pem
    
  • Build the certificate chain

      openssl s_client -servername 8gwifi.org -connect 8gwifi.org:443 -showcerts 2>&1 < /dev/null > cacert.pem
    

Edit cacert.pem so that it contains only the issuer (intermediate) certificate(s) of the chain, and strip any lines outside the BEGIN/END CERTIFICATE markers. The server sends the leaf certificate first, and -issuer reads the first certificate in the file, so the leaf must not be left at the top.

  • Determine the OCSP URI from the certificate's Authority Information Access extension

      openssl x509 -noout -ocsp_uri -in 8gwifi.pem
      http://ocsp.int-x3.letsencrypt.org
    
  • Invoke the openssl ocsp client, trusting the issuer certificate as the response signer (-VAfile) and saving the raw response (-respout)

      openssl ocsp -no_nonce -issuer cacert.pem -cert 8gwifi.pem  -VAfile cacert.pem -text -url http://ocsp.int-x3.letsencrypt.org/ -header Host=ocsp.int-x3.letsencrypt.org -respout ocsptest
    

The OCSP Response

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List: 
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
          Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
          Serial Number: 03FF3497BFA5D45C36C511809F9FD5F28C20
OCSP Response Data: 
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Aug  6 08:59:00 2018 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 03FF3497BFA5D45C36C511809F9FD5F28C20
     
    Cert Status: good
    This Update: Aug  6 08:00:00 2018 GMT
    Next Update: Aug 13 08:00:00 2018 GMT

    Signature Algorithm: sha256WithRSAEncryption
         39:3d:96:78:44:9f:03:29:bc:83:35:32:1a:d7:6d:05:f9:59:
         63:9e:52:6f:06:8e:9f:74:d1:f9:aa:18:2b:e2:13:61:5a:d1:
         ad:7a:67:9e:2b:a1:12:83:92:92:f3:c0:dc:4b:2a:ee:96:85:
         f0:5b:39:30:2f:17:ed:20:a3:ae:de:c1:41:e1:26:8d:70:c5:
         fe:79:9c:37:7b:b7:75:93:61:f7:5f:8b:7f:6f:99:7a:5a:19:
         a4:e7:4b:41:ad:e5:92:71:44:11:75:67:68:0d:0c:b6:be:ef:
         70:a0:a7:c6:fa:6e:06:08:5a:7c:2e:f0:41:7a:55:a3:21:74:
         89:2c:e5:f9:ab:58:5c:97:1d:89:a8:65:a3:be:f7:0a:e5:5c:
         4f:a9:61:f2:04:d5:f2:18:6b:74:e7:b5:c8:12:db:9c:70:89:
         e7:c6:e3:43:70:18:41:d6:4b:a9:15:94:13:4b:00:75:d2:2a:
         fe:fb:e4:a8:cf:e5:aa:56:d6:e1:91:55:06:d1:33:43:d9:4b:
         82:a6:bc:10:a1:42:d0:e2:49:fe:18:08:44:d4:a7:4f:b6:3f:
         00:95:72:11:d7:e3:14:eb:6b:51:7a:e7:c1:40:42:2e:da:c4:
         be:1a:ce:8c:48:f2:03:ed:c0:93:19:c9:26:93:1e:f0:d2:56:
         bc:70:39:db
 Response verify OK
8gwifi.pem: good
    This Update: Aug  6 08:00:00 2018 GMT 
    Next Update: Aug 13 08:00:00 2018 GMT
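The three-step process and the demo above both depend on a live responder. The script below is an added example, not code from the article, that runs the same round trip entirely offline: it creates a throw-away CA and leaf certificate, lets openssl ocsp act as the responder from a hand-written CA index file, and then verifies the answer the way the client step above does. The CA name, the leaf subject demo.example, the serial 0x1001 and the index entries are all constructed for the demo. It goes slightly beyond the article by covering all three statuses the process list names (good, revoked, unknown), and it shows that the client only reports a status after the responder's signature has verified against the CA.

```shell
#!/bin/sh
# Added example (not from the article): an offline OCSP round trip with the
# openssl CLI. A throw-away CA answers for its own certificates, so the
# request, the signed response and the client-side check can all be seen
# without talking to a public responder. All names and serials are constructed.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed PKI: a self-signed CA and one leaf certificate issued by it.
setup_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -subj "/CN=Demo OCSP CA" -days 3650 >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=demo.example" >/dev/null 2>&1
    # Fixed serial (0x1001) so the index entries below can refer to it.
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 0x1001 \
        -days 365 -out leaf.pem >/dev/null 2>&1
}

# Write the CA database the responder consults: one tab-separated line per
# certificate with status (V = valid, R = revoked), expiry, revocation date
# plus optional reason, serial (hex), file name and subject. This is the
# index.txt format that "openssl ca" maintains.
write_index() {
    case "$1" in
        good)    printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=demo.example\n' ;;
        revoked) printf 'R\t300101000000Z\t240101000000Z,keyCompromise\t1001\tunknown\t/CN=demo.example\n' ;;
        # No entry for serial 1001 at all: the responder has never heard of it.
        unknown) printf 'V\t300101000000Z\t\t2002\tunknown\t/CN=other.example\n' ;;
        *) echo "unknown scenario: $1" >&2; return 1 ;;
    esac > index.txt
}

# Client builds the request, the responder answers from the index and signs
# with the CA key, the client verifies the signature and prints the status
# word for leaf.pem (good, revoked, unknown or verify-failed).
ocsp_status() {
    # Step 2: the client's request, keyed by issuer hashes and serial number.
    openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der >/dev/null 2>&1
    # Step 3: the responder looks the serial up in index.txt and signs its answer.
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -reqin req.der -respout resp.der -noverify >/dev/null 2>&1
    # Client side: verify the response signature against the CA, then read
    # the status. -CAfile names the trust anchor; the article's -VAfile
    # instead trusts the named certificate directly as the response signer.
    out="$(openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -respin resp.der \
        -CAfile ca.pem 2>&1 || true)"
    if ! printf '%s\n' "$out" | grep -q '^Response verify OK'; then
        echo "verify-failed"
        return 0
    fi
    printf '%s\n' "$out" | sed -n 's/^leaf\.pem: //p'
}

# Stand-alone run: show all three statuses the protocol can return.
demo() {
    setup_pki
    for scenario in good revoked unknown; do
        write_index "$scenario"
        printf '%-8s -> %s\n' "$scenario" "$(ocsp_status)"
    done
}

demo
```

Run it as a script and each scenario prints its status on one line. The revoked entry carries a revocation date and reason in the index, which the responder copies into the single response; the unknown answer comes from a serial the responder has no record of, which is also what you get when a request reaches the wrong responder or the issuer hash in the request does not match the responder's CA. Note that a status is only trusted once "Response verify OK" has been seen: an unsigned or wrongly signed response is reported as verify-failed, never as good.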

Thank you for reading! Give a share for support.

Asking for donations sounds bad to me, so I'm raising funds by offering all my nine books for just $9.


