Because of a recent vulnerability at ZeroSSL, some vendors have been using it to sell certificates. This document was written to make it easy to check whether such a certificate has been revoked.
Steps
A valid certificate
[root@lolicp ~]# openssl ocsp -issuer ca_bundle.crt -VAfile ca_bundle.crt -cert certificate.crt -header "Host" "zerossl.ocsp.sectigo.com" -url http://zerossl.ocsp.sectigo.com -no_nonce
Response verify OK
certificate.crt: good
This Update: Jun 5 00:16:16 2024 GMT
Next Update: Jun 12 00:16:15 2024 GMT
A revoked certificate
[root@lolicp ~]# openssl ocsp -issuer ca_bundle.crt -VAfile ca_bundle.crt -cert certificate.crt -header "Host" "zerossl.ocsp.sectigo.com" -url http://zerossl.ocsp.sectigo.com -no_nonce
Response verify OK
certificate.crt: revoked
This Update: Jun 4 17:05:18 2024 GMT
Next Update: Jun 11 17:05:17 2024 GMT
Revocation Time: May 29 10:47:03 2024 GMT
Querying by serial number
[root@lolicp ~]# openssl ocsp -issuer ca_bundle.crt -VAfile ca_bundle.crt -serial "0x5218368E57A7EE08C9364668ECDF5C2F" -header "Host" "zerossl.ocsp.sectigo.com" -url http://zerossl.ocsp.sectigo.com -no_nonce
Response verify OK
0x5218368E57A7EE08C9364668ECDF5C2F: good
This Update: Jun 5 00:16:16 2024 GMT
Next Update: Jun 12 00:16:15 2024 GMT
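The three sessions above, scripted as an added example (not from the original post): it reads the OCSP responder URL from the certificate's own AIA extension instead of hard-coding the Sectigo host, and reduces the response to one word plus an exit code. It assumes OpenSSL 1.1.0 or later, where -header takes name=value rather than the two-argument form shown above; the file names certificate.crt and ca_bundle.crt are the post's own.

```shell
#!/bin/sh
# Added example, not from the original post: scripts the manual openssl ocsp
# check above. Assumes OpenSSL >= 1.1.0, where -header takes "name=value"
# (the 1.0.x build in the post takes "-header name value" instead).

# OCSP responder URL from the certificate's Authority Information Access extension.
ocsp_url_of() {
    openssl x509 -noout -ocsp_uri -in "$1" | head -n 1
}

# Host part of a URL, e.g. http://zerossl.ocsp.sectigo.com/ -> zerossl.ocsp.sectigo.com
host_of_url() {
    h="${1#*://}"; h="${h%%/*}"; printf '%s\n' "${h%%:*}"
}

# Reduce raw "openssl ocsp" output ($1) for subject $2 (file name or serial, as it
# appears before the colon) to one word. Return: 0 good, 1 revoked, 2 otherwise.
# A response whose signature did not verify is "error" even if it says "good".
ocsp_status_of() {
    case "$1" in
        *"Response verify OK"*) ;;
        *) printf 'error\n'; return 2 ;;
    esac
    case "$1" in
        *"$2: good"*)    printf 'good\n';    return 0 ;;
        *"$2: revoked"*) printf 'revoked\n'; return 1 ;;
        *)               printf 'unknown\n'; return 2 ;;
    esac
}

# check_revocation certificate.crt ca_bundle.crt  -> prints status, exit code as above
check_revocation() {
    url=$(ocsp_url_of "$1") && [ -n "$url" ] || { printf 'error\n'; return 2; }
    out=$(openssl ocsp -issuer "$2" -VAfile "$2" -cert "$1" \
          -header "Host=$(host_of_url "$url")" -url "$url" -no_nonce 2>&1)
    ocsp_status_of "$out" "$1"
}

# Constructed sample outputs (copied from the sessions above) for offline testing.
SAMPLE_GOOD='Response verify OK
certificate.crt: good
This Update: Jun 5 00:16:16 2024 GMT'
SAMPLE_REVOKED='Response verify OK
certificate.crt: revoked
Revocation Time: May 29 10:47:03 2024 GMT'

if [ "$#" -eq 2 ]; then check_revocation "$1" "$2"; fi
```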
References:
https://community.letsencrypt.org/t/ocsp-requests-via-openssl-not-working/37798
https://community.letsencrypt.org/t/fetching-standalone-ocsp-result-does-not-work/46566/2
https://www.ssl247.com/knowledge-base/detail/internal-openssl-manually-verify-a-certificate-against-an-ocsp-server/ka01n000000odi4qai/
Online revocation check: https://myssl.com/ocsp_check.html