
How to send an OCSP request with OpenSSL to query a certificate's revocation status

  The Online Certificate Status Protocol (OCSP) is one of the two common mechanisms for checking whether a certificate has been revoked (the other is the certificate revocation list). After a server has presented its certificate, the client sends an OCSP request for that certificate to the CA's OCSP responder. The responder answers with a signed response whose status is "good", "revoked" or "unknown", and the client verifies the signature before trusting the answer.

  This article shows how to send an OCSP request with OpenSSL and read the revocation status from the answer. Before sending the request, prepare the following:

  1. OpenSSL must be installed; if you do not have it yet, download it (the page's download link was for OpenSSL win64 v1.1.0f).

  2. The certificate to be checked and the intermediate certificate that issued it, both in PEM format;

  The certificate in PEM format, saved as cert.pem:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

  The corresponding intermediate certificate in PEM format (Let's Encrypt Authority X3, the issuer of cert.pem), saved as issuer.pem:

-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----

  3. The certificate's OCSP responder address. It is carried in the certificate's Authority Information Access (AIA) extension, as shown in the figure below.

[Figure: the certificate's OCSP address]

  With these three items ready you can send the request. Enter the following at the command prompt:

openssl ocsp -issuer issuer.pem -cert cert.pem -text -url http://ocsp.int-x3.letsencrypt.org

  In the command above, cert.pem is the certificate, issuer.pem is the intermediate certificate, and the URL at the end is the certificate's OCSP responder address. Note that -issuer must come before -cert: OpenSSL needs the issuer at the moment -cert is processed in order to compute the certificate ID (issuer name hash, issuer key hash and serial number) that goes into the request. The command uses relative paths; absolute paths such as c:\DirName\CertName.pem work too.

  The response looks like this:

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
          Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
          Serial Number: 03746B1CF403B5CA92DDCF0B006265CE2DCE
    Request Extensions:
        OCSP Nonce:
            0410CB5E94B98D34D814BDAF368B4E9B3D09
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Jan 15 16:40:00 2019 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 03746B1CF403B5CA92DDCF0B006265CE2DCE
    Cert Status: revoked
    Revocation Time: Jan 15 16:28:55 2019 GMT
    This Update: Jan 15 16:00:00 2019 GMT
    Next Update: Jan 22 16:00:00 2019 GMT

    Signature Algorithm: sha256WithRSAEncryption
         93:eb:d5:8a:92:44:00:56:b9:3c:b6:d6:2e:cc:f8:4a:e1:59:
         70:9c:a8:5b:f8:ec:54:6d:f9:33:99:10:f5:86:60:6e:88:0e:
         cc:31:6a:31:96:40:89:20:cb:cf:f7:35:5a:25:c0:b2:80:5e:
         ef:15:b4:66:bd:8f:57:58:a8:8f:77:c6:f7:5f:a6:6f:44:66:
         66:df:8d:f4:8f:75:f0:66:d9:7c:56:73:e7:30:ea:95:67:b6:
         e1:99:07:34:20:c4:4d:46:ac:16:a3:7e:a2:f7:17:d7:7b:d8:
         02:ae:6a:bf:77:ae:0b:41:e7:f2:54:ad:66:77:bd:0c:a3:3c:
         2f:bd:62:1a:7d:42:8b:39:9f:3e:1c:b6:be:c8:9a:b6:cc:2b:
         20:45:6d:5c:eb:09:9c:2a:d0:f7:d8:f7:f1:49:d2:1a:c4:5c:
         8b:c3:8f:1e:8a:a4:eb:1c:44:77:17:74:0a:75:b3:45:17:e5:
         ab:fe:57:26:35:58:cd:95:03:93:f6:78:93:98:cc:29:27:ae:
         9b:23:33:cf:ea:59:f7:30:6f:d9:8f:ef:ae:fc:57:09:68:68:
         32:69:fe:a0:20:54:b0:15:26:1f:ab:a0:42:93:92:0d:ce:ea:
         cc:ae:f7:b8:b2:57:c1:ab:38:61:dd:f7:22:09:47:fd:70:7a:
         ce:03:6f:2c
WARNING: no nonce in response
Response verify OK
e:\cert.pem: revoked
        This Update: Jan 15 16:00:00 2019 GMT
        Next Update: Jan 22 16:00:00 2019 GMT
        Revocation Time: Jan 15 16:28:55 2019 GMT

  The response shows that this certificate has been revoked ("Cert Status: revoked", together with the revocation time). Two other lines are worth reading. "Response verify OK" means OpenSSL verified the response signature: here the response is signed by the issuing CA itself (see "Responder Id"), whose certificate was supplied with -issuer; if a CA signs with a separate responder certificate, supply the trust anchors with -CAfile or the trusted responder certificate with -VAfile. "WARNING: no nonce in response" means the request carried a random nonce (shown under "Request Extensions") but the responder did not echo it back; many high-volume responders serve pre-signed responses and ignore nonces, so this warning is expected, and only "Nonce Verification error" indicates a failure. Add -no_nonce to the command if you do not want a nonce in the request at all.

  If you want shorter output, drop the -text option:

openssl ocsp -issuer issuer.pem -cert cert.pem -url http://ocsp.int-x3.letsencrypt.org

  The output is then:

WARNING: no nonce in response
Response verify OK
e:\cert.pem: revoked
        This Update: Jan 15 16:00:00 2019 GMT
        Next Update: Jan 22 16:00:00 2019 GMT
        Revocation Time: Jan 15 16:28:55 2019 GMT
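The script below is an added example, not part of the original article: it reproduces the exchange that `openssl ocsp -url` performs over HTTP, but entirely offline, so that both sides of the protocol can be inspected. It builds a throwaway CA with `openssl ca`, issues two leaf certificates, revokes one, and then uses the same `openssl ocsp` tool three times: once as the client to build the request, once as the responder (`-index`/`-rsigner`) to answer from the CA database, and once as the client again to verify the signature and nonce and read the status. The CA name, the leaf names revoked.example.test and good.example.test, and the responder URL http://ocsp.example.test/ are constructed for the demo; it assumes a POSIX shell and OpenSSL 1.1 or newer on the PATH.

```shell
#!/bin/sh
# Added example (not from the original article): the exchange that
# `openssl ocsp -url ...` performs over HTTP, run entirely offline against a
# throwaway CA so that both sides of the protocol can be inspected.
# The CA name, the leaf names and the responder URL are constructed for
# this demo; OpenSSL 1.1 or newer must be on the PATH.
set -eu

WORK=$(mktemp -d)
cd "$WORK"
mkdir newcerts
touch index.txt
echo 01 > serial

# Minimal config for `openssl req` and `openssl ca`. The index.txt that
# `openssl ca` maintains is the database `openssl ocsp -index` consults
# when it acts as the responder.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign,digitalSignature

[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir             = .
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/ca.pem
private_key     = $dir/ca.key
default_md      = sha256
default_days    = 30
policy          = policy_any
x509_extensions = leaf_ext
unique_subject  = no
[ policy_any ]
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
# AIA is where a client finds the responder URL (item 3 in the article).
authorityInfoAccess = OCSP;URI:http://ocsp.example.test/
EOF

# Throwaway CA and two leaf certificates; one of them is then revoked.
openssl req -x509 -new -config ca.cnf -extensions ca_ext -newkey rsa:2048 \
    -nodes -days 30 -subj "/CN=Example Test CA" -keyout ca.key -out ca.pem \
    2>/dev/null
for name in revoked good; do
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=$name.example.test" -keyout "$name.key" -out "$name.csr" \
        2>/dev/null
    openssl ca -config ca.cnf -batch -notext -in "$name.csr" -out "$name.pem" \
        >/dev/null 2>&1
done
openssl ca -config ca.cnf -revoke revoked.pem -crl_reason keyCompromise \
    >/dev/null 2>&1

# Prints the responder URL(s) from a certificate's AIA extension.
ocsp_uri() {
    openssl x509 -noout -ocsp_uri -in "$1"
}

# One complete exchange for leaf certificate $1; prints its status.
ocsp_status() {
    leaf=$1
    # Client: build the request (with a random nonce). With -url this DER
    # is what gets POSTed to the responder.
    openssl ocsp -issuer ca.pem -cert "$leaf" -reqout "$leaf.req" >/dev/null
    # Responder: look the serial up in index.txt, sign the answer with the
    # CA key, and copy the request nonce into the response.
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -rmd sha256 -reqin "$leaf.req" -respout "$leaf.resp" >/dev/null
    # Client: verify the signature against the trusted CA and the nonce
    # against the saved request, then read the status from the text dump.
    out=$(openssl ocsp -reqin "$leaf.req" -respin "$leaf.resp" -CAfile ca.pem \
        -resp_text 2>&1)
    case $out in
        *"Response verify OK"*) ;;
        *) echo "verify-failed"; return 1 ;;
    esac
    printf '%s\n' "$out" | sed -n 's/^ *Cert Status: //p'
}

echo "responder URL in the leaf AIA: $(ocsp_uri good.pem)"
echo "index.txt rows the responder consults:"
cat index.txt
for name in revoked good; do
    echo "$name.pem: $(ocsp_status "$name.pem")"
done
```

The `-resp_text` dump has the same layout as the `-text` output shown above, so the same "Cert Status" line is read from it. Unlike the Let's Encrypt run, the responder here copies the nonce back, so the client prints "Response verify OK" without the nonce warning. To see the nonce check fail, verify with a freshly built request instead of the saved one (replace `-reqin good.pem.req` with `-issuer ca.pem -cert good.pem`): OpenSSL then generates a new nonce that does not match the one in good.pem.resp and reports "Nonce Verification error".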
