Skip to main content Logo

Quis custodiet ipsos custodes?
Home | About | All pages | Cluster Status | RSS Feed

OpenSSL: Manually verify a certificate against a CRL

Published: 22-03-2015 | Author: Remy van Elst | Text only version of this article

❗ This post is over nine years old. It may no longer be up to date. Opinions may have changed.

This article shows you how to manually verfify a certificate against a CRL. CRL stands for Certificate Revocation List and is one way to validate a certificate status. It is an alternative to the OCSP, Online Certificate Status Protocol.

You can read more about CRL's on Wikipedia.

If you want to validate a certificate against an OCSP, see my article on that here.

Recently I removed all Google Ads from this site due to their invasive tracking, as well as Google Analytics. Please, if you found this content useful, consider a small donation using any of the options below:

I'm developing an open source monitoring app called Leaf Node Monitoring, for windows, linux & android. Go check it out!

Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.

You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $200 credit for 60 days. Spend $25 after your credit expires and I'll get $25!

We will be using OpenSSL in this article. I'm using the following version:

$ openssl version
OpenSSL 1.0.2 22 Jan 2015

Get a certificate with a CRL

First we will need a certificate from a website. I'll be using Wikipedia as an example here. We can retreive this with the following openssl command:

openssl s_client -connect 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p'

Save this output to a file, for example, wikipedia.pem:

openssl s_client -connect 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > wikipedia.pem

Now, check if this certificate has an CRL URI:

openssl x509 -noout -text -in wikipedia.pem | grep -A 4 'X509v3 CRL Distribution Points'
X509v3 CRL Distribution Points: 
    Full Name:

If it does not give any output, the certificate has no CRL URI. You cannot valdiate it against a CRL.

Download the CRL:

wget -O crl.der

The CRL will be in DER (binary) format. The OpenSSL command needs it in PEM (base64 encoded DER) format, so convert it:

openssl crl -inform DER -in crl.der -outform PEM -out crl.pem

Getting the certificate chain

It is required to have the certificate chain together with the certificate you want to validate. So, we need to get the certificate chain for our domain, Using the -showcerts option with openssl s_client, we can see all the certificates, including the chain:

openssl s_client -connect -showcerts 2>&1 < /dev/null

Results in a lot of output, but what we are interested in is the following:

 1 s:/C=US/O=DigiCert Inc/ High Assurance CA-3
   i:/C=US/O=DigiCert Inc/ High Assurance EV Root CA

As you can see, this is number 1. Number 0 is the certificate for Wikipedia, we already have that. If your site has more certificates in its chain, you will see more here. Save them all, in the order OpenSSL sends them (as in, first the one which directly issued your server certificate, then the one that issues that certificate and so on, with the root or most-root at the end of the file) to a file, named chain.pem.

You can use the following command to save all the certificates OpenSSL command returns to a file named chain.pem. See [this article for more information)[ - Get all certificates from a website in plain text.html).

OLDIFS=$IFS; IFS=':' certificates=$(openssl s_client -connect -showcerts -tlsextdebug -tls1 2>&1 </dev/null | sed -n '/-----BEGIN/,/-----END/ {/-----BEGIN/ s/^/:/; p}'); for certificate in ${certificates#:}; do echo $certificate | tee -a chain.pem ; done; IFS=$OLDIFS 

Combining the CRL and the Chain

The Openssl command needs both the certificate chain and the CRL, in PEM format concatenated together for the validation to work. You can omit the CRL, but then the CRL check will not work, it will just validate the certificate against the chain.

cat chain.pem crl.pem > crl_chain.pem

OpenSSL Verify

We now have all the data we need can validate the certificate.

$ openssl verify -crl_check -CAfile crl_chain.pem wikipedia.pem 
wikipedia.pem: OK

Above shows a good certificate status.

Revoked certificate

If you have a revoked certificate, you can also test it the same way as stated above. The response looks like this:

$ openssl verify -crl_check -CAfile crl_chain.pem revoked-test.pem 
revoked-test.pem: OU = Domain Control Validated, OU = PositiveSSL, CN =
error 23 at 0 depth lookup:certificate revoked

You can test this using the certificate and chain on the Verisign revoked certificate test page: .

Tags: articles , certificate , crl , ocsp , openssl , shell , ssl , tls