
OpenSSL: Manually verify a certificate against a CRL

Published: 22-03-2015 | Author: Remy van Elst




This article shows you how to manually verify a certificate against a CRL. CRL stands for Certificate Revocation List and is one way to validate a certificate status. It is an alternative to OCSP, the Online Certificate Status Protocol.

You can read more about CRLs on Wikipedia.

If you want to validate a certificate against an OCSP, see my article on that here.


We will be using OpenSSL in this article. I'm using the following version:

$ openssl version
OpenSSL 1.0.2 22 Jan 2015

Get a certificate with a CRL

First we will need a certificate from a website. I'll be using Wikipedia as an example here. We can retrieve this with the following openssl command:

openssl s_client -connect wikipedia.org:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p'

Save this output to a file, for example, wikipedia.pem:

openssl s_client -connect wikipedia.org:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > wikipedia.pem

Now, check if this certificate has a CRL URI:

openssl x509 -noout -text -in wikipedia.pem | grep -A 4 'X509v3 CRL Distribution Points'
X509v3 CRL Distribution Points:
    Full Name:
      URI:http://crl.globalsign.com/gs/gsorganizationvalsha2g2.crl

If it does not give any output, the certificate has no CRL URI. You cannot validate it against a CRL.

Download the CRL:

wget -O crl.der http://crl.globalsign.com/gs/gsorganizationvalsha2g2.crl

The CRL will be in DER (binary) format. The OpenSSL command needs it in PEM (base64 encoded DER) format, so convert it:

openssl crl -inform DER -in crl.der -outform PEM -out crl.pem

Getting the certificate chain

It is required to have the certificate chain together with the certificate you want to validate. So, we need to get the certificate chain for our domain, wikipedia.org. Using the -showcerts option with openssl s_client, we can see all the certificates, including the chain:

openssl s_client -connect wikipedia.org:443 -showcerts 2>&1 < /dev/null

Results in a lot of output, but what we are interested in is the following:

 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

As you can see, this is number 1. Number 0 is the certificate for Wikipedia, we already have that. If your site has more certificates in its chain, you will see more here. Save them all, in the order OpenSSL sends them (as in, first the one which directly issued your server certificate, then the one that issues that certificate and so on, with the root or most-root at the end of the file) to a file, named chain.pem.

You can use the following command to save all the certificates the OpenSSL command returns to a file named chain.pem. See this article for more information: https://raymii.org/s/articles/OpenSSL_-_Get_all_certificates_from_a_website_in_plain_text.html

OLDIFS=$IFS; IFS=':' certificates=$(openssl s_client -connect wikipedia.org:443 -showcerts -tlsextdebug -tls1 2>&1 </dev/null | sed -n '/-----BEGIN/,/-----END/ {/-----BEGIN/ s/^/:/; p}'); for certificate in ${certificates#:}; do echo $certificate | tee -a chain.pem ; done; IFS=$OLDIFS 

Combining the CRL and the Chain

The OpenSSL command needs both the certificate chain and the CRL, in PEM format, concatenated together for the validation to work. You can omit the CRL, but then the CRL check will not work; it will just validate the certificate against the chain.

cat chain.pem crl.pem > crl_chain.pem

OpenSSL Verify

We now have all the data we need and can validate the certificate.

$ openssl verify -crl_check -CAfile crl_chain.pem wikipedia.pem
wikipedia.pem: OK

The output above shows a good certificate status.

Revoked certificate

If you have a revoked certificate, you can also test it the same way as stated above. The response looks like this:

$ openssl verify -crl_check -CAfile crl_chain.pem revoked-test.pem
revoked-test.pem: OU = Domain Control Validated, OU = PositiveSSL, CN = xs4all.nl
error 23 at 0 depth lookup:certificate revoked

You can test this using the certificate and chain on the Verisign revoked certificate test page: .
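The whole procedure can be rehearsed offline. The following is an added example, not part of the original article: it builds a throwaway CA (the ca.cnf layout and the names Lab CA, good.example and bad.example are assumptions made up here), revokes one of two leaf certificates, and runs the same openssl verify -crl_check step, plus one run without -crl_check to show that a revoked certificate still passes plain chain validation.

```sh
# Constructed lab (not from the article): throwaway CA, two leaf certs, one revoked.
crl_lab() (
    dir=$(mktemp -d) && cd "$dir" || exit 1
    mkdir newcerts; : > index.txt; echo 1000 > serial
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = lab
[ lab ]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any
[ any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    {   openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
            -subj "/CN=Lab CA" -days 30 -config ca.cnf -extensions v3_ca &&
        for name in good bad; do
            openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
                -out "$name.csr" -subj "/CN=$name.example" -config ca.cnf &&
            openssl ca -batch -config ca.cnf -notext -in "$name.csr" -out "$name.pem" || exit 1
        done &&
        openssl ca -config ca.cnf -revoke bad.pem &&     # record the revocation
        openssl ca -config ca.cnf -gencrl -out crl.pem   # issue the CRL (PEM)
    } >/dev/null 2>&1 || exit 1
    cat ca.pem crl.pem > crl_chain.pem   # chain + CRL in one file, as in the article
    verdict() {   # reduce one `openssl verify` run to OK, REVOKED or FAIL
        case $(openssl verify "$@" 2>&1) in
            *"certificate revoked"*) echo REVOKED ;;
            *": OK"*) echo OK ;;
            *) echo FAIL ;;
        esac
    }
    echo "good=$(verdict -crl_check -CAfile crl_chain.pem good.pem)" \
         "bad=$(verdict -crl_check -CAfile crl_chain.pem bad.pem)" \
         "bad_unchecked=$(verdict -CAfile ca.pem bad.pem)"
    cd / && rm -rf "$dir"
)
crl_lab   # prints: good=OK bad=REVOKED bad_unchecked=OK
```

The last field is the one to watch in scripts and monitoring checks: without -crl_check, verify reports OK for a certificate that the CA has already revoked.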
