

@odellt
Last active November 23, 2021 10:57
Steps using openssl to check a certificate's signature and its revocation status (OCSP and CRL)

Manual Certificate Checking

Verify Signature

  1. Grab the certificate content.
  2. Convert it to PEM encoding and save it as cert.pem. The decoder at https://certlogik.com/decoder/ does this, but a third-party site is not needed: a DER file converts with openssl x509 -inform DER -in cert.der -out cert.pem, and a bare base64 blob only needs -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines around it, with the body folded to 64 characters per line.
  3. Get the issuer (intermediate) and root certificates in PEM format and save them as issuer.pem and root.pem. openssl x509 -noout -issuer -in cert.pem names the CA you are looking for, and the issuer certificate is usually published at the CA Issuers URL in the certificate's Authority Information Access extension (visible in openssl x509 -noout -text -in cert.pem).
  4. Create a chain.pem file containing the issuer.pem content followed by the root.pem content.
  5. Verify the issuer.pem signature: openssl verify -CAfile root.pem issuer.pem
  6. Verify the cert.pem signature: openssl verify -CAfile chain.pem cert.pem. This marks the intermediate as trusted; openssl verify -CAfile root.pem -untrusted issuer.pem cert.pem is the stricter test, because the intermediate is then handled the way a TLS client handles one sent by the server rather than being trusted outright.

Verify OCSP

  1. Extract the OCSP responder URL from the certificate: openssl x509 -noout -ocsp_uri -in cert.pem This prints a URL, e.g. http://ocsp-check.com. Plain http is normal here: the response is signed by the CA, and fetching it over TLS would mean validating yet another certificate first.

  2. Query the responder and validate its response with the command below, replacing {OCSP_URL} with the result from Step 1. -issuer takes the first certificate in the file it is given, which is why chain.pem (issuer first) works. If all is well, the output should read:

    openssl ocsp -CAfile chain.pem -issuer chain.pem -cert cert.pem -url {OCSP_URL}
    # Should print:
    #
    # Response verify OK
    # cert.pem: good
    #     This Update: Jan  6 12:45:36 2021 GMT
    #     Next Update: Jan  8 12:45:36 2021 GMT

    A revoked certificate prints cert.pem: revoked followed by the revocation time (and the reason, if the responder gives one). cert.pem: unknown means the responder has no record of that serial number, which is not a pass. Response Verify Failure means the response signature could not be chained to the certificates in -CAfile, so the status it carries must not be trusted.
  3. Repeat these steps for each certificate in the chain, pointing -issuer and -CAfile at that certificate's own issuer and taking the OCSP URL from that certificate (for issuer.pem: openssl ocsp -CAfile root.pem -issuer root.pem -cert issuer.pem -url {OCSP_URL}).

Verify CRL

  1. Find the CRL distribution point in the certificate openssl x509 -noout -text -in cert.pem | grep -A 4 'X509v3 CRL Distribution Points' From the output grab the CRL URL, e.g. http://crl.qtsp.com/qtsp.crl (openssl x509 -noout -ext crlDistributionPoints -in cert.pem prints just that extension).

  2. Download that CRL with the command below, replacing {CRL_URL} with the result from Step 1 wget {CRL_URL} -O cert-crl.crl For example wget http://crl.qtsp.com/qtsp.crl -O cert-crl.crl As with OCSP, plain http is expected; the CRL is signed by the issuer and verified in Step 5.

  3. CRLs are usually distributed as DER. Convert the download to PEM with the command below openssl crl -inform DER -in cert-crl.crl -outform PEM -out cert-crl.pem If the file already starts with -----BEGIN X509 CRL----- it is PEM and this step is not needed. openssl crl -in cert-crl.pem -noout -issuer -lastupdate -nextupdate shows who signed it and whether it is still current; openssl verify rejects an expired CRL.

  4. Combine the CRL and the certificate chain with the command below cat chain.pem cert-crl.pem > cert-crl-chain.pem openssl verify reads CRL blocks from the -CAfile alongside the certificates, which is what makes the next step work.

  5. Verify the certificate against the CRL with the command below. -crl_check checks only cert.pem itself; -crl_check_all also checks issuer.pem against the root's CRL, which then has to be in the file too.

    openssl verify -crl_check -CAfile cert-crl-chain.pem cert.pem
    # Should print:
    #
    # cert.pem: OK
    #
    # A revoked certificate instead prints:
    # error 23 at 0 depth lookup: certificate revoked
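
The three procedures above (signature chain, OCSP, CRL) run end to end, as an added example that is not part of this gist. The script builds its own throwaway root, intermediate and two leaf certificates with openssl, answers the OCSP request itself with openssl ocsp in responder mode instead of contacting a network responder, and issues the intermediate's CRL with openssl ca from a hand-written index.txt, so the whole thing runs offline. It also shows a local base64-to-PEM wrapper in place of the decoder site. The names (Test Root, example.test), the URLs placed in the certificates, the serial database and the revocation details are all constructed test data; openssl 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example, not from the gist: build a throwaway root -> intermediate -> leaf PKI with
# openssl, then run the gist's three checks (chain signature, OCSP, CRL) against it offline.
# Every name, URL and date below is constructed test data. Needs OpenSSL 1.1.1 or later.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# One config for openssl req (CSRs and the self-signed root), x509 -req (extensions) and
# ca -gencrl. The OCSP URI and CRL DP are fake but let the gist's "extract the URL" steps run.
cat > exts.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
authorityInfoAccess = OCSP;URI:http://ocsp.example.test
crlDistributionPoints = URI:http://crl.example.test/int.crl
[ ca ]
default_ca = int_ca
[ int_ca ]
database = index.txt
default_md = sha256
default_crl_days = 7
EOF

new_csr() {  # $1 = file stem, $2 = CN; P-256 keys keep the example fast
  openssl req -new -config exts.cnf -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}
openssl req -x509 -config exts.cnf -extensions v3_ca -newkey ec \
  -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 3650 \
  -keyout root.key -out root.pem -subj "/CN=Test Root" 2>/dev/null
new_csr int "Test Intermediate"
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1825 \
  -extfile exts.cnf -extensions v3_ca -out issuer.pem 2>/dev/null
for leaf in good revoked; do
  new_csr "$leaf" "$leaf.example.test"
  openssl x509 -req -in "$leaf.csr" -CA issuer.pem -CAkey int.key -CAcreateserial -days 365 \
    -extfile exts.cnf -extensions v3_leaf -out "$leaf.pem" 2>/dev/null
done
cat issuer.pem root.pem > chain.pem    # gist: issuer first, then root

# CA database read by both the OCSP responder and the CRL generator. Tab-separated fields:
# status (V valid / R revoked), expiry, revocation date[,reason], serial, file, subject.
serial() { openssl x509 -noout -serial -in "$1" | cut -d= -f2; }
printf 'V\t330101000000Z\t\t%s\tunknown\t/CN=good.example.test\n' "$(serial good.pem)" > index.txt
printf 'R\t330101000000Z\t230101000000Z,keyCompromise\t%s\tunknown\t/CN=revoked.example.test\n' \
  "$(serial revoked.pem)" >> index.txt

# Gist "Verify Signature" step 2 without a third-party site: PEM is base64 DER folded to 64 columns.
b64_to_pem() {
  echo '-----BEGIN CERTIFICATE-----'; tr -d ' \r\n' | fold -w 64; echo; echo '-----END CERTIFICATE-----'
}
# "Verify Signature", with the intermediate passed as -untrusted rather than as a CA.
verify_sig() { openssl verify -CAfile root.pem -untrusted issuer.pem "$1" >/dev/null 2>&1; }
# OCSP step 1 and CRL step 1: read the URLs out of the leaf.
ocsp_url() { openssl x509 -noout -ocsp_uri -in "$1"; }
crl_url()  { openssl x509 -noout -ext crlDistributionPoints -in "$1" | sed -n 's/.*URI://p'; }
# OCSP step 2 without a network: write the request, answer it from index.txt with the
# intermediate acting as its own responder, then verify the response exactly as the gist does.
ocsp_status() {
  openssl ocsp -no_nonce -issuer issuer.pem -cert "$1" -reqout req.der >/dev/null 2>&1
  openssl ocsp -index index.txt -CA issuer.pem -rsigner issuer.pem -rkey int.key \
    -reqin req.der -respout resp.der >/dev/null 2>&1
  out=$(openssl ocsp -no_nonce -CAfile chain.pem -issuer issuer.pem -cert "$1" -respin resp.der 2>&1)
  printf '%s\n' "$out" | grep -q '^Response verify OK' || { echo verify-failed; return 1; }
  printf '%s\n' "$out" | sed -n "s/^$1: //p"     # good | revoked | unknown
}
# CRL steps 3-5: issue the intermediate's CRL (already PEM), append it to the chain file and
# check the leaf against it. -crl_check covers the leaf only; -crl_check_all would also need
# the root's CRL in the file to cover issuer.pem.
openssl ca -config exts.cnf -gencrl -keyfile int.key -cert issuer.pem -out int-crl.pem 2>/dev/null
cat chain.pem int-crl.pem > cert-crl-chain.pem
crl_check() { openssl verify -crl_check -CAfile cert-crl-chain.pem "$1" >/dev/null 2>&1; }

for leaf in good.pem revoked.pem; do
  echo "$leaf: OCSP responder $(ocsp_url "$leaf"), CRL at $(crl_url "$leaf")"
  verify_sig "$leaf" && echo "$leaf: chain signature OK"
  echo "$leaf: OCSP status $(ocsp_status "$leaf")"
  if crl_check "$leaf"; then echo "$leaf: not on CRL"; else echo "$leaf: CRL check failed (revoked, or CRL unusable)"; fi
done
```

Run it with sh. Both leaves pass the signature check, since revocation is a separate question from a valid signature chain; the revoked leaf then comes back as revoked from the OCSP response and fails the CRL check, while the good one passes both. Swap the fake `index.txt` and self-issued responses for the real URLs the leaf carries and the same `ocsp_status` and `crl_check` functions apply to a production certificate.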

TODO

The following are tasks that could be done to improve this document

  • Add steps for getting issuer certificates
  • Add steps for converting DER -> PEM
  • Add better steps for converting base64 -> PEM that don't rely on a third party site
  • Add steps for getting certificate details (openssl x509 -text) to get issuer details, check for expiry, and anything else that might be interesting
  • Add examples of bad output and what is meant