Commit 846ec829 authored by Chris Hines's avatar Chris Hines

Initial commit

parents
Scripts using openssl to check the status of certificates
```
check_ocsp.sh beta.cloud.cvl.org.au
```
check_ocsp uses OCSP (suprise!!!) to verify that the certificates have not been revoked. I think this is prefered to using CRLs
To confuse matters, I think Firefox and Safari use OCSP every time they visit a site, but Chrome does not (it uses something called CRLSets)
#!/bin/bash
ICA="cert-2.crt"
echo "" | openssl s_client -connect $1:443 -showcerts 2>/dev/null | awk '/BEGIN/ { i++; } /BEGIN/, /END/ { print > "cert-" i ".crt" }'
crlurl=$( openssl x509 -in $ICA -noout -text | grep crl | tr -d '[:space:]' | cut -c 5- )
curl $crlurl | openssl crl -inform DER -in - -outform PEM -out crl.pem
cat crl.pem cert*.crt > crl_chain.pem
openssl verify -crl_check -CAfile crl_chain.pem $ICA
#OCSP was harder than CRLs. LetsEncrypt has stoped usign OCSP anyway ...
#ls cert*crt | xargs -I{} sh -c 'openssl x509 -in {} -noout -dates -serial -subject ; echo "------------------"'
#serial=$( openssl x509 -in $ICA -noout -serial 2>/dev/null | cut -f 2 -d =)
#root=$( openssl x509 -in $ICA -noout -issuer 2>/dev/null | cut -c 9-)
#echo $serial
#echo "root $root"
#rootpem=$( find /etc/ssl/certs -exec sh -c "echo {} ; openssl x509 -in {} -noout -subject 2>/dev/null | cut -c 9- " \; | grep -B 1 "$root" | head -n 1)
#echo openssl ocsp -nonce -noverify -issuer $rootpem -serial 0x${serial} -url http://ocsp.quovadisglobal.com
#openssl ocsp -nonce -noverify -issuer $rootpem -serial 0x${serial} -url http://ocsp.quovadisglobal.com | head -n 1
#openssl ocsp -nonce -noverify -issuer $rootpem -serial 0x${serial} -url http://r3.o.lencr.org | head -n 1
#rm *crt
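Review bot: `openssl verify -crl_check -CAfile crl_chain.pem $ICA` on the last active line trusts whatever the server just sent: crl_chain.pem is built from `cert*.crt`, so the server-supplied chain becomes its own trust anchor and any self-consistent chain, including one that chains to no public CA, verifies. It also checks revocation of the intermediate (cert-2.crt) only; cert-1.crt, the leaf, is never passed to verify, although the leaf is what the README says the scripts check. Anchor on the system store and hand the CRL over separately: `openssl verify -crl_check -CApath /etc/ssl/certs -CRLfile crl.pem -untrusted "$ICA" cert-1.crt`, noting that `-crl_check` then needs the leaf's own CRL, taken from cert-1.crt's CRL Distribution Points rather than from `$ICA` (or fetch both and use `-crl_check_all`). Quoting `$1` and `$crlurl` and running `curl -fsS` would also stop a failed or HTML download from being piped into `openssl crl` as if it were a CRL.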
#!/bin/bash
echo "" | openssl s_client -connect $1:443 -showcerts 2>/dev/null | awk '/BEGIN/ { i++; } /BEGIN/, /END/ { print > "cert-" i ".crt" }'
for CERT in `ls cert*crt`
do
echo -e "\n\n\n"
echo "testing $CERT"
subject=$( openssl x509 -in $CERT -noout -subject 2>/dev/null | cut -f 2- -d =)
echo "subject $subject"
serial=$( openssl x509 -in $CERT -noout -serial 2>/dev/null | cut -f 2 -d =)
issuer=$( openssl x509 -in $CERT -noout -issuer 2>/dev/null | cut -c 9-)
echo "issuer $issuer"
rootpem=$( find /etc/ssl/certs . -exec sh -c "echo {} ; openssl x509 -in {} -noout -subject 2>/dev/null | cut -c 9- " \; | grep -B 1 "$issuer" | head -n 1 )
rootpem=$( echo -e $rootpem | head -n 1)
echo "root pem $rootpem"
ocsp_uri=$( openssl x509 -noout -ocsp_uri -in $CERT )
echo "ocsp_uri $ocsp_uri"
if [ -z "$ocsp_uri" ]
then
echo "no ocsp uri for $subject"
else
openssl ocsp -nonce -noverify -issuer $rootpem -serial 0x${serial} -url $ocsp_uri
fi
done
rm cert*crt
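Review bot: `openssl ocsp -nonce -noverify ...` in the else branch never verifies the OCSP response signature, so the good/revoked status the loop prints is unauthenticated and anything between this host and `$ocsp_uri` could substitute a response. The issuer certificate is already located in `$rootpem`, so the flag can be dropped: `openssl ocsp -nonce -issuer "$rootpem" -cert "$CERT" -CApath /etc/ssl/certs -url "$ocsp_uri"`, which checks the responder against the system store and lets `-cert` replace the `cut`-derived serial. Separately, the `find ... -exec sh -c "echo {} ; openssl x509 -in {} ..."` line splices file names from `/etc/ssl/certs` and `.` into shell source (ShellCheck SC2156); `sh -c 'echo "$1"; openssl x509 -in "$1" -noout -subject 2>/dev/null | cut -c 9-' _ {} \;` passes them as an argument instead. The script also always exits 0 because `rm cert*crt` is its last command, so a caller cannot tell a revoked result from a good one without parsing the output.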