OCSP, the Online Certificate Status Protocol, is a protocol for delivering the revocation status of an X.509 SSL/TLS certificate. In theory it is more performant than its CRL (Certificate Revocation List) alternative. Responses must be delivered by the CA (Certification Authority) that issued the certificate whose revocation status is in question. CAs generate these responses with OCSP responders (OCSP servers), and operating them is required by the CA/Browser Forum Baseline Requirements.
What is OCSP Stapling?
OCSP stapling is a standard that lets the presenter of the certificate (the server) include the OCSP response in the TLS handshake itself. This improves both performance and security by removing the client's dependency on contacting the CA for the response.
OCSP Must Staple
Must-Staple is a flag set by your CA in the SSL certificate it issued to you. If the flag is set and no OCSP response is stapled to the handshake, browsers should hard fail.
OCSP vs CRL
OCSP responses carry a much smaller amount of data than a CRL check. A CRL returns the revocation status of every revoked certificate the CA has issued, and in a world of mass revocations these lists can become huge.
The downside of an OCSP response is that it may leak information about a host's internet traffic, since the CA sees which certificates the host asks about.
OCSP responders typically run on port 80; because their responses are signed, the data does not need to be transmitted over HTTPS. Responders do not have to run on port 80, but if an alternate port is used, the OCSP URL in the certificate (the Authority Information Access extension) must list the correct port.
The openssl ocsp utility can print OCSP requests and responses, create requests, and query an OCSP responder to test it. It can also act as an OCSP server (responder) itself.
openssl ocsp examples:
Manually check revocation status of certificate from OCSP:
To check revocation for the SSL certificate installed on a web server, first get the certificate. In this example, we'll use openssl s_client to connect and extract the server certificate from the handshake.
openssl s_client -connect example.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > example.com.pem
Next, use the openssl x509 utility to find the OCSP URL to test against.
openssl x509 -noout -ocsp_uri -in example.com.pem
The OCSP check also requires the issuing certificate chain. Using openssl s_client with -showcerts, connect and print the full chain, then copy the PEM certificates of the issuing chain (the intermediate CA certificate(s) that follow the server certificate in the output) to a file named chain.pem.
openssl s_client -connect example.com:443 -showcerts 2>&1 < /dev/null
Finally, send the OCSP request to the responder, using the URL returned by the -ocsp_uri step (DigiCert's responder is shown here as an example).
openssl ocsp -issuer chain.pem -cert example.com.pem -text -url http://ocsp.digicert.com
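The four manual steps above, automated as one POSIX shell script that also parses the verbose openssl ocsp output into a single status word and checks whether the server staples a response. This is an added example, not code from the original post; it assumes openssl and awk are in PATH, and the function and file names (fetch_chain, parse_ocsp_output, leaf.pem, chain.pem) are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl (s_client, x509, ocsp)
# and awk are in PATH. File and function names here are this example's own choices.
set -eu

# Steps 1 and 3: one s_client call fetches the whole chain. The first PEM block is
# the server (leaf) certificate; every following block (the issuing CAs) goes to chain.pem.
fetch_chain() {   # $1=host $2=port $3=output directory
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | awk -v dir="$3" '
        /-----BEGIN CERTIFICATE-----/ { n++; file = (n == 1) ? (dir "/leaf.pem") : (dir "/chain.pem") }
        file != "" { print > file }
        /-----END CERTIFICATE-----/ { file = "" }'
}

# Step 2: read the responder URL from the leaf's Authority Information Access extension.
ocsp_uri() { openssl x509 -noout -ocsp_uri -in "$1"; }

# Reduce the verbose "openssl ocsp" output (stdout and stderr combined) to one word.
# "Response verify OK" (the response signature check) must be present; otherwise the
# answer is "error" regardless of the status line, so an unsigned answer is never trusted.
parse_ocsp_output() {   # stdin = openssl ocsp output, $1 = the file name given to -cert
  awk -v cert="$1" '
    /^Response verify OK/       { verified = 1 }
    index($0, cert ": ") == 1   { status = substr($0, length(cert) + 3) }
    END { if (!verified) print "error"; else if (status == "") print "unknown"; else print status }'
}

# Step 4: query the responder and print good | revoked | unknown | error.
check_ocsp() {   # $1=host [$2=port, default 443]
  dir=$(mktemp -d); port="${2:-443}"
  fetch_chain "$1" "$port" "$dir"
  uri=$(ocsp_uri "$dir/leaf.pem")
  openssl ocsp -issuer "$dir/chain.pem" -cert "$dir/leaf.pem" -url "$uri" 2>&1 \
    | parse_ocsp_output "$dir/leaf.pem"
  rm -rf "$dir"
}

# Stapling check: exit status 0 if the server staples an OCSP response in the handshake.
has_stapled_response() {   # $1=host $2=port
  openssl s_client -connect "$1:$2" -servername "$1" -status </dev/null 2>/dev/null \
    | grep -q "OCSP Response Status: successful"
}

# Usage: sh ocsp-check.sh example.com [443]
if [ -n "${1:-}" ]; then
  check_ocsp "$1" "${2:-443}"
  has_stapled_response "$1" "${2:-443}" && echo "stapled: yes" || echo "stapled: no"
fi
```

A "revoked" result from check_ocsp is the signal to replace the certificate; an "error" result means the response could not be verified and should be treated as no answer, not as "good".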
This example covers the basic use case of manually checking the revocation status of a certificate from a client's standpoint. Let us know in the comments if you would like more examples of how to use the openssl ocsp utility.