To test OCSP you need three things: the issuer certificate, the certificate you would like to check and the URL of the OCSP responder. All this information seems slightly redundant, as the certificate itself already contains the OCSP URL and, most of the time, also the location of the issuer certificate. It would be very nice if openssl read all this information from the certificate itself; nevertheless, you need these three things to do some basic checks.
Get the required information from the AIA and download the issuer certificate:
[1]Authority Info Access
    Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
    Alternative Name:
        URL=http://ocsp.startssl.com/sub/class1/server/ca
[2]Authority Info Access
    Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
    Alternative Name:
        URL=http://aia.startssl.com/certs/sub.class1.server.ca.crt
Write the DER-encoded request into a file (without a nonce, so the same request stays cacheable and small enough for a GET):
openssl ocsp -issuer startssl.cer -cert www.höllrigl.at.cer -no_nonce -url http://ocsp.startssl.com/sub/class1/server/ca -reqout ocsp.req
Convert the request to base64:
openssl enc -in ocsp.req -out ocsp.req.b64 -a
The file should look something like this:
MEswSTBHMEUwQzAJBgUrDgMCGgUABAR571c85Prvkggz7EWCVSbdzaAjFQQUFbqc
WolwWaxKVTlvLQA1YeCBz7MCChnePRMAAAAArhA=
Then you URL-encode that file. You might use a free online URL encoder such as http://meyerweb.com/eric/tools/dencoder/, but in that case you have to remove the line breaks first. Or you do it directly at the shell:
tr -d '\n' < ocsp.req.b64 | php -R 'echo urlencode($argn);'
Your output should look something like this:
MEswSTBHMEUwQzAJBgUrDgMCGgUABAR571c85Prvkggz7EWCVSbdzaAjFQQUFbqcWolwWaxKVTlvLQA1YeCBz7MCChnePRMAAAAArhA%3D
Now you can build your request and submit it in a web browser or with curl at the shell:
curl http://ocsp.startssl.com/sub/class1/server/ca/MEswSTBHMEUwQzAJBgUrDgMCGgUABAR571c85Prvkggz7EWCVSbdzaAjFQQUFbqcWolwWaxKVTlvLQA1YeCBz7MCChnePRMAAAAArhA%3D --proxy http://path.to.proxy:8080 > ocsp.resp
With the response file you can then decode and inspect the response with something like:
openssl ocsp -respin ocsp.resp -text
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    ...
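The steps above, from the base64 file to the GET URL and the response status, can also be scripted. The following is an added example, not part of the original post: it rebuilds the GET URL from the page's base64 request (RFC 6960, Appendix A.1) and reads the responseStatus field of an OCSPResponse so a script can tell a "successful" answer from "unauthorized" or "tryLater" before handing the file to openssl. The sample response bytes are constructed.

```python
import base64
from urllib.parse import quote

# RFC 6960 OCSPResponseStatus values (ENUMERATED); value 4 is not used.
RESPONSE_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
                   3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

# Constructed sample input: the base64 request from the page, exactly as
# `openssl enc -a` writes it (64-column lines), for the StartSSL responder.
OCSP_URL = "http://ocsp.startssl.com/sub/class1/server/ca"
REQ_B64_FILE = (
    "MEswSTBHMEUwQzAJBgUrDgMCGgUABAR571c85Prvkggz7EWCVSbdzaAjFQQUFbqc\n"
    "WolwWaxKVTlvLQA1YeCBz7MCChnePRMAAAAArhA=\n"
)


def der_from_b64(text):
    """Undo `openssl enc -a`: drop the line breaks, then base64-decode to DER."""
    return base64.b64decode("".join(text.split()))


def ocsp_get_url(responder_url, der_request):
    """Build the GET form {url}/{urlencode(base64(DER))}. quote(safe='') also
    escapes '/', '+' and '=', which base64 output may contain."""
    encoded = quote(base64.b64encode(der_request).decode("ascii"), safe="")
    return responder_url.rstrip("/") + "/" + encoded


def ocsp_response_status(der_response):
    """Read OCSPResponse.responseStatus, the ENUMERATED that opens the outer
    SEQUENCE, without a full ASN.1 parser. Returns (code, name)."""
    if der_response[:1] != b"\x30":
        raise ValueError("not a DER SEQUENCE")
    # Skip the SEQUENCE length: short form (1 byte) or long form (1 + n bytes).
    pos = 2 if der_response[1] < 0x80 else 2 + (der_response[1] & 0x7F)
    if der_response[pos:pos + 2] != b"\x0a\x01":
        raise ValueError("responseStatus ENUMERATED not found")
    code = der_response[pos + 2]
    return code, RESPONSE_STATUS.get(code, "unknown")


if __name__ == "__main__":
    print(ocsp_get_url(OCSP_URL, der_from_b64(REQ_B64_FILE)))
    # Constructed minimal response: SEQUENCE { ENUMERATED 6 } = unauthorized.
    print(ocsp_response_status(bytes.fromhex("30030a0106")))
```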
Why all this effort, when openssl might do this on its own?
Because openssl does not work too well in an environment where a proxy is required.
The -proxy option of openssl ocsp seems to work only starting with openssl version 1.1.
Alternatively, you could also try telnet to connect via the proxy:
telnet path.to.proxy 8080
CONNECT ocsp.startssl.com:80 HTTP/1.0

GET /sub/class1/server/ca/MEswSTBHMEUwQzAJBgUrDgMCGgUABAR571c85Prvkggz7EWCVSbdzaAjFQQUFbqcWolwWaxKVTlvLQA1YeCBz7MCChnePRMAAAAArhA%3D
But using curl and writing the response into a file is usually more useful.