aia

Testing OCSP

Written by georg on Dezember 23, 2015

To test OCSP you need three things: The issuer certificate, the certificate you’d like to check and the path to the OCSP. All this information seems to be slightly redundant, as the certificate itself already contains the information about the OCSP URL and most of the time also the path to the issuer certificate. It would be very nice if openssl would read all this information from the certificate itself, nevertheless you need this three things to do some basic checks.
Get the required information from the AIA and download the issuer certificate:

[1]Authority Info Access
     Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
     Alternative Name:
          URL=http://ocsp.startssl.com/sub/class1/server/ca
[2]Authority Info Access
     Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
     Alternative Name:
          URL=http://aia.startssl.com/certs/sub.class1.server.ca.crt

Write the request into a file

openssl ocsp -issuer startssl.cer -cert www.höllrigl.at.cer -no_nonce -url http://ocsp.startssl.com/sub/class1/server/ca -reqout ocsp.req

Convert the request to base64

openssl enc -in ocsp.req -out ocsp.req.b64 -a

The file should look something like this

MEswSTBHMEUwQzAJBgUrDgMCGgUABAR571c85Prvkggz7EWCVSbdzaAjFQQUFbqc
WolwWaxKVTlvLQA1YeCBz7MCChnePRMAAAAArhA=

Then you URL encode that file – you might use some free online decoder like http://meyerweb.com/eric/tools/dencoder/ – but here you have to remove the line breaks in advance. Or you do it directly at the shell

tr -d '\n' < ocsp.req.b64 | php -R 'echo urlencode($argn);'

Your output should look something like

MEswSTBHMEUwQzAJBgUrDgMCGgUABAR571c85Prvkggz7EWCVSbdzaAjFQQUFbqcWolwWaxKVTlvLQA1YeCBz7MCChnePRMAAAAArhA%3D

Now you can build your request to submit in a webbrowser or using curl at the shell.

curl http://ocsp.startssl.com/sub/class1/server/ca/MEswSTBHMEUwQzAJBgUrDgMCGgUABAR571c85Prvkggz7EWCVSbdzaAjFQQUFbqcWolwWaxKVTlvLQA1YeCBz7MCChnePRMAAAAArhA%3D --proxy http://path.to.proxy:8080 > ocsp.resp

With the output file you are able to verify the output with something like

openssl ocsp -respin ocsp.resp -text
OCSP Response Data:
    OCSP Response Status: successful (0x0)
...

Why all this effort, when openssl might do this on it’s own?
Just because openssl won’t work too well in an envrionment where a proxy is required.
The –proxy option seems only to work starting with version openssl 1.1

Alternatively you could also try telnet to connect via a proxy

telnet path.to.proxy 8080
CONNECT ocsp.startssl.com:80 HTTP/1.0
GET /sub/class1/server/ca/MEswSTBHMEUwQzAJBgUrDgMCGgUABAR571c85Prvkggz7EWCVSbdzaAjFQQUFbqcWolwWaxKVTlvLQA1YeCBz7MCChnePRMAAAAArhA%3D

But using curl and writing into a file might be more useful.