Saturday 29 November 2014

openssl and OCSP


I'm trying to check the revocation of certificates in a script but I'm getting the following error:



unable to load certificate
140735258465104:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE


Here are the steps (using www.google.com as an example).

  1. fetch the certificate

    $ echo 'Q' | openssl s_client -connect www.google.com:443 > google.crt

  2. extract the URI of the issuer

    $ openssl x509 -in google.crt -text -noout | grep 'CA Issuers' | \
    sed -e "s/^.*CA Issuers - URI://"


    this gives http://pki.google.com/GIAG2.crt

  3. fetch the issuer certificate

    $ curl --silent http://pki.google.com/GIAG2.crt > issuer.crt

  4. extract the OCSP URI

    $ openssl x509 -in google.crt -ocsp_uri -noout

    this gives http://clients1.google.com/ocsp


And now the final step:



$ openssl ocsp -no_nonce -issuer issuer.crt -cert google.crt \
-url http://clients1.google.com/ocsp
unable to load certificate
140735258465104:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE


What am I doing wrong?


EDIT


I just saw that http://pki.google.com/GIAG2.crt is in DER format. Converting it to PEM with



$ openssl x509 -inform DER -outform PEM -in issuer.crt -out issuer.pem


brings me one step further, but



$ openssl ocsp -no_nonce -issuer issuer.pem -cert google.crt \
-url http://clients1.google.com/ocsp
Error querying OCSP responder
140735258465104:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:255:Code=404,Reason=Not Found


The error kind of makes sense since http://clients1.google.com/ocsp delivers a 404 but the URL is the one stored in the original certificate ...


The next question will also be how to automatically detect the format of the issuer certificate but I could use file and see if the file is binary or ASCII.
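The script below is an added example, not code from the post: it strings the four steps and the final query together, detects whether the issuer certificate came back as PEM or DER instead of assuming one, and works around the 404 seen above. That 404 is the classic symptom of openssl ocsp sending no HTTP Host header, which older OpenSSL (before 1.1.0) does not do; the fix there is -header HOST <responder host> (1.0.x takes the name and value as two arguments, 1.1.0 and later use name=value and send Host on their own). Treat that diagnosis as an assumption about this particular responder. The script assumes openssl, curl, sed, grep, od and mktemp on PATH; the network part only runs when a host is given on the command line, and the sample openssl -text lines used in the checks are constructed.

```shell
#!/bin/sh
# Added example (not from the post): steps 1-4 plus the OCSP query as one
# script, with the issuer format detected rather than assumed.
# Assumes openssl, curl, sed, grep, od and mktemp are on PATH.
set -eu

# Report PEM or DER for a certificate file: PEM carries a "-----BEGIN" marker,
# a DER certificate starts with the ASN.1 SEQUENCE tag 0x30.
cert_format() {
    if grep -q -- '-----BEGIN' "$1"; then
        echo PEM
    elif [ "$(od -A n -t x1 -N 1 "$1" | tr -d ' ')" = "30" ]; then
        echo DER
    else
        echo UNKNOWN
        return 1
    fi
}

# Write certificate $1 to $2 as PEM, converting only when it is DER.
to_pem() {
    case "$(cert_format "$1")" in
        PEM) cat "$1" > "$2" ;;
        DER) openssl x509 -inform DER -in "$1" -out "$2" ;;
        *)   echo "unrecognised certificate format: $1" >&2; return 1 ;;
    esac
}

# Pull the first "CA Issuers" URI out of `openssl x509 -text` output on stdin.
ca_issuers_uri() {
    sed -n 's/^.*CA Issuers - URI://p' | head -n 1
}

# Host part of http://host[:port]/path, for an explicit HTTP Host header.
url_host() {
    printf '%s\n' "$1" | sed -e 's|^[a-z]*://||' -e 's|[:/].*$||'
}

# OpenSSL before 1.1.0 sends no Host header with the OCSP POST, which some
# responders answer with 404; add it by hand there (old two-argument syntax).
# Newer versions send it themselves, so nothing is added for them.
ocsp_header_args() {
    case "$(openssl version)" in
        "OpenSSL 0."*|"OpenSSL 1.0."*) printf '%s' "-header HOST $1" ;;
        *) ;;
    esac
}

# Steps 1-4 and the final query for one TLS host (needs network access).
check_revocation() {
    host=$1
    work=$(mktemp -d)
    # 1. leaf certificate; -servername so a virtual host returns the right one
    echo Q | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null \
        | openssl x509 -out "$work/leaf.pem"
    # 2. + 3. issuer certificate, in whatever format the CA serves it
    issuer_url=$(openssl x509 -in "$work/leaf.pem" -text -noout | ca_issuers_uri)
    curl --silent "$issuer_url" > "$work/issuer.raw"
    to_pem "$work/issuer.raw" "$work/issuer.pem"
    # 4. responder URL, then the OCSP query itself
    ocsp_url=$(openssl x509 -in "$work/leaf.pem" -ocsp_uri -noout)
    # unquoted on purpose: expands to zero words or to "-header HOST <host>"
    openssl ocsp -no_nonce -issuer "$work/issuer.pem" -cert "$work/leaf.pem" \
        -url "$ocsp_url" $(ocsp_header_args "$(url_host "$ocsp_url")")
    rm -rf "$work"
}

# Run only when a host is given, e.g.:  sh ocsp-check.sh www.google.com
if [ -n "${1:-}" ]; then
    check_revocation "$1"
fi
```

cert_format answers the format question from the post without relying on file(1): the first byte of any DER certificate is 0x30 and PEM always contains the BEGIN marker, so the test is cheap and portable. The final openssl ocsp call keeps the post's options; add -CAfile with a trusted root bundle if the default store on the machine is not the one you want the responder's signature checked against.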


