I am trying to check the revocation of certificates in a script but I get the following error:
unable to load certificate
140735258465104:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
Here are the steps (using www.google.com as an example):
fetch the certificate
echo 'Q' | openssl s_client -connect www.google.com:443 > google.crt
extract the URI of the issuer
openssl x509 -in google.crt -text -noout | grep 'CA Issuers' | sed -e "s/^.*CA Issuers - URI://"
this gives
http://pki.google.com/GIAG2.crt
fetch the issuer certificate
curl --silent http://pki.google.com/GIAG2.crt > issuer.crt
extract the OCSP URI
openssl x509 -in google.crt -ocsp_uri -noout
this gives
http://clients1.google.com/ocsp
And now the final step:
$ openssl ocsp -no_nonce -issuer issuer.crt -cert google.crt -url http://clients1.google.com/ocsp
unable to load certificate
140735258465104:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
What am I doing wrong?
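An added example, not part of the original post: the "no start line" error comes from OpenSSL's PEM reader finding no `-----BEGIN` line in an input file, which is what happens when a certificate is in binary DER form, as files served from CA Issuers URLs commonly are. The sketch below classifies each input and normalises it to PEM before running the same `openssl ocsp` command; the function names `cert_encoding`, `to_pem` and `check_ocsp` are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the original post.

# cert_encoding FILE: print "pem", "der" or "unknown".
cert_encoding() {
    # PEM: a BEGIN line somewhere in the file (s_client output has text around it).
    if grep -q -e '-----BEGIN CERTIFICATE-----' \
               -e '-----BEGIN TRUSTED CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
        return 0
    fi
    # DER heuristic: a certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    first=$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \t\n')
    if [ "$first" = "30" ]; then echo der; else echo unknown; fi
}

# to_pem IN OUT: write a PEM copy of IN to OUT, converting from DER if needed.
to_pem() {
    case "$(cert_encoding "$1")" in
        pem) openssl x509 -in "$1" -out "$2" ;;
        der) openssl x509 -inform DER -in "$1" -out "$2" ;;
        *)   echo "$1: neither a PEM nor a DER certificate" >&2; return 1 ;;
    esac
}

# check_ocsp ISSUER CERT URL: normalise both files, then query the responder
# with the same options as the command in the post.
check_ocsp() {
    tmp=$(mktemp -d) || return 1
    to_pem "$1" "$tmp/issuer.pem" && to_pem "$2" "$tmp/cert.pem" &&
        openssl ocsp -no_nonce -issuer "$tmp/issuer.pem" \
                     -cert "$tmp/cert.pem" -url "$3"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage: sh script.sh issuer.crt google.crt http://clients1.google.com/ocsp
if [ $# -eq 3 ]; then
    check_ocsp "$@"
fi
```

A download that is neither PEM nor DER (for example an HTML error page saved by curl) is reported as "unknown" and rejected before any OCSP request is sent.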