OpenSSL Certificate Verification Using CRL
Environment
- Debian 9.7 x64
- OpenSSL 1.1.0j 20 Nov 2018
Excerpt
Log 2019 / 06
1. Download a certificate to inspect
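# Grab the end-entity (leaf) certificate the server presents for amazon.com.
# -servername sends SNI, so a server hosting several names returns the
# certificate for amazon.com rather than its default one. Without
# -showcerts s_client prints only the leaf, so the sed range captures
# exactly one PEM block.
openssl s_client -connect amazon.com:443 -servername amazon.com \
  2>&1 </dev/null |
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
  > ee_amazon.pem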
root@athos:~# openssl s_client -connect amazon.com:443 2>&1 < /dev/null | \
> sed -n '/-----BEGIN/,/-----END/p' > ee_amazon.pem
2. Locate the CRL URL
# Show the CRL Distribution Points extension of the leaf; the URI it
# names is the CRL fetched in the next step.
openssl x509 -noout -text -in ee_amazon.pem |
  grep -A 4 -- 'X509v3 CRL Distribution Points'
root@athos:~# openssl x509 -in ee_amazon.pem -noout -text | \
> grep -A 4 'X509v3 CRL Distribution Points'
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl3.digicert.com/DigiCertGlobalCAG2.crl
3. Download the CRL
# Fetch the CRL named by the extension above. It is served DER-encoded;
# plain http is the norm for CRL distribution points because the CRL
# itself carries the issuing CA's signature.
wget --quiet --output-document=crl_amazon.der \
  http://crl3.digicert.com/DigiCertGlobalCAG2.crl
root@athos:~# wget -qO crl_amazon.der http://crl3.digicert.com/DigiCertGlobalCAG2.crl
4. Convert the CRL from DER to PEM encoding
# Re-encode the CRL as PEM so it can be concatenated with PEM
# certificates in step 7.
openssl crl -inform DER -in crl_amazon.der -outform PEM -out crl_amazon.pem
root@athos:~# openssl crl -in crl_amazon.der -inform DER \
> -out crl_amazon.pem -outform PEM
5. Download all certificates
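# Capture the whole chain the server sends. -servername sends SNI so the
# server presents the same chain a browser would see. Only stdout goes to
# the file: 2>&1 is applied before the > redirection, so the verify
# messages still reach the terminal (as in the transcript below).
openssl s_client -connect amazon.com:443 -servername amazon.com \
  -showcerts 2>&1 </dev/null > all_amazon.tmp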
root@athos:~# openssl s_client -connect amazon.com:443 \
> -showcerts 2>&1 < /dev/null > all_amazon.tmp
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Global CA G2
verify return:1
depth=0 C = US, ST = Washington, L = Seattle, O = "Amazon.com, Inc.", CN = *.peg.a2z.com
verify return:1
DONE
6. Extract the certificate chain
6.1. Using Bash
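# Write every certificate the server sends, one PEM block after another,
# to all_amazon.pem (tee also echoes them to stdout).
# Compared with the IFS/for-loop version: no global IFS juggling, no
# duplicated blocks on a re-run (tee without -a overwrites the file), and
# no -tls1 — pinning TLS 1.0 is unnecessary here and is refused by many
# servers today. -servername sends SNI so the chain matches what a
# browser would be given.
openssl s_client -connect amazon.com:443 -servername amazon.com \
  -showcerts 2>&1 </dev/null |
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' |
  tee all_amazon.pem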
6.2. Using Python
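# Write a helper that prints selected certificates from a -showcerts
# capture. The delimiter is quoted ('EOF') so nothing in the script is
# subject to shell expansion. Indexes are zero-based and follow the order
# in which the server sent the certificates (0 is normally the leaf).
cat <<'EOF' > get_certificate.py
#!/usr/bin/env python3
"""Print selected PEM certificates from an `openssl s_client -showcerts` capture.

usage: python3 get_certificate.py FILE LEVELS

FILE    capture produced by `openssl s_client -showcerts ... > FILE`
LEVELS  comma-separated, zero-based indexes of the certificates to print,
        in the order the server sent them (0 is normally the end-entity
        certificate, 1 its issuer, and so on; negative indexes count from
        the end as usual in Python).

examples:
    python3 get_certificate.py all_amazon.tmp 1,2
    python3 get_certificate.py all_amazon.tmp 1

Exit status: 0 on success, 1 if an index has no certificate, 2 on usage
errors.
"""
import sys

BEGIN = '-----BEGIN CERTIFICATE-----'
END = '-----END CERTIFICATE-----'


def read_certificates(filename):
    """Return the PEM blocks found in filename, each as a list of lines.

    Marker lines are compared after stripping the line ending, so a
    capture with CRLF endings works too. A BEGIN without a matching END
    is dropped; an END outside a block is ignored.
    """
    certificates, current = [], None
    with open(filename, 'r') as f:
        for line in f:
            marker = line.rstrip('\r\n')
            if marker == BEGIN:
                current = [line]
            elif marker == END and current is not None:
                current.append(line)
                certificates.append(current)
                current = None
            elif current is not None:
                current.append(line)
    return certificates


def main(argv):
    """Parse FILE and LEVELS from argv and print the requested blocks."""
    if len(argv) != 3:
        sys.stderr.write(__doc__)
        return 2
    try:
        levels = [int(i.strip()) for i in argv[2].split(',')]
    except ValueError:
        sys.stderr.write('LEVELS must be comma-separated integers\n')
        return 2
    certificates = read_certificates(argv[1])
    for level in levels:
        try:
            block = certificates[level]
        except IndexError:
            sys.stderr.write('no certificate at index %d (found %d)\n'
                             % (level, len(certificates)))
            return 1
        # Lines keep their own newline, so no separator is added here.
        sys.stdout.write(''.join(block))
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))
EOF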
root@athos:~# cat <<EOF > get_certificate.py
> #!/usr/bin/env python
>
> '''
> example:
> python3 get_certificate.py all_amazon.tmp 1,2
> python3 get_certificate.py all_amazon.tmp 1
> '''
>
> import sys
>
> filename = sys.argv[1]
> levels = sys.argv[2].split(',')
> strip_levels = [int(i.strip()) for i in levels]
>
> lines, begin, end = [], [], []
>
>
> def get_certificates(levels):
> for i in levels:
> print_certificate(i)
>
>
> def print_certificate(set):
> for i in range(begin[set], end[set] + 1):
> print(lines[i], end='')
>
>
> with open(filename, 'r') as f:
> lines = f.readlines()
>
> for i, reader in enumerate(lines):
> if reader == '-----BEGIN CERTIFICATE-----\n':
> begin.append(i)
> elif reader == '-----END CERTIFICATE-----\n':
> end.append(i)
>
> get_certificates(strip_levels)
> EOF
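# Index 1 is the certificate the server sent right after the leaf —
# normally the intermediate CA (0 = end-entity, 2 = root when the server
# includes it). Check the order in all_amazon.tmp before relying on it.
# The comment lives on its own line: a trailing backslash followed by a
# comment line silently joins the comment onto the command.
python3 get_certificate.py all_amazon.tmp 1 > ica_amazon.pem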
root@athos:~# python3 get_certificate.py all_amazon.tmp 1 > ica_amazon.pem \
> #(1=Intermediate, 2=Root)
7. Concatenate the CRL and the intermediate CA certificate
root@athos:~# cat crl_amazon.pem ica_amazon.pem > crl+ica_amazon.pem
8. Verification — note that -crl_check consults the CRL for the end-entity certificate only; -crl_check_all checks every certificate in the chain and then needs the issuers' CRLs in the bundle as well. The bundle holds just the CRL and the intermediate, so the OK below presumably relies on the DigiCert root being picked up from the system's default trust store; add the root to the file if the check should not depend on it.
root@athos:~# openssl verify -crl_check -CAfile crl+ica_amazon.pem ee_amazon.pem
ee_amazon.pem: OK