It's pretty easy; the OpenSSL and curl manuals cover it, but I thought I would put it all here in a single post for you.
First, in these examples I used the certificates from the http://www.globalsign.com site: I saved the www certificate to globalsignssl.crt and its issuer to globalsignssl.crt (the commands below refer to them as globalsign.com.cer and globalsigng2.cer).
Next you will find a series of commands used to generate both POSTs and GETs for OCSP:
1. Create an OCSP request to work with; this also produces a POST to the OCSP responder
openssl ocsp -noverify -no_nonce -respout ocspglobalsignca.resp -reqout ocspglobalsignca.req -issuer globalsigng2.cer -cert globalsign.com.cer -url "http://ocsp2.globalsign.com/gsextendvalg2" -header "HOST" "ocsp2.globalsign.com" -text
2. Base64 encode the DER encoded OCSP request
openssl enc -in ocspglobalsignca.req -out ocspglobalsignca.req.b64 -a
3. URL Encode the Base64 blob after removing any line breaks (see: http://meyerweb.com/eric/tools/dencoder/ for a decoder)
4. Copy the Base64 into the URL you will use in your GET
http://ocsp2.globalsign.com/gsextendvalg2/{URL encoded Base64 Here}
5. Do your GET:
curl --verbose --url http://ocsp2.globalsign.com/gsextendvalg2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBSgcg6ganxiAlTyqPWd0nuk87cvpAQUsLBK%2FRx1KPgcYaoT9vrBkD1rFqMCEhEhD0Xjo%2FV7lgq3ziGoWG69rA%3D%3D
If you like you can also re-play the request that was generated with OpenSSL as a POST:
curl --verbose --data-binary @ocspglobalsignca.req -H "Content-Type:application/ocsp-request" --url http://ocsp2.globalsign.com/gsextendvalg2
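As an added example (my own code, not part of the original post), the Python below does steps 2 to 4 in both directions and walks the DER so you can see exactly what the GET carries: a hash algorithm OID, the issuer name and key hashes, and the serial number, nothing more. The sample path is constructed by copying the encoded request out of the GET URL above.

```python
import base64
from urllib.parse import quote, unquote

# Constructed sample: the path segment from the GET in the post (base64 DER, URL-encoded).
SAMPLE_GET_PATH = ("MFMwUTBPME0wSzAJBgUrDgMCGgUABBSgcg6ganxiAlTyqPWd0nuk87cvpAQUsLBK"
                   "%2FRx1KPgcYaoT9vrBkD1rFqMCEhEhD0Xjo%2FV7lgq3ziGoWG69rA%3D%3D")

def der_to_get_path(der: bytes) -> str:
    """RFC 6960 A.1 GET form: base64 of the DER request, no line breaks, then URL-encoded."""
    return quote(base64.b64encode(der).decode("ascii"), safe="")

def get_path_to_der(path: str) -> bytes:
    """Reverse of der_to_get_path, so a GET seen in logs can be inspected or replayed as a POST."""
    return base64.b64decode(unquote(path))

def _tlv(buf: bytes, pos: int):
    """Read one DER TLV at pos (short or long-form length); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low seven bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(value: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER body into dotted form (handles multi-byte arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_ocsp_request(der: bytes) -> dict:
    """Pull the CertID out of a minimal OCSPRequest (one Request, no nonce, no signature),
    which is what `openssl ocsp -no_nonce` emits. Unsigned requests carry no secrets."""
    _, body, _ = _tlv(der, 0)              # OCSPRequest ::= SEQUENCE { tbsRequest, ... }
    _, tbs, _ = _tlv(body, 0)              # TBSRequest; version/requestorName absent here
    _, request_list, _ = _tlv(tbs, 0)      # requestList ::= SEQUENCE OF Request
    _, request, _ = _tlv(request_list, 0)  # first Request ::= SEQUENCE { reqCert CertID, ... }
    _, cert_id, _ = _tlv(request, 0)       # CertID content: alg, nameHash, keyHash, serial
    _, alg, pos = _tlv(cert_id, 0)
    _, name_hash, pos = _tlv(cert_id, pos)
    _, key_hash, pos = _tlv(cert_id, pos)
    tag, serial, _ = _tlv(cert_id, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber in CertID")
    return {"hash_oid": _oid(_tlv(alg, 0)[1]), "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(), "serial": serial.hex()}
```

Note that `-noverify` in step 1 tells `openssl ocsp` to skip verifying the responder's signature, which is fine for a connectivity test but not for judging whether a certificate is actually good.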
Thank you!
Thanks, this is helpful. I’m running into a problem where this works through a reverse proxy into our environment, but both OpenSSL and certutil -url fail. Ideas on how the above style of request is different than typical?
Peter, if I understand correctly your environment uses a SOCKS proxy to gain access to the network where the OCSP server is located, and since neither OpenSSL nor certutil supports that natively you are asking how to run a test in such an environment? If so you probably need to use something like http://proxytunnel.sourceforge.net/
Actually – turned out it was simply a matter of the reverse proxy needing the host header to be present in order to forward it on to the right host and therefore getting a proper response.
Adding the following to the curl line
--header 'Host: www.example.com'
solved my problem.
Thanks for the pointer to proxytunnel though.
https://certificatetools.com/ocsp_checker makes this extremely quick and simple. It does the check for you, but also provides the OpenSSL command with the certificate and CA chain download for you to run locally if you prefer.
An (almost) one line version of the same thing can be found in https://blobfish.pe/blog/perform-a-get-ocsp-request-in-almost-one-line/.
This post is maybe 8y old, that one is from this month 😉
Thank You!