How to do OCSP requests using OpenSSL and CURL


It's pretty easy; the OpenSSL and CURL manuals cover it well, but I thought I would put it all here in a single post for you.

First, in these examples I used the certificates from the http://www.globalsign.com site: I saved the www certificate to globalsignssl.crt and its issuer to globalsignssl.crt.

Next you will find a series of commands used to generate both POSTs and GETs for OCSP:

1. Create an OCSP request to work with; this also sends it to the OCSP responder as a POST (and saves the response to ocspglobalsignca.resp)

openssl ocsp -noverify -no_nonce -respout ocspglobalsignca.resp -reqout ocspglobalsignca.req -issuer globalsigng2.cer -cert globalsign.com.cer -url "http://ocsp2.globalsign.com/gsextendvalg2" -header "HOST" "ocsp2.globalsign.com" -text

2. Base64 encode the DER encoded OCSP request

openssl enc -in ocspglobalsignca.req -out ocspglobalsignca.req.b64 -a

3. URL-encode the Base64 blob after removing any line breaks (see http://meyerweb.com/eric/tools/dencoder/ for an encoder/decoder)

4. Copy the URL-encoded Base64 into the URL you will use in your GET:

http://ocsp2.globalsign.com/gsextendvalg2/{URL encoded Base64 Here}

5. Do your GET:

curl --verbose --url http://ocsp2.globalsign.com/gsextendvalg2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBSgcg6ganxiAlTyqPWd0nuk87cvpAQUsLBK%2FRx1KPgcYaoT9vrBkD1rFqMCEhEhD0Xjo%2FV7lgq3ziGoWG69rA%3D%3D


If you like, you can also replay the request that was generated by OpenSSL as a POST:

curl --verbose --data-binary @ocspglobalsignca.req -H "Content-Type:application/ocsp-request" --url http://ocsp2.globalsign.com/gsextendvalg2
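The whole procedure above (steps 2 to 5 plus the POST variant) as an added Python 3 example; this is not part of the original post and uses only the standard library. It performs the encoding the same way (single-line Base64, then URL-encoding of '/', '+' and '=') and also runs the reverse direction: it takes the GET URL from step 5, recovers the DER OCSPRequest and walks its ASN.1 structure to show what the responder actually receives (hash algorithm OID, issuer name hash, issuer key hash, serial number), which is the quickest way to confirm that a hand-built URL carries the request you meant. The function names (ocsp_get_url, parse_ocsp_request and so on) are my own; the DER walker is a debugging aid that understands only the structure openssl ocsp emits here (CertID entries, optional nonce, no signature), not a general ASN.1 decoder.

```python
import base64
import urllib.parse

# Sample input: the GET URL from step 5 of this post (copied from the page).
PAGE_GET_URL = ("http://ocsp2.globalsign.com/gsextendvalg2/"
                "MFMwUTBPME0wSzAJBgUrDgMCGgUABBSgcg6ganxiAlTyqPWd0nuk87cvpAQUsLBK"
                "%2FRx1KPgcYaoT9vrBkD1rFqMCEhEhD0Xjo%2FV7lgq3ziGoWG69rA%3D%3D")

SHA1_OID = "1.3.14.3.2.26"   # hash algorithm openssl ocsp uses for CertID by default


def ocsp_get_url(responder_url, der_request):
    """Steps 2-4: Base64 the DER request on one line, URL-encode it, append it to the responder URL."""
    b64 = base64.b64encode(der_request).decode("ascii")    # b64encode emits no line breaks
    # safe="" makes quote() encode '/', '+' and '=' as %2F, %2B and %3D
    return responder_url.rstrip("/") + "/" + urllib.parse.quote(b64, safe="")


def ocsp_request_from_get_url(url):
    """Inverse of ocsp_get_url: recover the DER OCSPRequest from the last path segment."""
    encoded = url.rsplit("/", 1)[1]
    return base64.b64decode(urllib.parse.unquote(encoded))


def ocsp_post(responder_url, der_request, host=None):
    """The POST form used by the last curl command: raw DER body with the OCSP media type.
    host is an explicit Host header value, which a reverse proxy in front of the responder may need."""
    headers = {"Content-Type": "application/ocsp-request",
               "Content-Length": str(len(der_request))}
    if host:
        headers["Host"] = host
    return {"method": "POST", "url": responder_url, "headers": headers, "body": der_request}


def choose_method(der_request):
    """RFC 5019 section 5: GET for requests of at most 255 bytes after encoding (so HTTP
    caches can serve them), POST for anything larger."""
    return "GET" if len(base64.b64encode(der_request)) <= 255 else "POST"


def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Dotted-decimal form of a DER OBJECT IDENTIFIER body."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def parse_ocsp_request(der):
    """Walk OCSPRequest -> TBSRequest -> requestList -> Request -> CertID (RFC 6960 section 4.1.1).
    Optional version/requestorName tags are skipped, requestExtensions (where a nonce lives)
    are only reported as present or absent, and an optionalSignature is not checked."""
    tag, ocsp_req, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _tlv(ocsp_req, 0)
    pos = 0
    while tbs[pos] in (0xA0, 0xA1):                    # [0] version, [1] requestorName (both optional)
        _, _, pos = _tlv(tbs, pos)
    _, request_list, pos = _tlv(tbs, pos)
    has_extensions = pos < len(tbs) and tbs[pos] == 0xA2   # [2] requestExtensions
    cert_ids, p = [], 0
    while p < len(request_list):
        _, request, p = _tlv(request_list, p)
        _, cert_id, _ = _tlv(request, 0)
        _, alg, q = _tlv(cert_id, 0)                    # AlgorithmIdentifier { OID, NULL }
        _, oid, _ = _tlv(alg, 0)
        _, name_hash, q = _tlv(cert_id, q)              # OCTET STRING issuerNameHash
        _, key_hash, q = _tlv(cert_id, q)               # OCTET STRING issuerKeyHash
        _, serial, _ = _tlv(cert_id, q)                 # INTEGER serialNumber
        cert_ids.append({"hash_algorithm": _decode_oid(oid),
                         "issuer_name_hash": name_hash.hex(),
                         "issuer_key_hash": key_hash.hex(),
                         "serial": serial.hex()})
    return {"cert_ids": cert_ids, "has_request_extensions": has_extensions}


if __name__ == "__main__":
    der = ocsp_request_from_get_url(PAGE_GET_URL)
    print(len(der), "byte DER request; method:", choose_method(der))
    for cid in parse_ocsp_request(der)["cert_ids"]:
        print(cid)
    print("URL rebuilt identically:",
          ocsp_get_url("http://ocsp2.globalsign.com/gsextendvalg2", der) == PAGE_GET_URL)
```

Run as a script it decodes the page's own GET URL, reports the DER length (85 bytes, so GET is the right method under the 255-byte rule), prints the CertID fields and rebuilds the URL byte for byte. Two caveats when reproducing the openssl command from step 1: the two-argument -header "HOST" "ocsp2.globalsign.com" form belongs to OpenSSL 1.0.x, and from 1.1.0 the syntax is -header HOST=ocsp2.globalsign.com; and -noverify skips checking the responder's signature, which is fine for a transport test but not for anything that consumes the status.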

9 thoughts on “How to do OCSP requests using OpenSSL and CURL”

  1. Pingback: Measuring OCSP Responder Performance with Powershell

  2. Peter Hesse

    Thanks, this is helpful. I’m running into a problem where this works through a reverse proxy into our environment, but both OpenSSL and certutil -url fail. Ideas on how the above style of request is different than typical?

    Reply
    1. rmhrisk Post author

      Peter, if I understand correctly your environment uses a SOCKS proxy to gain access to the network where the OCSP server is located, and since neither OpenSSL nor certutil supports that natively you are asking how to run a test in such an environment? If so you probably need to use something like http://proxytunnel.sourceforge.net/

      Reply
      1. Peter Hesse

        Actually – turned out it was simply a matter of the reverse proxy needing the host header to be present in order to forward it on to the right host and therefore getting a proper response.

        Adding the following to the curl line
        --header 'Host: www.example.com'
        solved my problem.

        Thanks for the pointer to proxytunnel though.

        Reply
