28

The recent discovery of the heartbleed vulnerability has prompted certificate authorities to re-issue certificates.

I have two certificates that were generated before the heartbleed vulnerability was discovered. After the SSL issuer told me to regenerate the certificate, I updated both my servers/domains with the new certificates.

If my understanding is correct, then the old certificates should have been revoked by the CA and should have made it to the CRL (Certificate Revocation List) or the OCSP database (Online Certificate Status Protocol); otherwise it is technically possible for someone to perform a "man in the middle attack" by regenerating the certificates from information picked up from compromised certificates.

Is there a way to check if my old certificates have made it to the CRL and OCSP? If they haven't, is there a way to get them included?

UPDATE: The situation is that I have already replaced my certificates; all I have is the .crt files of the old certificates, so using the URL to check is not really possible.

4 Answers

19

Get the OCSP URL from your cert:

$ openssl x509 -noout -ocsp_uri -in /etc/letsencrypt/archive/31337.it/cert1.pem
http://ocsp.int-x1.letsencrypt.org/
$

Send a request to the OCSP server to check if the cert is revoked or not:

$ openssl ocsp -issuer /etc/letsencrypt/archive/31337.it/chain4.pem -cert /etc/letsencrypt/archive/31337.it/cert4.pem -text -url http://ocsp.int-x1.letsencrypt.org/ -header "HOST" "ocsp.int-x1.letsencrypt.org"
...
        This Update: Oct 29 10:00:00 2015 GMT
        Next Update: Nov  5 10:00:00 2015 GMT
$

This is a good cert.

This is a revoked cert:

$  openssl ocsp -issuer /etc/letsencrypt/archive/31337.it/chain3.pem -cert /etc/letsencrypt/archive/31337.it/cert3.pem -text -url http://ocsp.int-x1.letsencrypt.org/ -header "HOST" "ocsp.int-x1.letsencrypt.org"
...
        This Update: Oct 29 12:00:00 2015 GMT
        Next Update: Nov  5 12:00:00 2015 GMT
        Revocation Time: Oct 29 12:33:57 2015 GMT
$
Simon
  • 686
17

You can use certutil on Windows:

If you have a certificate and want to verify its validity, perform the following command:

certutil -f -urlfetch -verify [FilenameOfCertificate]

For example, use

certutil -f -urlfetch -verify mycertificatefile.cer

Source / More info: TechNet

Additionally, be sure to check with your CA. Just because you rekey the cert / get a new one does not mean they automatically revoke it!

MichelZ
  • 11,238
5

You can use this SSLLabs service to test SSL certificates, but you need them to be accessible from the web. Moreover, you can find out some more information, because this service provides some auditing.

mack
  • 81
2

If you have revoked the certificates through the CA that generated them, then they would have made it to OCSP and CRLs.

If you would like to make sure that that is the case, then please extract the OCSP URL from the certificate, construct an OCSP request to that URL including the certificate serial number and the CA issuer cert, retrieve the OCSP response, and then one could parse it to check and confirm that it is indeed revoked.

More details at this useful page: http://backreference.org/2010/05/09/ocsp-verification-with-openssl/

Note: this requires usage of the openssl library.

Edit1: I see that you have added information on OCSP and CRL explicitly after this answer.

Khanna111
  • 234
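The exchange Khanna111 describes above (and that Simon's `openssl ocsp` command performs) as an added example, not code from the original thread: build the OCSP request for a certificate, have a stand-in for the CA's responder answer it, then verify and parse the response on the client side. It uses the `cryptography` Python package (assumed installed); the CA, the leaf cert, the names, the in-process responder and the direct signing of responses with the issuer key are all constructed assumptions, since no real CA or HTTP transport is involved.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
NOW = datetime.now(timezone.utc).replace(tzinfo=None)  # naive UTC, as the x509 builders take it

def _sign_cert(subject, issuer_name, pubkey, signer_key):
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer_name)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + timedelta(days=1))
            .sign(signer_key, hashes.SHA256()))

def make_test_pki():
    # Constructed CA and leaf (hypothetical names), standing in for the issuer chain and the old .crt
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    ca = _sign_cert(ca_name, ca_name, ca_key.public_key(), ca_key)
    leaf = _sign_cert(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "old.example.test")]), ca_name,
                      rsa.generate_private_key(public_exponent=65537, key_size=2048).public_key(), ca_key)
    return ca_key, ca, leaf

def build_request_der(cert, issuer):
    # The request names the cert by hashed issuer name/key plus serial; this is what gets POSTed to the OCSP URL
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1()).build()
    return req.public_bytes(serialization.Encoding.DER)

def simulated_responder(request_der, cert, issuer, issuer_key, revoked):
    # Stand-in for the CA's responder; a real one looks the requested serial up in its revocation database
    req = ocsp.load_der_ocsp_request(request_der)
    assert req.serial_number == cert.serial_number, "serial unknown to this responder"
    resp = ocsp.OCSPResponseBuilder().add_response(
        cert=cert, issuer=issuer, algorithm=hashes.SHA1(),
        cert_status=ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD,
        this_update=NOW, next_update=NOW + timedelta(days=7), revocation_time=NOW if revoked else None,
        revocation_reason=x509.ReasonFlags.key_compromise if revoked else None,
    ).responder_id(ocsp.OCSPResponderEncoding.NAME, issuer).sign(issuer_key, hashes.SHA256())
    return resp.public_bytes(serialization.Encoding.DER)

def check_response(response_der, cert, issuer):
    # Client side: verify the signature with the issuer key (assumes no delegated responder cert) before trusting anything
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError(f"responder error: {resp.response_status.name}")
    issuer.public_key().verify(resp.signature, resp.tbs_response_bytes, padding.PKCS1v15(), resp.signature_hash_algorithm)
    if resp.serial_number != cert.serial_number:
        raise ValueError("response is for a different serial number")
    return resp.certificate_status.name.lower()  # "good", "revoked" or "unknown"
```

Against a live CA, the bytes from build_request_der() go in an HTTP POST (Content-Type application/ocsp-request) to the URL that `openssl x509 -ocsp_uri` prints, and the response body goes to check_response(); for an old .crt you only need the file itself plus the issuer cert, not a running server.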