With the big push on for fall readiness, an interesting problem cropped up this afternoon. It was reported that one of our new sites was not working in IE 11 or the Microsoft Edge browser, failing with an SSL certificate error. Since I run on a Mac, I pulled up the site in Chrome to look at the certificate, and everything looked fine. I also checked it in Safari, but that looked OK too.
I do have a Windows 10 virtual instance, so I fired it up and pointed my Edge browser at the URL in question, and that’s when I started seeing the problem. Edge would completely refuse to connect to the URL, but it wouldn’t tell me why. Next, I connected to a Windows 2008 R2 instance I have running in AWS to check what it reported, and found that IE 11 would at least show me the error (Certificate Revoked).
Ok, now I know what the problem is and know which browsers check and which browsers don’t. We quickly updated our CloudFront distribution to use the correct certificate and everything was good to go.
Since I don’t run Windows most of the time, I wanted to figure out an easier way to validate whether or not a particular certificate has been revoked. Since I knew that I could use openssl to look at certs and pull down information, I decided to figure out what commands I would need in order to check if a cert has been revoked.
In order to make the following commands easier to run (and easier to create a shell script out of), I have used variables as much as I can. The first step is to set the URL of the site you want to test:
Once that is set, download the certificate:
echo ""| openssl s_client -connect $URL:443 -servername $URL 2>&1|openssl x509 -out test.crt
Next, set the Online Certificate Status Protocol (OCSP) URL and the Issuer URL, both of which are read from the certificate’s Authority Information Access extension:
export OCSP_URI=$(openssl x509 -in test.crt -noout -ocsp_uri)
export ISSUER=$(openssl x509 -in test.crt -noout -text | grep "CA Issuers" | grep -o 'https*://[^"]*')
Download the Issuer Certificate. Most of them are in DER format, but I found that Google’s was already PEM:
# DER formatted
curl -s $ISSUER | openssl x509 -inform der -out signer.pem
# PEM formatted
curl -s $ISSUER > signer.pem
Finally, run the ocsp command to determine if the cert has been revoked or not. The -header option adds an HTTP Host header carrying the responder’s hostname, which many OCSP responders require before they will answer; the two-argument form below is the OpenSSL 1.0 syntax, while OpenSSL 1.1.0 and later take a single name=value argument (-header Host=hostname):
openssl ocsp -issuer signer.pem -cert test.crt -text -url $OCSP_URI -header "HOST" $(echo $OCSP_URI | cut -d / -f 3)
Once that has run, you will see either something like this if the certificate is revoked:
This Update: Jul 28 20:23:54 2017 GMT
Next Update: Jul 30 08:23:54 2017 GMT
Revocation Time: Jul 15 14:40:33 2017 GMT
or something like this if it is valid:
This Update: Jul 28 17:32:00 2017 GMT
Next Update: Aug 4 16:47:00 2017 GMT
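To see all three possible answers (good, revoked, unknown) without waiting for a real revocation, here is an added example that is not part of the original post. It builds a throwaway CA with openssl, issues three leaf certificates, lists one as valid and one as revoked in an index file in the format `openssl ca` maintains, and uses openssl’s file-based responder mode (-index with -reqin/-respout) in place of the live responder behind $OCSP_URI; each response is then checked with the same -issuer/-cert invocation used above. The CA name, serial numbers, dates and index entries are all constructed for the demo, and check_cert, issue_leaf, ocsp_request, ocsp_respond and ocsp_status are helper names chosen here.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): run the article's OCSP check
# against a throwaway CA so good / revoked / unknown can all be observed
# offline. Uses openssl's own file-based responder (-index/-reqin/-respout).
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed test CA; it also signs the OCSP responses (constructed, not real).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
  -subj "/CN=Demo Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# Issue a leaf with a fixed serial so the index can refer to it by that serial.
issue_leaf() {        # issue_leaf <name> <hex-serial>
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1.example.test" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -set_serial "0x$2" -days 2 -out "$WORK/$1.pem" 2>/dev/null
}
issue_leaf good    1001
issue_leaf revoked 1002
issue_leaf missing 1003   # deliberately absent from the index below

# CA index in "openssl ca" format, tab-separated:
#   status  expiry  revocation-date[,reason]  serial  file  subject
# Dates are constructed; only the serial and status columns drive the answer.
printf 'V\t491231235959Z\t\t1001\tunknown\t/CN=good.example.test\n' > "$WORK/index.txt"
printf 'R\t491231235959Z\t230601120000Z,keyCompromise\t1002\tunknown\t/CN=revoked.example.test\n' >> "$WORK/index.txt"

# Step 1: build the OCSP request from the issuer/leaf pair (same as the article).
# -no_nonce so a stored response can be re-checked later without a nonce mismatch.
ocsp_request() {      # ocsp_request <leaf.pem> <req.der>
  openssl ocsp -issuer "$WORK/ca.pem" -cert "$1" -no_nonce -reqout "$2" >/dev/null
}

# Step 2: answer the request from the index, signing with the CA key. On a real
# site this is the responder behind $OCSP_URI; here it runs offline on files.
ocsp_respond() {      # ocsp_respond <req.der> <resp.der>
  openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.pem" \
    -rsigner "$WORK/ca.pem" -rkey "$WORK/ca.key" -ndays 1 \
    -reqin "$1" -respout "$2" -noverify >/dev/null 2>&1
}

# Step 3: verify the response as the article's final command does, trusting the
# demo CA explicitly (-CAfile). The status is only reported when openssl also
# says "Response verify OK"; otherwise the function fails.
# Prints exactly one of: good / revoked / unknown.
ocsp_status() {       # ocsp_status <leaf.pem> <resp.der>
  out=$(openssl ocsp -issuer "$WORK/ca.pem" -cert "$1" -no_nonce \
          -CAfile "$WORK/ca.pem" -respin "$2" 2>&1) || { printf '%s\n' "$out" >&2; return 1; }
  case $out in
    *"Response verify OK"*) ;;
    *) printf '%s\n' "$out" >&2; return 1 ;;
  esac
  # Summary line looks like "<cert path>: revoked"; take the status word.
  printf '%s\n' "$out" | awk '/: (good|revoked|unknown)$/ { print $NF; exit }'
}

check_cert() {        # check_cert <name>  -> good | revoked | unknown
  ocsp_request "$WORK/$1.pem" "$WORK/$1.req"
  ocsp_respond "$WORK/$1.req" "$WORK/$1.resp"
  ocsp_status  "$WORK/$1.pem" "$WORK/$1.resp"
}

for name in good revoked missing; do
  printf '%-8s -> %s\n' "$name" "$(check_cert "$name")"
done
```

Two details carry over to a real site: only act on the status line when the output also contains "Response verify OK" (a response that does not verify against the issuer tells you nothing), and pass -no_nonce whenever you re-check a saved response with -respin, because a freshly built request would otherwise carry a new nonce that the stored response cannot match.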
One caveat. When I was running this on macOS Sierra, the native openssl command didn’t work, as it doesn’t seem to support the ‘-header’ option. I had to install openssl from Homebrew and use that one instead. It worked just fine on my AWS Linux instance.