
I downloaded a revoked certificate from the website https://www.ssl.com/sample-valid-revoked-and-expired-ssl-tls-certificates/. Specifically, the revoked certificate of the site https://revoked-rsa-ev.ssl.com/.

To check the verification result in OpenSSL, I downloaded the CRL and ran the command:

openssl verify -untrusted 'SSL.com EV SSL Intermediate CA RSA R3.pem' -CRLfile SSLcom-SubCA-EV-SSL-RSA-4096-R3.crl.pem -show_chain revoked-rsa-ev.ssl.com.pem

However, instead of showing it as revoked, it successfully verifies the certificate. This is the output:

revoked-rsa-ev.ssl.com.pem: OK
Chain:
depth=0: C = US, ST = Texas, L = Houston, O = SSL Corp, serialNumber = NV20081614243, CN = revoked-rsa-ev.ssl.com, postalCode = 77098, businessCategory = Private Organization, street = 3100 Richmond Ave, jurisdictionST = Nevada, jurisdictionC = US (untrusted)
depth=1: C = US, ST = Texas, L = Houston, O = SSL Corp, CN = SSL.com EV SSL Intermediate CA RSA R3 (untrusted)
depth=2: C = US, ST = Texas, L = Houston, O = SSL Corporation, CN = SSL.com EV Root Certification Authority RSA R2

Have I used the incorrect command? Moreover, even Chrome shows the certificate as trusted but not Firefox. Why is this happening?

  • From `openssl help verify` I suspect (but am not in a position to verify) that you want either `-crl_check` or `-crl_check_all` (and, possibly, `-extended_crl`). My _guess_ is you've loaded the list, but not asked it to actually check for revocation. – TripeHound May 29 '20 at 17:14
  • Yes, adding the `-crl_check` flag works. Thank you. – Teja Juluru May 29 '20 at 18:56
  • But why does Chrome show it as a valid certificate? – Teja Juluru May 29 '20 at 18:56
  • As (I think) I understand it, checking for revocation requires the browser to check for, and possibly download an up-to-date CRL, which may take a non-negligible time. There's probably a setting to control whether this happens or not. – TripeHound May 29 '20 at 19:28
  • [As that CA itself tells you](https://www.ssl.com/article/how-do-browsers-handle-revoked-ssl-tls-certificates/#ftoc-heading-2) **Chrome doesn't use (CA-issued) CRLs**. Also see https://security.stackexchange.com/questions/55811/how-are-crlsets-more-secure https://security.stackexchange.com/questions/180938/revoked-cert-not-showing-revoked-in-chrome-64-0-3282-186 https://security.stackexchange.com/questions/219443/how-well-do-current-browsers-handle-certificate-revocation – dave_thompson_085 May 30 '20 at 01:35
  • Thank you, that was a pretty fascinating read. – Teja Juluru May 30 '20 at 05:37
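
The behaviour the comments arrive at (a CRL passed with `-CRLfile` is loaded but not consulted until `-crl_check` is given) can be reproduced offline. The script below is an added example, not code from the question or the comments: it builds a throwaway root CA with the `openssl` CLI, issues a leaf, revokes it, publishes a CRL, and runs `openssl verify` both ways. The CA name, the host name `revoked.example.test`, the config file and all file names are made up for the demo; it needs only the `openssl` binary and works in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the thread's finding
# with a throwaway PKI. Without -crl_check, `openssl verify` loads the CRL but
# never consults it; with -crl_check the revoked leaf is rejected.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config: a [ca] section for revoke/gencrl and a [req] section so the
# script does not depend on the system openssl.cnf. All names are made up.
cat > demo.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = ./root.crt
private_key      = ./root.key
default_md       = sha256
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF

setup_pki() {
  mkdir -p ca
  : > ca/index.txt
  echo 1000 > ca/serial
  echo 1000 > ca/crlnumber
  # Self-signed root (the trust anchor handed to verify via -CAfile).
  openssl req -config demo.cnf -x509 -newkey rsa:2048 -nodes \
      -keyout root.key -out root.crt -subj "/CN=Demo Root CA" -days 30 2>/dev/null
  # Leaf signed by the root. No CRL distribution point is needed because the
  # CRL is handed to verify explicitly, as the question did with -CRLfile.
  openssl req -config demo.cnf -newkey rsa:2048 -nodes \
      -keyout leaf.key -out leaf.csr -subj "/CN=revoked.example.test" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -out leaf.crt -days 30 2>/dev/null
  # Revoke the leaf in the CA database and publish a CRL signed by the root.
  openssl ca -config demo.cnf -revoke leaf.crt >/dev/null 2>&1
  openssl ca -config demo.cnf -gencrl -out root.crl >/dev/null 2>&1
}

# verify_leaf [extra openssl verify flags] -> prints OK, REVOKED or FAIL.
# The CRL is always supplied; only the extra flags change.
verify_leaf() {
  if out="$(openssl verify -CAfile root.crt -CRLfile root.crl "$@" leaf.crt 2>&1)"; then
    echo OK
  elif printf '%s\n' "$out" | grep -qi 'certificate revoked'; then
    echo REVOKED
  else
    echo FAIL
  fi
}

setup_pki
echo "without -crl_check: $(verify_leaf)"             # OK (CRL loaded, never consulted)
echo "with    -crl_check: $(verify_leaf -crl_check)"  # REVOKED
```

Two things worth keeping in mind when adapting this to a real chain like the one in the question: `-crl_check` only consults the CRL for the leaf, while `-crl_check_all` checks every certificate in the chain and therefore needs a CRL from every issuer, not just the intermediate's; and a revoked result is reported both as the `certificate revoked` message and as a non-zero exit status, which is what scripts should key on.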
