27

The recent discovery of the heartbleed vulnerability has prompted certificate authorities to re-issue certificates.

I have two certificates that were generated before the heartbleed vulnerability was discovered. After the SSL issuer told me to regenerate the certificate, I have updated both my servers/domains with the new certificates.

If my understanding is correct, then the old certificates should have been revoked by the CA and should have made it to the CRL (Certificate Revocation List) or the OCSP database (Online Certificate Status Protocol); otherwise it is technically possible for someone to perform a "man in the middle attack" by regenerating the certificates from information picked up from compromised certificates.

Is there a way to check if my old certificates have made it to the CRL and OCSP? If they haven't, is there a way to get them included?

UPDATE: The situation is that I have already replaced my certificates; all I have is the .crt files of the old certificates, so using the URL to check is not really possible.

sridhar pandurangiah

4 Answers

15

You can use certutil on Windows:

If you have a certificate and want to verify its validity, perform the following command:

certutil -f -urlfetch -verify [FilenameOfCertificate]

For example, use

certutil -f -urlfetch -verify mycertificatefile.cer

Source / More info: TechNet

Additionally, be sure to check with your CA. Just because you rekey the cert / get a new one, does not mean they automatically revoke it!

MichelZ
  • To install `certutil` on Ubuntu server use the command `sudo apt-get install libnss3-tools`. This is not obvious as searching the apt-get cache returns no results for the string `certutil`. I know that the OP's server is CentOS, but it is possible that other Ubuntu Server admins will find this question helpful as well. – dotancohen Apr 22 '14 at 11:25
  • My answer was purely *Windows* based. I don't know of any *nix implementation of this. See [here](http://stackoverflow.com/questions/2913440/openssl-how-to-check-if-a-certificate-is-revoked-or-not) for a possible *nix solution – MichelZ Apr 22 '14 at 11:31
  • @dotancohen While that program is also called `certutil`, it's not the same program as `certutil.exe` on Windows, and is not used in the same way. – Dan Getz Oct 19 '15 at 13:30
15

Get the ocsp url from your cert:

$ openssl x509 -noout -ocsp_uri -in /etc/letsencrypt/archive/31337.it/cert1.pem
http://ocsp.int-x1.letsencrypt.org/
$

Send a request to the ocsp server to check if the cert is revoked or not:

$ openssl ocsp -issuer /etc/letsencrypt/archive/31337.it/chain4.pem -cert /etc/letsencrypt/archive/31337.it/cert4.pem -text -url http://ocsp.int-x1.letsencrypt.org/ -header "HOST" "ocsp.int-x1.letsencrypt.org"
...
        This Update: Oct 29 10:00:00 2015 GMT
        Next Update: Nov  5 10:00:00 2015 GMT
$

This is a good cert.

This is a revoked cert:

$  openssl ocsp -issuer /etc/letsencrypt/archive/31337.it/chain3.pem -cert /etc/letsencrypt/archive/31337.it/cert3.pem -text -url http://ocsp.int-x1.letsencrypt.org/ -header "HOST" "ocsp.int-x1.letsencrypt.org"
...
        This Update: Oct 29 12:00:00 2015 GMT
        Next Update: Nov  5 12:00:00 2015 GMT
        Revocation Time: Oct 29 12:33:57 2015 GMT
$
Simon
  • This worked for me (thanks), but thought I would also mention that in addition to the Revocation Time, my output displayed a Revocation Reason as well, which was helpful when we contacted the issuer trying to figure out what the heck was going on with the cert. – sdek May 12 '17 at 18:14
  • This almost works for me (openssl 1.1.1 on Ubuntu 18.04); I need to replace the space after HOST with an equals sign (`=`). (The hostname that follows is different, too.) – reinierpost Feb 01 '22 at 16:49
5

You can use this SSLLabs service to test SSL certificates, but you need them to be accessible from the web. Moreover, you can find out some more information, because this service provides an audit.

mack
  • This requires that the server runs with the old certificate. But having regenerated my certificates, all I have is the .crt file of the old certificate. – sridhar pandurangiah Apr 29 '14 at 10:54
1

If you have revoked the certificates through the CA that generated them then they would have made it to OCSP and CRLs.

If you would like to make sure that that is the case, then please extract the OCSP URL from the certificate, construct an OCSP request to that URL including the certificate serial number and the CA issuer cert, retrieve the OCSP response, and then parse it to check and confirm that it is indeed revoked.

More details at this useful page: http://backreference.org/2010/05/09/ocsp-verification-with-openssl/

Note: this requires use of the openssl library.

Edit1: I see that you have added information on OCSP and CRL explicitly after this answer.

Khanna111
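Both Simon's openssl walk-through and Khanna111's description of building an OCSP request can be exercised without a live CA. The script below is an added example, not code from any of the answers: it creates a throwaway CA and leaf certificate (every name and path is constructed for the demo), then checks the leaf by serial against a CRL and by a local OCSP request/response round-trip in which openssl plays the CA's responder from its own index, before and after revoking the leaf for key compromise.

```shell
set -eu
WORK=$(mktemp -d); cd "$WORK"
# Throwaway CA, one leaf it signed, and the minimal config that lets `openssl ca`
# track, revoke and publish CRLs for that leaf (every name here is constructed).
make_demo_pki() {
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' '[ca]' 'default_ca = demo' \
    '[demo]' 'database = index.txt' 'crlnumber = crlnumber' 'certificate = ca.pem' \
    'private_key = ca.key' 'default_md = sha256' 'default_crl_days = 7' > ca.cnf
  : > index.txt; echo 01 > crlnumber
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key \
    -out ca.pem -days 30 -subj "/CN=Demo CA" >/dev/null 2>&1
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
    -out leaf.csr -subj "/CN=old.example.test" >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out leaf.pem -days 30 >/dev/null 2>&1
  openssl ca -config ca.cnf -valid leaf.pem >/dev/null 2>&1   # CA records the leaf as issued
  openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
}

# CRL check that needs nothing but the old .crt and a CRL file (the situation in the
# question's update): is the certificate's serial listed?  Prints revoked or good.
crl_status() {   # $1 = certificate PEM, $2 = CRL PEM
  serial=$(openssl x509 -in "$1" -noout -serial | cut -d= -f2)
  if openssl crl -in "$2" -noout -text | grep -q "Serial Number: $serial"; then
    echo revoked
  else
    echo good
  fi
}

# OCSP without a network: build the request -url would send, answer it from the CA's
# index (the responder's job), then verify the signed response against the issuer
# the way a client does.  Prints good, revoked or unknown.
ocsp_status() {   # $1 = certificate PEM, $2 = issuer PEM, $3 = issuer key, $4 = index.txt
  openssl ocsp -issuer "$2" -cert "$1" -no_nonce -reqout req.der >/dev/null 2>&1
  openssl ocsp -index "$4" -CA "$2" -rsigner "$2" -rkey "$3" -noverify -no_nonce \
    -reqin req.der -respout resp.der >/dev/null 2>&1
  openssl ocsp -issuer "$2" -cert "$1" -no_nonce -respin resp.der -CAfile "$2" \
    2>/dev/null | grep -oE '(good|revoked|unknown)$' | head -n 1
}
# What a CA does after a report like Heartbleed: revoke for key compromise, publish a CRL.
revoke_leaf() {
  openssl ca -config ca.cnf -revoke leaf.pem -crl_reason keyCompromise >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
}
make_demo_pki
echo "before revocation: CRL=$(crl_status leaf.pem crl.pem) OCSP=$(ocsp_status leaf.pem ca.pem ca.key index.txt)"
revoke_leaf
echo "after revocation:  CRL=$(crl_status leaf.pem crl.pem) OCSP=$(ocsp_status leaf.pem ca.pem ca.key index.txt)"
```

Against a real CA you would replace `crl.pem` with the CRL downloaded from the certificate's CRL distribution point and `ocsp_status` with Simon's `-url` invocation; the serial comparison and the status words are the same.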