5

I would like to know whether an SSL certificate was revoked. The website no longer serves up that certificate, I only have the domain name and the serial number.

The SSL certificate was replaced 5 months before expiry without explanation. That doesn't sound normal to me as that's nearly 25% of the lifetime of the certificate "thrown away" early so I suspect it was revoked.

I would like to know how to check this, as I can only find methods that will check the status of a "live" certificate.

Rodney
  • This is not as unusual as you would think. My cert provider gave me a wildcard certificate once I had more than 5 certs because it's cheaper. In the process, they revoked all of my old certificates and gave me a credit towards the new one. – longneck Jun 18 '14 at 14:37
  • The new certificate has approx 20 alternate (sub) domain names so that could be part of the explanation. – Rodney Jun 18 '14 at 15:01
  • A very large percentage of web sites replaced their certificates within the last few months due to Heartbleed. Perhaps you weren't aware of this? – Michael Hampton Jun 18 '14 at 16:00
  • Yes this is what I am trying to investigate as the site operator is keeping quiet about whether or not they were affected. There may of course be other explanations. – Rodney Jun 20 '14 at 15:58

2 Answers

3

If the cert provider and the signing certificate are the same in both the old and the new certificates, then you can use the CRL link in the new certificate. This will list all of the certificates revoked under the signing certificate.

longneck
0

You need to find another Comodo Class 2 certificate, extract the CRL from it, download the CRL and check it for the ID with:

openssl crl -inform DER -text -in tmp.crl
liquidat
  • The old certificate was the Verisign one so I assume it's a Verisign revocation list I must use? Luckily I had the following text in a screen shot "VeriSign Class 3 International Server CA - G3" and googling for that I found the crl [here](http://crl.verisign.com/SVRIntlG3.crl) so if it's not on that CRL then it's not been revoked right? The new issuer (Comodo) would not be able to revoke a VeriSign issued cert – Rodney Jun 20 '14 at 15:47
  • Given that the CRL corresponds to the actual certificate (which is what your screenshot says) then it seems that the certificate was not revoked, yes. – liquidat Jul 28 '14 at 15:22
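As an added illustration, not part of either answer above: a stdlib-only Python checker that walks the DER structure of a downloaded CRL (for example the VeriSign file above saved as tmp.crl) and reports whether a given serial number appears in revokedCertificates. The CRL it runs against is a constructed sample, not a real CA's list, and the code does not verify the CRL's signature or freshness, so the `openssl crl` step in the answer still belongs alongside it.

```python
def _tlv(buf, pos):
    """Read one DER TLV starting at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield the (tag, value) pairs nested inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner

def revoked_serials(crl_der):
    """Return {serial: revocationDate} for every entry in the CRL's revokedCertificates."""
    _, cert_list, _ = _tlv(crl_der, 0)              # CertificateList ::= SEQUENCE
    _, tbs, _ = _tlv(cert_list, 0)                  # tbsCertList ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0x02:                        # optional version INTEGER
        fields = fields[1:]
    # fields: signature, issuer, thisUpdate, [nextUpdate], [revokedCertificates], [crlExtensions]
    revoked = {}
    for tag, value in fields[3:]:
        if tag == 0x30:                             # only revokedCertificates is a SEQUENCE here
            for _, entry in _children(value):
                (_, serial), (_, when) = list(_children(entry))[:2]
                revoked[int.from_bytes(serial, "big", signed=True)] = when.decode()
    return revoked

def is_revoked(crl_der, serial_hex):
    """serial_hex as a browser or openssl shows it, e.g. '12:34:AB:CD' or '1234abcd'."""
    return int(serial_hex.replace(":", "").replace(" ", ""), 16) in revoked_serials(crl_der)

# --- constructed sample CRL for testing; not a real CA's CRL, placeholder signature ---
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + payload

def _int(v):                                        # minimal two's-complement DER INTEGER
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def sample_crl():
    utc = lambda s: _der(0x17, s.encode())          # UTCTime
    entry = lambda serial, when: _der(0x30, _int(serial) + utc(when))
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    issuer = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x13, b"Example CA"))))
    tbs = _der(0x30, _int(1) + sha256_rsa + issuer + utc("140618000000Z") + utc("140718000000Z")
               + _der(0x30, entry(0x1234ABCD, "140601120000Z") + entry(0xABCD, "140605090000Z")))
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00" * 9))
```

Replace `sample_crl()` with `open("tmp.crl", "rb").read()` to check a downloaded CRL against the serial from your screenshot.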