Skip to content

Instantly share code, notes, and snippets.

@vanbroup
Created March 19, 2018 12:43
Show Gist options
  • Save vanbroup/ca7d52a1a6006b5ba03b43d891384ed1 to your computer and use it in GitHub Desktop.
Save vanbroup/ca7d52a1a6006b5ba03b43d891384ed1 to your computer and use it in GitHub Desktop.
Make an OCSP request with bash via OpenSSL and and obtain the certificate (chain) from the TLS handshake, replay the request with CURL.
#!/bin/bash
if [ "$#" -ne 1 ]; then
echo
echo "No hostname given to obtain certificate status"
echo "\tuse: $0 www.example.com"
echo
exit 1
fi
echo
echo Getting certificate for $1 from TLS handshake
openssl s_client -connect $1:443 -servername $1 < /dev/null 2>&1 | sed -n '/-----BEGIN/,/-----END/p' > certificate.pem
echo
echo Getting intermediates from TLS handshake
openssl s_client -showcerts -connect $1:443 < /dev/null 2>&1 | sed -n '/-----BEGIN/,/-----END/p' | sed -n '/^-----END CERTIFICATE-----/,$ p' | sed 1d > chain.pem
echo
echo Finding OCSP server in certificate
ocsp=`openssl x509 -noout -ocsp_uri -in certificate.pem`
echo
echo Extracting hostname from OCSP url
## Remove protocol part of url ##
host=$ocsp
host="${host#http://}"
host="${host#https://}"
## Remove rest of urls ##
host=${host%%/*}
echo
echo "Making OCSP request to $ocsp ($host) saving a copy of the request to ocsp.req and the response to ocsp.resp"
echo
openssl ocsp -noverify -no_nonce -respout ocsp.resp -reqout ocsp.req -issuer chain.pem -cert certificate.pem -text -url $ocsp -header 'Host' $host
echo
echo Making the same OCSP request via CURL
curl -v -o /dev/null --data-binary @ocsp.req -H "Content-Type: application/ocsp-request" --url $ocsp
@Delermando
Copy link

Hi, Paul!!
Thanks for making this gist available!
It helped me a lot to debug a problem with OCSP inside a kubernetes cluster with Kong!
Using parts of this script I notice that OCSP was failing to get request answer. And that was happening because of Istio that was blocking it.

@Delermando
Copy link

I needed to make a small correction to the script to it work here.
I change -header 'Host' $host to -header 'Host='$host
Probably due to my openssl version

Well, thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment