Knowledge Base

Online Certificate Status Protocol (OCSP) Validation with OpenSSL – Sectigo Private CA

July 24, 2020 in Sectigo Validation and SSL Validation FAQs

If you need to validate the OCSP implementation of your Sectigo Private CA, you can simulate what a client machine does when asking the CA if a certificate is valid.
As an alternative to using a CRL, you don't need to download the entire list of revoked certificates. Instead, you can check the status of just one certificate with OCSP.


To do so, follow these steps:

1. Obtain a Device certificate issued from your Sectigo Private CA and save it as a .pem file
2. Obtain the Issuing certificate from your Sectigo Private CA chain and save it as a .pem file
3. Run the following OpenSSL command using the Device certificate .pem file from step 1

$ openssl x509 -noout -ocsp_uri -in device-cert.pem
http://myprivateca.ocsp.sectigo.com


4. Perform verification for the device certificate status:

$ openssl ocsp -issuer IssuingCertificate.pem -cert device-cert.pem -text -url
http://myprivateca.ocsp.sectigo.com

5. The response will be similar to:

OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 26B35BBC0CDS567F5904B19C5B3F5DS67894FBF78AE35E0006F0544B
Issuer Key Hash: 104BC909521547FD6A47FAD58FB273C4BC59C414DAF63702C0E
Serial Number: A5E7D6FE7867686ADFE60F33FB5B4F870646654058FF67C
Request Extensions:
OCSP Nonce:
04107BFB246CC6EDF7678FA6F4D50B4417473A1E12BB60
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: 104BC909AAAFE678A86521558FB273C4BC59C414DAF63702C0E
Produced At: Jul 22 01:00:02 2020 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 26B35BEF68768A6BC0C5904B19C5B3BF78AE35E0006F0544B
Issuer Key Hash: 104BC486EF48A909521558FB273C4BC59C414DAF63702C0E
Serial Number: A5E760E5FA5975F33FB5B4F870646654058FF67C
Cert Status: good
This Update: Jul 22 01:00:02 2020 GMT
Next Update: Jul 29 01:00:02 2020 GMT
Signature Algorithm: sha256WithRSAEncryption
52:80:2c:9d:60:1a:05:3f:53:2b:b2:78:85:70:f9:de:2c:a6:
18:9c:53:7b:1e:8d:43:cf:20:a0:59:c9:b1:11:d9:b2:f3:e6:
a5:bb:ec:15:a7:69:93:9a:e3:a3:13:b4:05:64:74:29:84:3a:
5a:4b:c5:98:76:d3:96:bf:7e:6f:46:34:5H:1e:31:06:20:83:
ea:12:a6:f1:a9:e7:f0:be:1c:ca:03:38:57:3c:19:83:d5:ee:
f6:7a:9f:c3:df:44:b1:ef:10:d0:60:7d:8b:67:89:dd:4b:f0:
ab:3a:4a:f6:0b:a9:5d:56:4c:89:81:03:a8:84:79:f6:f1:1a:
1e:81:be:57:cc:f3:0c:d4:23:cb:aa:ab:34:95:fd:ba:7f:df:
f8:6e:ed:77:2a:78:90:db:10:65:8B:da:f2:72:57:fa:71:45:
9b:a7:0b:6b:2f:52:db:f6:0b:10:a9:79:a6:7a:fd:b4:fb:eb:
90:c6:07:13:26:9e:79:72:88:5f:bd:a5:89:7b:bf:53:af:7e:
fb:e7:38:4c:97:f3:9e:4f:af:ab:82:5a:b6:b4:5d:0c:72:b5:
5f:71:a3:0f:69:68:43:ff:36:ca:81:ed:a2:6e:25:f3:4b:61:
bb:1a:2b:38:74:22:6d:39:25:18:32:79:1b:e6:7c:7d:fe:6a:
68:e9:0e:2a:e6:40:a1:32:8e:d6:9d:1a:f9:da:79:71:01:2e:
80:21:1a:37:7a:7c:17:b6:e1:55:6e:14:5a:62:fe:51:64:94:
7a:f5:a8:e4:5b:ad:9a:c8:63:18:9d:89:20:12:77:ac:f3:a6:
d3:fc:76:69:8f:98:3c:a9:23:93:9e:fa:91:e5:61:6d:18:bc:
23:ef:ef:37:c9:c9:95:10:53:85:bf:6b:72:e6:cc:cd:b5:f9:
b5:71:c3:2d:ab:cd:ea:bb:41:62:2d:85:3d:7c:77:4c:dc:08:
40:f6:78:90:fe:19:70:20:ce:20:07:a4:c1:f6:1a:42:c2:59:
82:6c:6a:8d:10:5f
WARNING: no nonce in response
Response verify OK
device-cert.pem: good
This Update: Jul 22 01:00:02 2020 GMT
Next Update: Jul 29 01:00:02 2020 GMT

Related articles