Ssl
如何檢查letsencrypt證書是否已被吊銷
我正在嘗試根據此答案檢查letsencrypt頒發的證書是否已被吊銷:
openssl ocsp -issuer highschoolhelper.org_fullchain.crt -cert highschoolhelper.org_fullchain.crt \ -text -url http://ocsp.int-x3.letsencrypt.org -header "HOST" "ocsp.int-x3.letsencrypt.org"highschoolhelper.org_fullchain.crt 內容:
-----BEGIN CERTIFICATE----- MIIGezCCBWOgAwIBAgISBIblodC5xtlygKwk1HxrVSNwMA0GCSqGSIb3DQEBCwUA MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0yMDA1MjQwMjAzMjNaFw0y MDA4MjIwMjAzMjNaMB8xHTAbBgNVBAMTFGhpZ2hzY2hvb2xoZWxwZXIub3JnMIIC IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoJoYehVRN/qnOOM5phcdlknH Je8k+TbZjW+drtX7i3zik/se2rR3Gj16da5A4vx6irK+SasdU2ckwcC4GGCa0ILM gCcwE/rI1km65A5KudSA9tz494olkIxAuwhHXdOHZjBQ9fx211Jol0drqvc2cnS5 Camnx6ibYeGvZqadMC9iIqiZ2WIYr1cJCBeOJrk4f9hZnNSA/nghgyq4ajzKc+R4 nNBy2pl50VYdzV465MIdRKtuJvnoPPtwf0Z605gXwibI8rsA4kUcJj3QS7vcxsfw W8xgu9lwHm0K5DZiSiBfzxyOMui7BFDSek25kf98e+ZNb/Eqz+JXSEk9udMDbPx8 nVtskoW6HaxL2D/qjHuI7DQnTP7SR/+OA6av6ZKSH+7KLtU7aN2i9itsNJA5AlZC KGKmuTO+xCuI2Fi4QueacfnGqmC2+/rXtEu1vtuu0zL1W8J2JhR9ocOOC/e5Fjld hufYVpEyJwSxbjCGSOhVX0DqIgLSucHlJceKNVZBlx8Oh0KNjcjpfvHhKZlJ/SyL AUYT5tbJ/YMqr4Lr3RHqRZL22H93aFAoyHw2doPS88fwjUn+hYgk9TaEtLLfa8yT j/C5c7cZf42sq0gyb9xQkpah50Ft9HNEJcs1HrTjVJxDFEFTG99odK//GiFsKlj9 x+3GOufni0GydETRC1UCAwEAAaOCAoQwggKAMA4GA1UdDwEB/wQEAwIFoDAdBgNV HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E FgQUYxGSiRqEnPR1Ad6Fj4P/YrlDGZowHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3 pkVl7/Oo7KEwbwYIKwYBBQUHAQEEYzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2Nz cC5pbnQteDMubGV0c2VuY3J5cHQub3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2Vy dC5pbnQteDMubGV0c2VuY3J5cHQub3JnLzA5BgNVHREEMjAwghRoaWdoc2Nob29s aGVscGVyLm9yZ4IYd3d3LmhpZ2hzY2hvb2xoZWxwZXIub3JnMEwGA1UdIARFMEMw CAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9j cHMubGV0c2VuY3J5cHQub3JnMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHYAXqdz +d9WwOe1Nkh90EngMnqRmgyEoRIShBh1loFxRVgAAAFyRKKP1gAABAMARzBFAiBj Vo3hgkLNSJBNdhiymhBkYym5sOaRqWswrQCZeRaX/AIhAJ/CqfyvYvtIudJ3fjaN +eQFm24CE+MmUql+4Q6vNV7dAHcAB7dcG+V9aP/xsMYdIxXHuuZXfFeUt2ruvGE6 GmnTohwAAAFyRKKP/QAABAMASDBGAiEAlVvbTUpmGlXE6ARMENw3oIAlzoacBlG6 ZgNRinb3SuUCIQCcaqd5cDIKlFY00rQ3A/CiLkRJsyLu7SGRtWd2SbtTyDANBgkq hkiG9w0BAQsFAAOCAQEAbFJFXt7rhu6cftRhLF+8sC8+Iv8qL0qVAjFfyckz1QpT mqKMPpi56sLc25HI4BxOlCh7HBbD4qu/G/PFWaihSkzOWqub9PkcgbxaK4TKWJr8 LYWYv+PxmtbTeA9bNeMxPMuL4KraOog6XyI4gxjP0Pa+vONjrDsCBnO5ZuskbkK4 2MqNbVQT4W0Arx51ZP4uaNZYZHPtr0aByn6KF5KPP/TTA+V5T8yKFCzBpHm33g7n bk3RDQeqpiFdCwXc7mkZRpj+o+SM4WfBXp399mGoGkBjh73n9k4L2PCwY6nt5sgB NXW14dJwThtD5llBdTlxbg/LlBp9y1gT5Je3F2IB6A== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/ MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8 SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0 Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj /PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/ wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6 KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg== -----END CERTIFICATE-----但我得到的是這個輸出:
OCSP Request Data: Version: 1 (0x0) Requestor List: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D Issuer Key Hash: 631192891A849CF47501DE858F83FF62B943199A Serial Number: 0486E5A1D0B9C6D97280AC24D47C6B552370 Request Extensions: OCSP Nonce: 0410193D65F8B1D045055EE5862101F61D02 Responder Error: unauthorized (6)
您的輸入文件包含兩個證書:首先是葉證書,其次是鏈證書。
-issuer鏈證書是葉子證書的頒發者,因此如果要檢查葉子證書(-cert參數),則需要將其用於參數。只是,您為頒發者和證書提供相同的文件。在這兩種情況下,它都會從文件中取出第一個證書,這意味著它將為頒發者和證書使用相同的證書——這是錯誤的。要解決此問題,請將您的文件分成兩部分:將第一個證書放入
cert.pem,第二個放入issuer.pem,然後重試:$ openssl ocsp -issuer issuer.pem -cert cert.pem \ -text -url http://ocsp.int-x3.letsencrypt.org -header "HOST" "ocsp.int-x3.letsencrypt.org" ... OCSP Response Data: ... Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 ... Cert Status: good This Update: May 24 03:00:00 2020 GMT Next Update: May 31 03:00:00 2020 GMT