Checking the OCSP status of an SSL certificate

Goal: verify that OCSP is working for an SSL certificate, especially a Thawte EV certificate.

First, grab the certificate chain by opening a secure connection.

In this example I'm going to validate www.parrotsnap.com's certificate.

openssl s_client -connect www.parrotsnap.com:443 -showcerts -tls1 -servername www.parrotsnap.com < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certificate-chain; 

Next, split the certificates out into separate files.

csplit -n 2 -f split-certs certificate-chain "/^-----END CERTIFICATE-----/+1" '{1}'; 

Rename the split files to descriptive names.

mv split-certs00 www.parrotsnap.com.pem 
mv split-certs01 intermediate.pem 
mv split-certs02 root.pem 

Get the various OCSP status URLs.

openssl x509 -in www.parrotsnap.com.pem -noout -ocsp_uri 

Output: http://ocsp.thawte.com

openssl x509 -in intermediate.pem -noout -ocsp_uri 

Output: http://EVSecure-ocsp.thawte.com

Because OCSP is about verifying the chain of certificates and not the main certificate, we need to use the OCSP information from the issuing certificate to make the OCSP request, so we're going to use http://EVSecure-ocsp.thawte.com

openssl ocsp -issuer intermediate.pem -no_nonce -cert www.parrotsnap.com.pem -url http://EVSecure-ocsp.thawte.com -text

Response

OCSP Response Data: 
OCSP Response Status: successful (0x0) 
Response Type: Basic OCSP Response 
Version: 1 (0x0) 
Responder Id: C = US, O = "thawte, Inc.", OU = Terms of use at https://www.thawte.com/cps (c)06, CN = thawte Extended Validation SSL OCSP 
www.parrotsnap.com.pem: good 
	This Update: Sep 3 20:38:50 2014 GMT 
	Next Update: Sep 10 20:38:50 2014 GMT
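
The steps above, collected into shell functions so the check can run unattended. This is an added example, not part of the original post, and it goes beyond the post by handling chains of any length and by turning every non-"good" answer into a failing exit code. The function names (split_chain, ocsp_verdict, check_ocsp) are illustrative, and the responder URL is passed in by the caller rather than chosen by the script.

```shell
# Added example; the function names are illustrative, not from the post.

# split_chain BUNDLE PREFIX
# Write each PEM certificate in BUNDLE to PREFIX00.pem, PREFIX01.pem, ... and
# print how many were found. Works for any chain length, unlike csplit with a
# fixed '{1}' repeat count.
split_chain() {
    awk -v prefix="$2" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s%02d.pem", prefix, n++) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}

# ocsp_verdict CERTFILE
# Read `openssl ocsp` output on stdin and print the status reported for
# CERTFILE (good, revoked or unknown), or "error" if the responder did not
# answer successfully or gave no usable status line for CERTFILE.
# Returns 0 only for "good", so the result can gate a monitoring job.
ocsp_verdict() {
    awk -v cert="$1" '
        /OCSP Response Status:/ && !/successful/ { bad = 1 }
        index($0, cert ": ") == 1                { status = $NF }
        END {
            if (bad || status !~ /^(good|revoked|unknown)$/) status = "error"
            print status
            exit (status == "good" ? 0 : 1)
        }
    '
}

# check_ocsp HOST RESPONDER_URL
# The steps above end to end (needs network access). Assumes the server sends
# its own certificate first and the issuing certificate second.
check_ocsp() {
    dir=$(mktemp -d) || return 2
    openssl s_client -connect "$1:443" -servername "$1" -showcerts \
        </dev/null 2>/dev/null |
        sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$dir/chain"
    rc=2
    if [ "$(split_chain "$dir/chain" "$dir/cert")" -ge 2 ]; then
        openssl ocsp -issuer "$dir/cert01.pem" -cert "$dir/cert00.pem" \
            -no_nonce -url "$2" -text 2>/dev/null | ocsp_verdict "$dir/cert00.pem"
        rc=$?
    fi
    rm -rf "$dir"
    return "$rc"
}
```

Calling check_ocsp with the host and responder URL used above prints one word (good, revoked, unknown or error) and exits 0 only for good; exit code 2 means the chain could not be fetched or contained fewer than two certificates.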