Checking the OCSP status of an SSL certificate

Goal: verify that OCSP is working for an SSL certificate, especially a Thawte EV certificate.

First, grab the certificate chain by opening a secure connection.

In this example I'm going to validate's certificate.

openssl s_client -connect -showcerts -tls1 -servername < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certificate-chain; 

Next split the certificates out to separate files.

csplit -n 2 -f split-certs certificate-chain "/^-----END CERTIFICATE-----/+1" '{1}'; 

Rename the split certificates to descriptive file names.

mv split-certs00 
mv split-certs01 intermediate.pem 
mv split-certs02 root.pem 

Get the various OCSP status URLs.

openssl x509 -in -noout -ocsp_uri 


openssl x509 -in intermediate.pem -noout -ocsp_uri 


Since OCSP is about verifying the chain of certificates and not the main certificate, we need to use the OCSP information from the issuing certificate to do the OCSP request, hence we're going to use

openssl ocsp -issuer intermediate.pem -no_nonce -cert -url -text


OCSP Response Data: 
OCSP Response Status: successful (0x0) 
Response Type: Basic OCSP Response 
Version: 1 (0x0) 
Responder Id: C = US, O = "thawte, Inc.", OU = Terms of use at (c)06, CN = thawte Extended Validation SSL OCSP
good
	This Update: Sep 3 20:38:50 2014 GMT 
	Next Update: Sep 10 20:38:50 2014 GMT
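
A check that can be run over output like the above, as an added example that is not part of the original post: the shell function reads `openssl ocsp ... -text 2>&1` output and reports whether the response was successful, signature-verified, `good`, and still inside its This Update / Next Update window. The function names and the sample response are constructed for illustration; it assumes openssl prints a `Response verify OK` line and a `<file>: good` status line.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# ocsp_verdict [NOW]: reads `openssl ocsp ... -text 2>&1` output on stdin.
# NOW is UTC as YYYYMMDDhhmmss (default: current time). Prints one of:
# good, revoked, unknown, stale, not-yet-valid, unverified, error
ocsp_verdict() {
    awk -v now="${1:-$(date -u +%Y%m%d%H%M%S)}" '
    # "Sep  3 20:38:50 2014 GMT" -> 20140903203850
    function stamp(s,    f, t, m) {
        split(s, f, " "); split(f[3], t, ":")
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", f[1]) + 2) / 3
        return sprintf("%04d%02d%02d%02d%02d%02d", f[4], m, f[2], t[1], t[2], t[3])
    }
    /OCSP Response Status:/      { ok = ($0 ~ /successful/) }
    /^Response verify OK/        { verified = 1 }   # responder signature checked
    /: (good|revoked|unknown)$/  { status = $NF }   # certificate status
    /This Update:/ { sub(/.*This Update: */, ""); thisupd = stamp($0) }
    /Next Update:/ { sub(/.*Next Update: */, ""); nextupd = stamp($0) }
    END {
        if (!ok || status == "")        print "error"
        else if (!verified)             print "unverified"
        else if (status != "good")      print status
        else if (now + 0 < thisupd + 0) print "not-yet-valid"
        else if (nextupd != "" && now + 0 > nextupd + 0) print "stale"
        else                            print "good"
    }'
}

# Constructed sample input, modelled on the response shown above.
sample_response() {
    cat <<'EOF'
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Sep  3 20:38:50 2014 GMT
    Next Update: Sep 10 20:38:50 2014 GMT
Response verify OK
example.pem: good
    This Update: Sep  3 20:38:50 2014 GMT
    Next Update: Sep 10 20:38:50 2014 GMT
EOF
}

sample_response | ocsp_verdict 20140905120000   # inside the validity window
sample_response | ocsp_verdict                  # current time, past Next Update
```

A "successful" response status only means the responder answered; the certificate status and the update window are separate checks, which is why the function reports them separately.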