I want to verify whether an Apple .p12 certificate has been revoked.
I am checking it with OpenSSL, but the check fails with:
Responder Error: unauthorized (6)
openssl s_client -connect ocsp.apple.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > cert.pem
openssl s_client -showcerts -connect ocsp.apple.com:443 < /dev/null 2>&1 | sed -n '/-----BEGIN/,/-----END/p' > chain.pem
openssl x509 -noout -ocsp_uri -in cert.pem
openssl ocsp -issuer chain.pem -cert cert.pem -text -url http://ocsp.apple.com/ocsp03-apevsecc1g101 -header "HOST" "ocsp.apple.com"
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 99A13D5E339D6899F2F62D3449CA0FB7AD56A71D
Issuer Key Hash: 45F2A8DA2EF4DD5AE49E079E4B7B289B3BB20B31
Serial Number: 5E652F93666E7A5B3966551A0C167BAA
Request Extensions:
OCSP Nonce:
0410AB2982A627A49BA9AC9E06A9C4FE28B2
Responder Error: unauthorized (6)
chain.pem may only contain the intermediate and root certificates. The way you are invoking openssl pulls in the whole chain. So: remove the certificate from chain.pem and try again.
For what it's worth (or for future readers), here is my solution:
Note: I am sending the request to a Microsoft OCSP responder.
Fix: I had to specify the -CAfile and -no_nonce parameters.
openssl ocsp -no_nonce -issuer ca_chain.cer -CAfile ca_chain.cer -cert test.cer -text -url http://ocsp.myorg.com/ocsp
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 555D0C30ACDDA1D39CAFB5C0B33BD73475C903D8
Issuer Key Hash: 3E8B5EE3BF6D026D69F3005CCE08BE60C245F3EE
Serial Number: 3E002C0FFFDA2BE9708A43E3270000002C0FFF
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C012856C236D6AA6EC5F835AC25F17EBECB8BC10
Produced At: Nov 8 05:36:39 2022 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 555D0C30ACDDA1D39CAFB5C0B33BD73475C903D8
Issuer Key Hash: 3E8B5EE3BF6D026D69F3005CCE08BE60C245F3EE
Serial Number: 3E002C0FFFDA2BE9708A43E3270000002C0FFF
Cert Status: revoked
Revocation Time: Oct 27 21:26:12 2022 GMT
Revocation Reason: cessationOfOperation (0x5)
This Update: Nov 8 00:50:02 2022 GMT
Next Update: Nov 8 17:10:02 2022 GMT
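Putting both answers together in one script, as an added example that is not code from the question or from either answer: the issuer file is built without the leaf (first answer), and the query passes -CAfile and -no_nonce (second answer). The host name, directory layout and the placeholder PEM bodies in the demo are assumptions; ocsp_check needs a real chain and network access, so the stand-alone demo only exercises the splitting step.

```shell
#!/bin/sh
# Added example, not from the question or the answers above. Automates the two
# fixes: keep the leaf out of the issuer material and use -CAfile / -no_nonce.

# fetch_chain HOST:PORT OUTFILE
# Saves every PEM block s_client prints (leaf first, then its issuers).
fetch_chain() {
  openssl s_client -showcerts -connect "$1" < /dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$2"
}

# split_chain CHAIN OUTDIR
# Writes OUTDIR/cert0.pem (leaf), cert1.pem (leaf's issuer), ... and prints
# the number of certificates found.
split_chain() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert%d.pem", dir, n); n++ }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
  ' "$1"
  set -- "$2"/cert*.pem
  if [ -e "$1" ]; then echo "$#"; else echo 0; fi
}

# build_issuers OUTDIR
# Concatenates every certificate except cert0.pem (the leaf) into issuers.pem,
# which is what the first answer says chain.pem must look like.
build_issuers() {
  : > "$1/issuers.pem"
  for f in "$1"/cert*.pem; do
    if [ "$f" != "$1/cert0.pem" ]; then
      cat "$f" >> "$1/issuers.pem"
    fi
  done
}

# ocsp_check OUTDIR
# Queries the responder named in the leaf's AIA extension with the options the
# second answer needed. Act on the "Cert Status:" line of the output.
ocsp_check() {
  url=$(openssl x509 -noout -ocsp_uri -in "$1/cert0.pem")
  openssl ocsp -no_nonce \
    -issuer "$1/cert1.pem" \
    -CAfile "$1/issuers.pem" \
    -cert   "$1/cert0.pem" \
    -url    "$url" -text
}

# demo_split: stand-alone run on a constructed chain. The PEM bodies are
# placeholders, not real certificates, so only the splitting step is shown.
# Prints the output directory as its last line.
demo_split() {
  dir=$(mktemp -d)
  printf '%s\n' \
    '-----BEGIN CERTIFICATE-----' 'LEAF-PLACEHOLDER' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE-PLACEHOLDER' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'ROOT-PLACEHOLDER' '-----END CERTIFICATE-----' \
    > "$dir/chain.pem"
  split_chain "$dir/chain.pem" "$dir/out"
  build_issuers "$dir/out"
  echo "$dir/out"
}

# Real usage (assumed host): fetch_chain example.test:443 chain.pem;
# split_chain chain.pem work; build_issuers work; ocsp_check work
```

With a real chain the sequence is fetch_chain, split_chain, build_issuers, ocsp_check; the only thing fed to -cert is cert0.pem, and the only thing fed to -issuer and -CAfile is material that does not contain it.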