1. Prepare the certificates
Note: if the server has SNI enabled and serves more than one SSL certificate, you also need to pass -servername so that s_client receives the certificate for the host you are checking.
# Get server cert
openssl s_client -connect sqimg.qq.com:443 -servername sqimg.qq.com < /dev/null 2>&1 | sed -n '/-----BEGIN/,/-----END/p' > certificate.pem
# Get intermediate cert(s): -showcerts is required here, otherwise s_client prints only the leaf certificate and chain.pem ends up empty
openssl s_client -connect sqimg.qq.com:443 -servername sqimg.qq.com -showcerts < /dev/null 2>&1 | sed -n '/-----BEGIN/,/-----END/p' | awk 'BEGIN { n=0 } { if ($0=="-----BEGIN CERTIFICATE-----") { n+=1 } if (n>=2) { print $0 } }' > chain.pem
2. Find the certificate's OCSP responder
# Get the OCSP responder for server cert
openssl x509 -noout -ocsp_uri -in certificate.pem
# http://ocsp.int-x3.letsencrypt.org
# or, reading it from the Authority Information Access extension in the text dump
# openssl x509 -in certificate.pem -noout -text | grep OCSP
3. Check the OCSP status
# Note: OpenSSL 1.1.0 and later expect -header Host=ocsp.int-x3.letsencrypt.org; the two-argument form below is the 1.0.x syntax
openssl ocsp -issuer chain.pem -cert certificate.pem \
-verify_other chain.pem \
-header "Host" "ocsp.int-x3.letsencrypt.org" -text \
-url http://ocsp.int-x3.letsencrypt.org
If the check succeeds, the output ends with:
Response verify OK
certificate.pem: good
This Update: Mar 24 00:00:00 2021 GMT
Next Update: Mar 30 23:59:58 2021 GMT
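The three steps above, wrapped into shell functions as an added example (this is not code from the original post): the PEM bundle is split into leaf and chain, the responder host is derived from the URL reported by openssl x509, and the openssl ocsp output is reduced to a single status word so a script can act on it. Only ocsp_check touches the network; the file names bundle.pem, certificate.pem and chain.pem and the sample output text are assumptions.

```shell
# Added example, not from the original post. Helpers around the
# openssl s_client / x509 / ocsp steps described above.

# Split a PEM bundle (output of `openssl s_client -showcerts`) into the leaf
# certificate (first block) and the rest of the chain (second block onward).
# Usage: split_bundle bundle.pem certificate.pem chain.pem
split_bundle() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } n == 1' "$1" > "$2"
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } n >= 2' "$1" > "$3"
}

# Reduce `openssl ocsp` output (read from stdin, stderr merged in) to one word:
# good | revoked | unknown, or "error" if the responder signature did not verify.
ocsp_status() {
    awk '
        /^Response verify OK/ { verified = 1 }
        $0 ~ /^[^:]*: (good|revoked|unknown)$/ { status = $NF }
        END {
            if (!verified) print "error"
            else if (status == "") print "unknown"
            else print status
        }'
}

# Extract the responder host from an OCSP URL, for the HTTP Host header.
ocsp_host() {
    h=${1#*://}
    printf '%s\n' "${h%%/*}"
}

# Live check of one host (needs network and openssl). $1 = hostname, $2 = port.
# Prints the status word and succeeds only when the certificate is "good".
ocsp_check() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        < /dev/null 2>/dev/null | sed -n '/-----BEGIN/,/-----END/p' > bundle.pem
    split_bundle bundle.pem certificate.pem chain.pem
    uri=$(openssl x509 -noout -ocsp_uri -in certificate.pem)
    # OpenSSL >= 1.1.0 takes -header name=value; 1.0.x takes -header name value.
    status=$(openssl ocsp -issuer chain.pem -cert certificate.pem \
        -verify_other chain.pem -url "$uri" \
        -header "Host=$(ocsp_host "$uri")" 2>&1 | ocsp_status)
    printf '%s\n' "$status"
    [ "$status" = good ]
}

# Constructed sample: the "success" output quoted above, for offline use.
SAMPLE_GOOD='Response verify OK
certificate.pem: good
    This Update: Mar 24 00:00:00 2021 GMT
    Next Update: Mar 30 23:59:58 2021 GMT'
```

A revoked or unverifiable response makes ocsp_check exit non-zero, so it can be dropped straight into a monitoring job.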
References
http://cooolin.com/scinet/2020/07/16/ocsp-stapling-nginx.html
Please credit the source when reprinting: IPCPU-网络之路 » Using openssl commands to check the OCSP status of HTTPS certificates