Request and check OCSP response of queried domain name
#!/usr/bin/env bash
# Request and check the OCSP response for the TLS certificate of a domain.
# Usage: <script> DOMAIN
#
# Strict mode: -e abort on unhandled failure, -E inherit ERR traps in
# functions, -f no globbing, -u unset variables are errors, pipefail makes
# a pipeline fail when any stage fails.
set -eEfu -o pipefail
# Split words on newline and tab only, never on spaces.
IFS=$'\n\t'
# Let errexit apply inside command substitutions as well (bash 4.4+).
shopt -s inherit_errexit
# -C: refuse to overwrite an existing file via a '>' redirection.
set -C
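#######################################
# Print the n-th certificate (PEM) of an `openssl s_client -showcerts`
# transcript, n being the index shown in its " n s:" chain line.
# Arguments: $1 - chain index (0 = leaf, 1 = the certificate sent after it,
#                 normally the leaf's issuer)
#            $2 - path of the saved s_client transcript
# Outputs:   the PEM block on stdout (nothing when the index is absent)
#######################################
extract_chain_cert() {
  local -r index="${1}"
  local -r transcript="${2}"
  # First sed: from the " n s:" line to the end of that certificate;
  # second sed: drop the subject/issuer lines that precede the PEM block.
  sed -n "/^ ${index} s:/,/-----END CERTIFICATE-----/p" "${transcript}" |
    sed -n '/-----BEGIN CERTIFICATE-----/,$p'
}

#######################################
# Request and verify the OCSP response for the certificate a TLS server
# presents for a domain name.
# Arguments: $1 - domain name to check (TCP port 443, also used as SNI)
# Outputs:   the request/response dump of `openssl ocsp -text` on stdout;
#            error messages and openssl's verification verdict
#            ("Response verify OK" / "Response Verify Failure") on stderr
# Returns:   2 on usage error, 1 when the connection, certificate
#            extraction, AIA lookup or OCSP step fails, otherwise the exit
#            status of `openssl ocsp`
# NOTE: a "revoked" certificate status is only reported in the summary
#   text; read the output, do not rely on the exit status alone.
#######################################
main() {
  if (( $# < 1 )) || [[ -z "${1}" ]]; then
    printf 'Usage: %s DOMAIN\n' "${0##*/}" >&2
    return 2
  fi
  local -r domain="${1}"
  local workdir
  # Private scratch directory, so an existing cert.pem/chain.pem in the
  # caller's cwd is neither refused by noclobber nor deleted at exit.
  workdir="$(mktemp -d)" || return 1
  # Expand now (${var@Q} quotes the path safely): the local variable is
  # already gone when the EXIT trap runs.
  trap "rm -rf -- ${workdir@Q}" EXIT
  local -r transcript="${workdir}/s_client.txt"
  local -r leaf="${workdir}/cert.pem"
  local -r issuer="${workdir}/chain.pem"

  # A single handshake yields both leaf and issuer, so they come from the
  # same server instance (two connections may reach hosts with different
  # certificates and produce a leaf/issuer mismatch). stdin from /dev/null
  # makes s_client exit right after the handshake.
  if ! openssl s_client \
      -connect "${domain}:443" \
      -servername "${domain}" \
      -showcerts </dev/null >"${transcript}" 2>"${workdir}/s_client.err"; then
    printf 'error: TLS connection to %s:443 failed\n' "${domain}" >&2
    cat "${workdir}/s_client.err" >&2
    return 1
  fi
  extract_chain_cert 0 "${transcript}" >"${leaf}"
  extract_chain_cert 1 "${transcript}" >"${issuer}"
  if [[ ! -s "${leaf}" ]]; then
    printf 'error: no certificate received from %s\n' "${domain}" >&2
    return 1
  fi
  if [[ ! -s "${issuer}" ]]; then
    printf 'error: %s did not send its issuer certificate; cannot build the OCSP request\n' \
      "${domain}" >&2
    return 1
  fi

  # Responder URL from the leaf's Authority Information Access extension.
  local ocsp_uri
  ocsp_uri="$(openssl x509 -noout -ocsp_uri -in "${leaf}")" || return 1
  if [[ -z "${ocsp_uri}" ]]; then
    printf 'error: certificate of %s has no OCSP responder URL (AIA)\n' "${domain}" >&2
    return 1
  fi

  # -no_nonce: most public responders serve pre-signed responses and ignore
  # nonces, so the reply cannot be tied to this request; the response's own
  # validity window (thisUpdate/nextUpdate, shown by -text) is what bounds a
  # stale replayed answer. -verify_other offers the issuer certificate when
  # the response signature is checked. stderr is deliberately left open so
  # the verification verdict is visible.
  openssl ocsp \
    -no_nonce \
    -url "${ocsp_uri}" \
    -issuer "${issuer}" \
    -cert "${leaf}" \
    -verify_other "${issuer}" \
    -text
}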
# Remove the scratch files (written to the current directory) on every
# exit path, including errexit aborts and signals.
trap 'rm -f cert.pem chain.pem' EXIT
main "$@"