最近发现的heartbleed漏洞促使证书颁发机构重新颁发证书.
我有两个在发现heartbleed漏洞之前生成的证书.在SSL发行者告诉我重新生成证书之后,我使用新证书更新了我的服务器/域.
如果我的理解是正确的,那么旧证书应该已被CA撤销,并且应该已经转到CRL(证书撤销列表)或OCSP数据库(在线证书状态协议),否则技术上可以让某人执行“中间人攻击“通过从受损证书中获取的信息重新生成证书.
有没有办法检查我的旧证书是否已进入CRL和OCSP.如果他们没有办法将它们包括在内?
UPDATE : The situation is that I have already replaced my certificates all I have is the .crt files of the old certificates so using the url to check is not really possible.
解决方法
从您的证书获取ocsp网址:
$openssl x509 -noout -ocsp_uri -in /etc/letsencrypt/archive/31337.it/cert1.pem http://ocsp.int-x1.letsencrypt.org/ $
向ocsp服务器发送请求以检查证书是否被撤销:
$openssl ocsp -issuer /etc/letsencrypt/archive/31337.it/chain4.pem -cert /etc/letsencrypt/archive/31337.it/cert4.pem -text -url http://ocsp.int-x1.letsencrypt.org/ -header "HOST" "ocsp.int-x1.letsencrypt.org"
...
This Update: Oct 29 10:00:00 2015 GMT
Next Update: Nov 5 10:00:00 2015 GMT
$
这是一个很好的证书.
这是一个被撤销的证书:
$ openssl ocsp -issuer /etc/letsencrypt/archive/31337.it/chain3.pem -cert /etc/letsencrypt/archive/31337.it/cert3.pem -text -url http://ocsp.int-x1.letsencrypt.org/ -header "HOST" "ocsp.int-x1.letsencrypt.org"
...
This Update: Oct 29 12:00:00 2015 GMT
Next Update: Nov 5 12:00:00 2015 GMT
Revocation Time: Oct 29 12:33:57 2015 GMT
$
