I'm trying to check the revocation of certificates in a script but I'm getting the following error:

unable to load certificate
140735258465104:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

Here are the steps (using www.google.com as an example).

  1. fetch the certificate

    $ echo 'Q' | openssl s_client -connect www.google.com:443 > google.crt
    
  2. extract the URI of the issuer

    $ openssl x509 -in google.crt -text -noout | grep 'CA Issuers' | \
        sed -e "s/^.*CA Issuers - URI://"

    this gives http://pki.google.com/GIAG2.crt

  3. fetch the issuer certificate

    $ curl --silent http://pki.google.com/GIAG2.crt > issuer.crt
    
  4. extract the OCSP URI

    $ openssl x509 -in google.crt -ocsp_uri -noout
    

    this gives http://clients1.google.com/ocsp

And now the final step:

$ openssl ocsp -no_nonce -issuer issuer.crt -cert google.crt \
      -url http://clients1.google.com/ocsp
unable to load certificate
140735258465104:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

What am I doing wrong?

EDIT

I just saw that http://pki.google.com/GIAG2.crt is in DER format. Converting it to PEM with

$ openssl x509 -inform DER -outform PEM -in issuer.der -out issuer.pem

brings me one step further, but

$ openssl ocsp -no_nonce -issuer issuer.pem -cert google.crt \
      -url http://clients1.google.com/ocsp
Error querying OCSP responder
140735258465104:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:255:Code=404,Reason=Not Found

The error kind of makes sense since http://clients1.google.com/ocsp delivers a 404 but the URL is the one stored in the original certificate ...

The next question will also be how to automatically detect the format of the issuer certificate but I could use file and see if the file is binary or ASCII.

You need to set a Host header. There's an undocumented command-line flag for this. Try:

openssl ocsp -no_nonce -issuer issuer.pem -cert google.crt \
    -url http://clients1.google.com/ocsp \
    -header Host clients1.google.com
  • Great tip. Do you know a reason why this is necessary? – mat Feb 04 '17 at 15:02
  • Since OCSP communicates over HTTP, a web-server is contacted and the appropriate web-application (virtual host) may only get triggered by the web-server when the Host header is passed. It might be possible that some sites dedicate IPs for OCSP so that no Host header is required. – Chad Skeeters Nov 06 '19 at 20:47
  • Should it be -header Host clients.1.google.com, or -header Hosts=clients.1.google.com? I got an error message when using the first form: Missing = in header key=value ocsp: Use -help for summary. – Anton Prokofiev Dec 03 '20 at 12:44
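The four steps from the question plus the answer's Host header, as an added example script that is not part of the original post or its comments: it auto-detects whether the downloaded issuer is DER or PEM (the follow-up question in the EDIT), derives the Host value from the OCSP URI, and picks the `-header` argument syntax by OpenSSL version, since the last comment shows newer releases want `name=value`. Assumed: `openssl` and `curl` on PATH, TLS on port 443, and a leaf certificate whose AIA extension carries both a CA Issuers URI and an OCSP URI.

```shell
#!/bin/sh
# Added example (not from the original post): the question's OCSP check as
# a script. Assumptions: openssl and curl on PATH, port 443, and that the
# leaf's AIA extension carries both a CA Issuers URI and an OCSP URI.
set -eu

# Host part of an http(s) URL: http://clients1.google.com/ocsp -> clients1.google.com
url_host() {
  h=${1#*://}                 # drop scheme
  h=${h%%/*}                  # drop path
  printf '%s\n' "${h%%:*}"    # drop port
}

# Write certificate $1 to $2 as PEM whatever its encoding. Instead of `file`,
# look for the PEM header line; anything else is treated as DER.
to_pem() {
  if grep -q -- '-----BEGIN' "$1"; then
    cat "$1"
  else
    openssl x509 -inform DER -in "$1"
  fi > "$2"
}

# -header arguments, one per line. OpenSSL 1.0.x takes "-header name value";
# later releases take "-header name=value" (the "Missing =" error above).
host_header_args() {
  v=$(openssl version 2>/dev/null || true)
  case $v in
    "OpenSSL 1.0."*) printf '%s\n' -header Host "$1" ;;
    *)               printf '%s\n' -header "Host=$1" ;;
  esac
}

check_ocsp() {                # usage: check_ocsp www.google.com
  server=$1
  # `openssl x509` keeps only the PEM block out of the s_client transcript
  echo Q | openssl s_client -connect "$server:443" -servername "$server" 2>/dev/null \
    | openssl x509 > leaf.pem
  issuer_url=$(openssl x509 -in leaf.pem -noout -text \
    | sed -n 's/.*CA Issuers - URI://p' | head -n 1)
  curl --silent "$issuer_url" > issuer.raw
  to_pem issuer.raw issuer.pem
  ocsp_url=$(openssl x509 -in leaf.pem -noout -ocsp_uri)
  # unquoted on purpose: host_header_args emits one argument per line, none with spaces
  openssl ocsp -no_nonce -issuer issuer.pem -cert leaf.pem -url "$ocsp_url" \
    $(host_header_args "$(url_host "$ocsp_url")")
}
```

Run it as `check_ocsp www.google.com`; the OCSP status line printed by `openssl ocsp` is the result, and a non-zero exit from any step aborts the script because of `set -e`.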