That's the chain of trust, where the root CA signs the intermediate CA and the intermediate CA signs the server's certificate request and issues the certificate.
The chain could be long and deep, but typically it's 3 or 4 links deep. In this example we will check an Entrust chain, which looks like the following:
The tool we will use is ocsptool. It is simple, but it does require you to have every certificate in the chain on hand. You check each level of the chain from the bottom to the top, all the way to the root certificate (Root.crt).
Here's a screenshot of Socpuppets doing just this. The OCSP protocol is being used, and you can easily find the OCSP URL via openssl
e.g. ( I'm querying my webserver certificate to find the OCSP responder URI that we will direct the OCSP query against )
{ responder URL as listed in the certificates }
URI:http://ocsp.entrust.net
Okay, let's start checking the chain by using ocsptool and the responder:
1st: the actual web server certificate against the intermediate CA that signed that cert
Next, the 2 intermediate CAs
Lastly, the root CA and intermediate CA
And finally, here's how the display would look if the certificate were actually revoked.
Using the ocsp tool does the following:
- ensures, from the client side, that OCSP is working
- confirms that you have a valid OCSP responder server for the query, and one within that chain
- allows you to validate any part of the CA chain from the root to the end certificate
- validates the certificate status as either good or revoked
What it will not do:
- validate the expiration date; that's not a function of the OCSP query, that's a function of the web client
- validate that your web-browser client is actually using the OCSP services
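As an added example (not from the original post), here is a POSIX shell script that automates the bottom-to-top walk described above: it splits a PEM chain file into its links, pulls each link's OCSP URI with openssl, asks that responder with ocsptool, and requires a "good" answer for every link. The chain file is assumed to be ordered server certificate, intermediates, then root; the file names are assumptions too.

```shell
#!/bin/sh
# Added example: check every link of a certificate chain via OCSP with ocsptool.
# Assumes: chain.pem ordered leaf -> intermediate(s) -> root, openssl and ocsptool on PATH.

# Split a PEM bundle into numbered files (cert.1.pem, cert.2.pem, ...) under $2
# and print how many certificates were found.
split_chain() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert." n ".pem" }
        n > 0 { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# Responder URL from the certificate's AIA extension (what the post grabs with openssl).
ocsp_uri() {
    openssl x509 -noout -ocsp_uri -in "$1"
}

# Query one link: certificate $1 issued by $2. With --load-issuer, ocsptool also
# checks the response signature. Returns 0 only when the responder says "good";
# the status is printed so "revoked", "unknown" or a missing response is visible.
check_link() {
    cert=$1; issuer=$2
    url=$(ocsp_uri "$cert")
    [ -n "$url" ] || { echo "$cert: no OCSP URI in certificate"; return 2; }
    out=$(ocsptool --ask "$url" --load-cert "$cert" --load-issuer "$issuer" 2>&1) || true
    status=$(printf '%s\n' "$out" | sed -n 's/.*[Cc]ertificate [Ss]tatus: *//p' | head -n 1)
    echo "$cert -> $url : ${status:-no response}"
    [ "$status" = "good" ]
}

# Walk the chain bottom to top. The root has no issuer to query against,
# so the last pair checked is (last intermediate, root), as in the post.
check_chain() {
    dir=$(mktemp -d)
    count=$(split_chain "$1" "$dir")
    rc=0; i=1
    while [ "$i" -lt "$count" ]; do
        check_link "$dir/cert.$i.pem" "$dir/cert.$((i + 1)).pem" || rc=1
        i=$((i + 1))
    done
    rm -rf "$dir"
    return $rc
}

# Usage: sh ocsp-chain.sh chain.pem   (exit status 0 only if every link is "good")
[ $# -eq 0 ] || check_chain "$1"
```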
OCSP is quite reliable and has very few weaknesses or vulnerabilities, outside of attacks on the responder itself, particularly when OCSP stapling is in use on the server.
I'm curious: if one manages to compromise a webserver certificate and then attack the OCSP infrastructure so that the OCSP responders cannot reliably send the response, could a web end-user mistakenly connect to a compromised website? Most browsers fall through to allow if the OCSP responder does not respond.
You can learn more about ocsp here https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
To confirm whether your web browser is using OCSP, you can use wireshark/tcpdump and monitor traffic to a known OCSP responder address. Every https session to a site that uses that OCSP responder should generate an OCSP request.
e.g
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \