How do I programmatically verify a certificate chain using OCSP?

Suppose I receive a chain of certificates: [leaf cert, intermediate cert 1, intermediate cert 2, intermediate cert 3...] How do I manually verify that the certificate has not been revoked using OCSP requests? The leaf certificate has OCSP server attached to it.

I have listed the possible options that I have thought of:

  1. issue OCSP request with the CreateOCSPRequest(intermediate cert, leaf cert) for each intermediate cert in the cert chain (ie. CreateOCSPRequest(intermediate cert 3, leaf cert), CreateOCSPRequest(intermediate cert 2, leaf cert), CreateOCSPRequest(intermediate cert 1, leaf cert), etc.)
  2. just one OCSP request with CreateOCSPRequest(intermediate cert 1, leaf cert), not checking the other certs in the chain
  3. issue OCSP request with the CreateOCSPRequest(intermediate cert, leaf cert) for each intermediate cert in the cert chain, except the last cert in the cert chain (which appears to be the approach here: https://sourcegraph.com/github.com/cockroachdb/cockroach/-/blob/pkg/security/ocsp.go?L48)
  4. issue OCSP request with the CreateOCSPRequest(intermediate cert, leaf cert) for each intermediate cert in the cert chain, until we reach a root cert that we can trust
  5. issue OCSP request with CreateOCSPRequest(cert's issuer cert, cert) for each intermediate cert in the cert chain (have the intermediate cert as the cert to check in the OCSP request, instead of the leaf cert, so we issue requests CreateOCSPRequest(intermediate cert 1, leaf cert), CreateOCSPRequest(intermediate cert 2, intermediate cert 1), CreateOCSPRequest(intermediate cert 3, intermediate cert 2), etc.)
  6. something else

My current implementation is option 1. I don't think my solution (option 1) is the right answer, however, as I get an unauthorized error when I try to issue an OCSP request with (intermediate cert 4, leaf cert) in my test cert chain.

CreateOCSPRequest(issuer, cert) is the placeholder function that creates an OCSP request with the issuer and cert. I'm using the ocsp.CreateRequest in Golang, although I'm sure there are similar functions in other languages.
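As an added example (not code from the question or from the cockroach repository it links), this is the pairing a chain walk hands to the OCSP library, written with only the Go standard library: each certificate is checked against the certificate that directly issued it, the responder URL is read from the certificate being checked, and the trust anchor itself is never queried. The chain, names and responder URLs are constructed for the example, and the actual ocsp.CreateRequest call from golang.org/x/crypto/ocsp is left out so the block runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// OCSPCheck is one query to issue: the certificate whose status is wanted, its
// issuer, and the responder URLs from that certificate's own AIA extension.
type OCSPCheck struct {
	Cert, Issuer *x509.Certificate
	Responders   []string // empty: no AIA URL, fall back to CRLs or fail closed
}

// PlanOCSPChecks walks a leaf-first chain, confirms each certificate was signed by
// the next one and pairs them; the trust anchor (last element) is never queried.
func PlanOCSPChecks(chain []*x509.Certificate) ([]OCSPCheck, error) {
	var checks []OCSPCheck
	for i := 0; i+1 < len(chain); i++ {
		cert, issuer := chain[i], chain[i+1]
		if err := cert.CheckSignatureFrom(issuer); err != nil {
			return nil, fmt.Errorf("chain[%d] not issued by chain[%d]: %w", i, i+1, err)
		}
		checks = append(checks, OCSPCheck{cert, issuer, cert.OCSPServer})
	}
	return checks, nil
}

// newCert mints a constructed test certificate; parent == nil means self-signed.
func newCert(cn string, ocsp []string, parent *x509.Certificate, parentKey ed25519.PrivateKey, isCA bool) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), OCSPServer: ocsp, IsCA: isCA, BasicConstraintsValid: true}
	signer, signKey := tmpl, key
	if parent != nil { signer, signKey = parent, parentKey }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// sampleChain builds the constructed chain [leaf, intermediate, root] the example runs on.
func sampleChain() []*x509.Certificate {
	root, rootKey := newCert("Test Root", nil, nil, nil, true)
	inter, interKey := newCert("Test Intermediate", []string{"http://ocsp.root.example/"}, root, rootKey, true)
	leaf, _ := newCert("leaf.example", []string{"http://ocsp.intermediate.example/"}, inter, interKey, false)
	return []*x509.Certificate{leaf, inter, root}
}
```

Each OCSPCheck is what ocsp.CreateRequest(check.Cert, check.Issuer, nil) would be built from, and PlanOCSPChecks refuses a chain whose elements are not in issuer order rather than sending a request that the responder would reject.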

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow