OCSP is an online protocol that lets an application ask a responder whether a specific certificate has been revoked. To test a certificate's OCSP status we need three things: the certificate itself, the chain of CA certificates that issued it (at least the direct issuer), and the address of the OCSP responder.
Getting the server certificate
Get the server certificate that we want to check for OCSP validity:
The certificate will be stored in the certificate.pem file.
Getting the intermediate certificates
Next, obtain the intermediate certificates presented by the server (there may be more than one).
These certificates will be stored in the chain.pem file.
Inside the chain.pem you'll find the following information:
Edit the file:
Delete the first certificate from the file, so that the file remains with only this certificate:
Please note that this might differ in other situations (for example, when the server sends more than one intermediate). The idea is that you keep only the chain of issuing certificates, without the final end-entity certificate.
Get the OCSP responder for a certificate
Now we need to obtain the address of the OCSP responder, so we know where to send the query. The address is carried in the certificate's Authority Information Access extension; it can be read by manual inspection of the certificate, or by using the command:
Make the OCSP request
Finally we may do the request to the OCSP responder, using the following command:
And we obtain the following result.
From this response we can confirm that the certificate status is good. The status line is only meaningful when the response also reports that the responder's signature verified correctly.
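The whole procedure above, chained into one POSIX shell script, is given here as an added example; it is not code from the original page. It assumes that openssl is on the PATH, that the host name and port are passed as arguments, and that the working files are named certificate.pem and chain.pem as in the text. The text-handling helpers (splitting the leaf from the chain, extracting the status word) can be exercised without network access; the network steps only run when a host is given.

```shell
#!/bin/sh
# Added example (not from the original page): an end-to-end OCSP check with
# the OpenSSL command line. Assumed: openssl on PATH, host/port as arguments,
# output files certificate.pem and chain.pem in the current directory.

# Fetch every certificate the server presents in the TLS handshake.
# -showcerts prints each one as a PEM block; the first block is the leaf.
fetch_bundle() {   # $1 = host, $2 = port
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# Keep only the first PEM block (the end-entity certificate).
leaf_only() {
  awk '/-----BEGIN CERTIFICATE-----/ { n++ } n == 1 { print }'
}

# Drop the first PEM block and keep the rest: this is the manual
# "delete the first certificate from chain.pem" step done with awk.
strip_leaf() {
  awk '/-----BEGIN CERTIFICATE-----/ { n++ } n > 1 { print }'
}

# Read the responder URL from the Authority Information Access extension.
ocsp_uri_of() {    # $1 = certificate file
  openssl x509 -noout -ocsp_uri -in "$1"
}

# Pull the status word out of `openssl ocsp` output ("certificate.pem: good").
ocsp_status() {
  awk -F': ' '$2 == "good" || $2 == "revoked" || $2 == "unknown" { print $2; exit }'
}

# Succeed only if OpenSSL could verify the responder's signature; a status
# line without this verification must not be trusted.
ocsp_verified() {
  grep -q '^Response verify OK'
}

# Full check: returns 0 for "good", non-zero for anything else.
check_host() {     # $1 = host, $2 = port (default 443)
  host=$1; port=${2:-443}
  fetch_bundle "$host" "$port" > bundle.pem
  leaf_only  < bundle.pem > certificate.pem
  strip_leaf < bundle.pem > chain.pem
  uri=$(ocsp_uri_of certificate.pem)
  [ -n "$uri" ] || { echo "$host: no OCSP responder in certificate" >&2; return 2; }
  # -issuer uses the first certificate in chain.pem, i.e. the direct issuer.
  out=$(openssl ocsp -issuer chain.pem -cert certificate.pem -url "$uri" 2>&1)
  printf '%s\n' "$out" | ocsp_verified || { echo "$host: responder signature NOT verified" >&2; return 3; }
  status=$(printf '%s\n' "$out" | ocsp_status)
  echo "$host: $status"
  [ "$status" = "good" ]
}

# Only touch the network when a host was given on the command line.
if [ $# -ge 1 ]; then check_host "$@"; fi
```

Run it as `sh ocsp-check.sh example.org 443`. The script relies on OpenSSL's default trust store to build the chain from the issuer named with -issuer; if the responder delegates signing to a separate certificate that OpenSSL cannot chain, the verification step fails and the status word is deliberately not reported.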