Check if the certificate of a domain was revoked

Just had the need to quickly check if the certificate of a domain was revoked or not, and found this tutorial:  OpenSSL: Manually verify a certificate against a CRL

Well done, but two problems:

  • If the server doesn’t send all certificates (including the root CA), the verify process will fail
  • Too much to type…

So i quickly created a bash script to address these issues and do all the stuff much more easily.

It takes one to three options:

  • <domain>: The domain you want to check (f.ex. “”)
  • <keepfiles>: (Optional) 0 or 1. Keep all the certs and don’t clean it up at the end (it creates all files in you current folder as <domain>.yyy.zzz)
  • <trusted CA file>: (Optional) The path to the file containing the locally installed/trusted CAs. On CentOS/Fedora it automatically uses “/etc/pki/tls/certs/ca-bundle.crt”. If you get an error like “error 2 at 2 depth lookup:unable to get issuer certificate” you very likely have to specify it.



if [ -z &quot;$1&quot; ]; then
    echo &quot;Usage: $0 &lt;domain&gt; [&lt;keepfiles (0/1)&gt;] [&lt;trusted CA file bu&lt;a href=&quot;; rel=&quot;&quot;&gt;;/a&gt;ndle path&gt;]&quot;
    exit 1

if [ &quot;$2&quot; = &quot;1&quot; ]; then

if [ ! -z &quot;$3&quot; ] &amp;&amp; [ ! -f &quot;$3&quot; ]; then
    echo &quot;ERROR: The file \&quot;${3}\&quot; does not exists. It must point to a file containing your local trusted CAs. For CentOS f.ex. it's \&quot;/etc/pki/tls/certs/ca-bundle.crt\&quot; by default.&quot;
    exit 1
    if [ -z &quot;$3&quot; ]; then
        # Check if the default CentOS CA bundle exists and use this if no other file was specified
        if [ -f &quot;/etc/pki/tls/certs/ca-bundle.crt&quot; ]; then

# Get the domain certificate
echo -n &quot;   Get domain certificate: &quot;
openssl s_client -connect ${DOMAIN}:443 -servername ${DOMAIN} 2&gt;&amp;1 &lt; /dev/null | sed -n '/-----BEGIN/,/-----END/p' &gt; ${DOMAIN}.cert.pem
echo &quot;OK&quot;

echo -n &quot;   Get the CRL file: &quot;
# Get CRL URL from cert and download it
CRLURL=<code>openssl x509 -noout -text -in ${DOMAIN}.cert.pem | grep -A 4 'X509v3 CRL Distribution Points' | grep URI | cut -d':' -f 2-10</code>

# Check if a CRL URL was returned and exit if not
if [ &quot;$CRLURL&quot; = &quot;&quot; ]; then
    echo -e &quot;ERROR: No CRL URL found in certificate. Verification not possible.\n      Could be that it's OCSP only.&quot;
    exit 1

wget --quiet -O ${DOMAIN}.crl.der $CRLURL

if [ $? -ne 0 ]; then
    echo &quot;ERROR: Failed to download CRL&quot;
    exit 1
echo &quot;OK&quot;

# Convert CRL to pem
echo -n &quot;   Convert CRL: &quot;
openssl crl -inform DER -in ${DOMAIN}.crl.der -outform PEM -out ${DOMAIN}.crl.pem
echo &quot;OK&quot;

# Get all certificates in the chain
echo -n &quot;   Get all certificates in chain: &quot;
OLDIFS=$IFS; IFS=':' certificates=$(openssl s_client -connect ${DOMAIN}:443 -servername ${DOMAIN} -showcerts -tlsextdebug -tls1 2&gt;&amp;1 &lt;/dev/null | sed -n '/-----BEGIN/,/-----END/ {/-----BEGIN/ s/^/:/; p}'); for certificate in ${certificates#:}; do echo $certificate &gt;&gt; ${DOMAIN}.chain.pem ; done; IFS=$OLDIFS
echo &quot;OK&quot;

# Merge local CAs, chain and CRL
echo -n &quot;   Merge chain and CRL: &quot;

cat $LOCALCAFILE ${DOMAIN}.chain.pem ${DOMAIN}.crl.pem &gt; ${DOMAIN}.crl_chain.pem
echo &quot;OK&quot;

# Finally, check if the cert was revoked
echo &quot;   Verify certificate:&quot;
openssl verify -crl_check -CAfile ${DOMAIN}.crl_chain.pem ${DOMAIN}.cert.pem

# Cleanup
if [ $KEEPFILES = 0 ]; then
    rm -f ${DOMAIN}.cert.pem ${DOMAIN}.crl.der ${DOMAIN}.crl.pem ${DOMAIN}.chain.pem ${DOMAIN}.crl_chain.pem

exit 0
This entry was posted in Bash, Linux, Security, SSL/TLS and tagged , , , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *