Verifying certificates through an OCSP responder is in more demand these days, so here are simple steps to test an OCSP responder from your own network environment.
1. Install OpenSSL. It is a free tool and is used here as the OCSP client. In this example the Windows 64-bit version is installed.
http://gnuwin32.sourceforge.net/packages/openssl.htm
– During installation, the directory name "OpenSSL-Win64" is used.
ex> C:/OpenSSL-Win64/bin> openssl
2. From the prompt "OpenSSL>" type:
ocsp -issuer issuer_cert.pem -cert cert.pem -text -CAfile Root_cert.pem -url http://ocsp.disa.mil:80
– issuer_cert.pem, in PEM format: the issuer certificate, i.e. the CA that issued the certificate in question.
– cert.pem, in PEM format: the certificate you want to verify against the OCSP responder.
– Root_cert.pem, in PEM format: the DoD PKI Root CA-2 certificate (see #4 for how to get it). It is used to validate the signature on the OCSP response.
* issuer_cert.pem, cert.pem and Root_cert.pem should be located in the C:/OpenSSL-Win64/bin directory.
** See #4 in this article for how to create those files.
The actual output, once you run the above command, is shown below.
** The sample certificate below is no longer valid.
** Disable your network connection and try the above OCSP request again; you will see the difference, because the client cannot reach the responder and no certificate status is returned.
3. Firewall rule.
The OCSP responder uses HTTP on port 80, so make sure your firewall allows outbound port 80 traffic (which is normally open). If not, open it. You will get different IP addresses for the OCSP responder server depending on where you are, so allow the hostname rather than a single address if your firewall supports it.
ex) Here is the example
4. How to get / make temporary *.pem files?
– This can be troublesome if you are not savvy in the certificate world(?)
– If you are already familiar with certificate formats, you don't need the steps below.
– To get all the certificates you need, such as the issuer and root certs (e.g. Root CA-2, CA-21, etc.), go to this link http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_2048.p7b and download the file "rel3_dodroot_2048" to your desktop.
– Then export the certificates from that file.
5. When you double-click the file "rel3_dodroot_2048", the window below pops up. On the right-hand side you can see CA-11, CA-21 and Root.
6. Let's export the DoD Root cert from the file.
7. Click "Next".
8. Choose "Base-64 encoded X.509 (.CER)" and click "Next".
9. Specify the name of the file you want to export.
10. Verify and click "Finish".
11. The export was successful.
12. Finally, rename the file so that it has the extension *.PEM.
13. Open the exported file to see the format below. Create the other *.pem files the same way, using a certificate from rel3_dodroot_2048 or any other certificate source.
A *.PEM file will look like the following:
-----BEGIN CERTIFICATE-----
MIIDcDCCAligAwIBAgIBBTANBgkqhkiG9w0BAQUFADBbMQswCQYDVQQGEwJVUzEY
MBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxDDAKBgNVBAsT
A1BLSTEWMBQGA1UEAxMNRG9EIFJvb3QgQ0EgMjAeFw0wNDEyMTMxNTAwMTBaFw0y
OTEyMDUxNTAwMTBaMFsxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVy
:
:
-----END CERTIFICATE-----
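A companion check for steps 8 to 13, added here and not part of the original article: using only the Python standard library, it confirms that an exported file really is a Base-64 (PEM) X.509 certificate rather than a binary DER export or a stray .p7b, and reports each certificate's serial number and SHA-1 fingerprint so you can compare them with the "Thumbprint" field in the Windows certificate viewer before feeding the file to the ocsp command. SAMPLE_PEM is a constructed, minimal certificate-shaped structure, not a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample: a minimal certificate-shaped DER, SEQUENCE { SEQUENCE {
# [0] INTEGER 2, INTEGER 5 } }. It is NOT a real certificate and not from the page.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAowCKADAgECAgEF\n-----END CERTIFICATE-----\n"

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def pem_to_der(text):
    """Return the DER certificates in a PEM text; reject broken framing or padding."""
    ders = []
    for body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        tag, _, end = _tlv(der, 0)
        if tag != 0x30 or end != len(der):  # exactly one DER SEQUENCE, nothing trailing
            raise ValueError("PEM body is not a single DER SEQUENCE")
        ders.append(der)
    if not ders:
        raise ValueError("no CERTIFICATE block; was the file exported as Base-64?")
    return ders

def serial_number(der):
    """Serial from Certificate -> tbsCertificate, skipping the optional [0] version."""
    _, cert_body, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert_body, 0)
    tag, value, pos = _tlv(tbs, 0)
    if tag == 0xA0:                         # EXPLICIT [0] version field is present
        tag, value, pos = _tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER serial number")
    return int.from_bytes(value, "big", signed=True)

def fingerprint(der):
    """SHA-1 over the DER bytes, the value Windows shows as the 'Thumbprint'."""
    return hashlib.sha1(der).hexdigest()

def check_pem_file(text):
    """Summary for each certificate in the text: (serial, sha1 fingerprint)."""
    return [(serial_number(d), fingerprint(d)) for d in pem_to_der(text)]
```

Run check_pem_file on the contents of cert.pem, issuer_cert.pem and Root_cert.pem; the serial printed for cert.pem is the one the OCSP responder is asked about, and the fingerprint should match the thumbprint shown in the viewer, ignoring spaces and case.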