Validation of SSL certificates for revocation

Nowadays, one of the most important aspects of secure information transmission is encryption. Transmission data from client to server is encrypted using an SSL certificate. A certificate is a public key certified by a certification authority.

All SSL certificates are usually issued for a limited period, after which they expire and must be reissued. However, there are times when a certificate can be revoked before it expires. There are quite a few reasons for revoking an SSL certificate, the most common of them is that the private key has been lost or compromised, the company registration data has changed, etc.

There are 2 alternative ways to check if the SSL certificate is in revocation lists:

  • CRL (Certificate Revocation List) - checks for the serial number of the certificate in the revocation list.
  • OCSP (Online Certificate Status Protocol) - a certificate is sent to a specialized server, where its status is checked.

Consider both of these methods in more detail using the Ubuntu console. And as an example, let's check the revocation certificate for the domain


Download the certificate of the domain of interest to us:

echo -n | openssl s_client -connect -servername 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/

Thanks legioner for the hint to add the -servername parameter - it is necessary for the correct selection of the certificate, if there are several of them (SNI) on one IP address.

We look at the details of the certificate:

openssl x509 -noout -text -in /tmp/

Here we are interested in the “Full Name” item in the “X509v3 CRL Distribution Points” section.

Download this link CLR list:


We tear out the serial number of the certificate:

openssl x509 -in /tmp/ -noout -serial

See if this number is in the CRL list:

openssl crl -inform DER -text -in COMODORSADomainValidationSecureServerCA.crl | grep "90E58B0601C3AD98F07AEE092041C437"

If nothing is found, then the certificate is not revoked.


We will display the certificate of the domain of interest to us and the chain of intermediate (Intermediate) certificates:

echo -n | openssl s_client -connect -showcerts

Save the domain certificate and intermediate certificate into files (code between the lines ----- BEGIN CERTIFICATE ----- and ----- END CERTIFICATE -----):


Define the OCSP server:

openssl x509 -in /tmp/ -noout -ocsp_uri

Send a request to the OCSP server to check the certificate for revocation:

openssl ocsp -url -issuer /tmp/intermediate.crt -cert /tmp/ -text

If everything is correct, the OCSP server should return the certificate information.

Here the last lines are of interest:

Response verify OK
/tmp/ good

The absence of a certificate in the list of revoked is indicated by the value “good”; if the certificate is revoked, the value will be “revoked”.


It is not always convenient to check SSL certificates for manual revocation, so the verification process can be automated.

To do this, use Github to create a ready-made script that checks certificates using the CRL method:


Next, make the script executable:

chmod a+x

Now you can check both already installed certificates for the domain and those stored locally in files (option -f):

./ -v


The script can check certificates not only from the console, it is also quite suitable as a checker for Zabbix, so all the dirty work of tracking certificates into the revocation list can be assigned to the monitoring system.

Go to the Zabbix config /etc/zabbix/zabbix_server.conf and see where the scripts for external checks are:


Copy our script into this directory and restart Zabbix:

sudo cp /etc/zabbix/externalscripts/
sudo systemctl restart zabbix-server

Go to the web interface and create a template (Configuration >> Templates >> Create template). We specify “Template SSL Checking” as the template name. Then inside the template we create the data item (Item) “SSL Certificate in Revocation List”, with “ [{HOST.NAME}]” as the key, with the “External check” check type. The inspection interval can be set at your discretion depending on the criticality of the project.

You will also need two triggers:

1. To signal a certificate revocation "Certificate for domain {HOST.NAME} is in revocation list"
Expression: "{Template Custom SSL Checking: [{HOST.NAME}]. Last ()} = 1 "

2. To signal an error in case something goes wrong (for example, there are problems with the CLR server, etc.) "Error to check certificate for domain {HOST.NAME}"
Expression: "{Template Custom SSL Checking: [{HOST.NAME}]. Last ()} = 2 "

Do not forget in the actions (Configuration >> Actions) to configure the notification method in case of triggering.

Now it remains to create hosts, whose certificates we will regularly check (Configuration >> Hosts >> Create host). On the Templates tab, we link our Template SSL Checking template.

And that's it! You can sleep peacefully: if the SSL certificate of your domain for any reason falls into the revoked list, Zabbix will immediately inform you.

Also popular now: