How the heck do you test an HTTPS site for a revoked cert?

I'm currently using Nagios to do monitoring, including using the check_http options to check for an SSL cert that expires soon, etc. What I'd like to do is include testing for revoked certs for each of the sites that I monitor. Sounds easy, right? Well:

  • check_http doesn't seem to check for revoked certs. At least, it didn't beep when it happened recently, which led to some confusion
  • OpenSSL's verify has -crl_check and -crl_check_all, which would be great, but I care about OCSP more than CRLs (since that's what browsers will care about)
  • OpenSSL has an ocsp mode, but it looks like I'd have to do a bunch of work to get the cert in the right place, figure out where the OCSP server is, etc.

I've found a bunch of articles about writing code to do OCSP checking, but there's got to be a nice program that does it, right? What I want is a Nagios check, or something that I could use as one. In my perfect world it would look something like:

check_http_with_oscp -I (IP) -H (hostname) -p 443

Anyone?


I'm afraid that I can only give pointers here, but you should be able to put something together without too much pain.

openssl's s_client -showcerts will dump the PEM-encoded certs. You can extract each of them with a regexp pretty easily. Then pipe them through openssl x509 -text to extract the OCSP URL. Then openssl ocsp can be used to send an OCSP request to the responder:

http://openssl.org/docs/apps/ocsp.html

You'll need the parent certificate in each case, which you'll have except for the root certificate. So, apart from maybe hardcoding that, it's quite self contained. (You could also download the root certificate via the AIA extension URL.)
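The steps in the answer above, strung together as a Nagios-style plugin. This is an added example, not code from the answer or from any project: it assumes the openssl binary is on PATH (it uses the -ocsp_uri option of openssl x509 instead of grepping -text output, and openssl ocsp with -verify_other), that the server sends at least the leaf and its issuer, and that the responder's signature chains to the system CA store via openssl's default paths. Every certificate that has its parent in the chain is checked, which is exactly the "you'll need the parent certificate in each case" point; the root, which has no parent in the chain, is skipped.

```shell
#!/bin/sh
# Added example (not from the answer above): OCSP revocation check for a TLS site
# in the shape of a Nagios plugin. Exit codes follow the Nagios convention:
# 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
# Assumes: openssl on PATH; responder signatures verifiable against the system
# CA store (openssl default paths) with the issuer supplied via -verify_other.
#
# Usage: sh check_ocsp.sh HOSTNAME [PORT]

# Split the PEM certificates on stdin into $1/00.pem, $1/01.pem, ... in the order
# the server sent them (leaf first, then its issuer, ...). Everything outside the
# BEGIN/END markers, such as s_client's own chatter, is dropped.
split_chain() {
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/%02d.pem", dir, n); n++ }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    '
}

# Map the status line openssl ocsp prints ("<certfile>: good|revoked|unknown")
# to a Nagios exit code. Anything but a definite answer is UNKNOWN (3).
ocsp_status_to_exit() {
    case $1 in
        *": good"*)    echo 0 ;;
        *": revoked"*) echo 2 ;;
        *)             echo 3 ;;
    esac
}

# Fetch the chain from host:port and ask each certificate's OCSP responder
# (named in its AIA extension) about it, using the next cert in the chain as issuer.
check_ocsp() {
    host=$1; port=${2:-443}
    tmp=$(mktemp -d) || { echo "UNKNOWN: mktemp failed"; return 3; }
    trap 'rm -rf "$tmp"' EXIT

    # -servername sends SNI so a virtual-hosted site returns the right chain.
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | split_chain "$tmp"
    [ -f "$tmp/01.pem" ] || { echo "UNKNOWN: $host:$port did not send a leaf plus its issuer"; return 3; }

    i=0
    while :; do
        cert=$(printf '%s/%02d.pem' "$tmp" "$i")
        issuer=$(printf '%s/%02d.pem' "$tmp" $((i + 1)))
        [ -f "$issuer" ] || break   # no parent in the chain: this is the root, stop here

        url=$(openssl x509 -in "$cert" -noout -ocsp_uri)
        [ -n "$url" ] || { echo "UNKNOWN: certificate $i in the chain from $host has no OCSP URI"; return 3; }

        # -no_nonce: many responders serve pre-signed responses and reject nonces.
        # -verify_other: lets openssl chain a delegated responder cert through the issuer.
        # openssl ocsp exits non-zero when the query fails or the response does not verify.
        out=$(openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" \
                  -verify_other "$issuer" -no_nonce -timeout 10 2>&1) \
            || { echo "UNKNOWN: OCSP query to $url failed or the response did not verify"; return 3; }

        case $(ocsp_status_to_exit "$out") in
            0) ;;
            2) echo "CRITICAL: certificate $i of $host is REVOKED according to $url"; return 2 ;;
            *) echo "UNKNOWN: $url gave no definite status for certificate $i of $host"; return 3 ;;
        esac
        i=$((i + 1))
    done

    echo "OK: $i certificate(s) from $host:$port checked via OCSP, none revoked"
    return 0
}

# Act as a plugin only when called with arguments, so the functions can also be
# sourced into another script.
if [ $# -ge 1 ]; then
    check_ocsp "$1" "$2"
    exit $?
fi
```

Wire it into Nagios as a command with `$HOSTADDRESS$` (or the hostname, since SNI needs the real name) and the port; a revoked certificate anywhere below the root comes back CRITICAL, while an unreachable or unverifiable responder is reported as UNKNOWN rather than silently passing. If the server only sends its leaf, the check stops at UNKNOWN; fetching the issuer from the AIA "CA Issuers" URL, as the answer mentions, would be the extension to add for that case.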