How do I check if my SSL certificates have been revoked?

Solution 1:

Get the OCSP URL from your cert:

$ openssl x509 -noout -ocsp_uri -in /etc/letsencrypt/archive/31337.it/cert1.pem
http://ocsp.int-x1.letsencrypt.org/
$

Send a request to the OCSP server to check if the cert is revoked or not:

$ openssl ocsp -issuer /etc/letsencrypt/archive/31337.it/chain4.pem -cert /etc/letsencrypt/archive/31337.it/cert4.pem -text -url http://ocsp.int-x1.letsencrypt.org/ -header "HOST" "ocsp.int-x1.letsencrypt.org"
...
        This Update: Oct 29 10:00:00 2015 GMT
        Next Update: Nov  5 10:00:00 2015 GMT
$

This is a good cert.

This is a revoked cert:

$ openssl ocsp -issuer /etc/letsencrypt/archive/31337.it/chain3.pem -cert /etc/letsencrypt/archive/31337.it/cert3.pem -text -url http://ocsp.int-x1.letsencrypt.org/ -header "HOST" "ocsp.int-x1.letsencrypt.org"
...
        This Update: Oct 29 12:00:00 2015 GMT
        Next Update: Nov  5 12:00:00 2015 GMT
        Revocation Time: Oct 29 12:33:57 2015 GMT
$
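
The two steps above can be scripted; the following is an added example, not part of the original answer. The function names ocsp_status and check_revocation are hypothetical, the sample line at the end is constructed from the dates shown above, and the explicit Host header used in the answer is left out on the assumption that the responder does not require it.

```shell
#!/bin/sh
# Classify the text printed by `openssl ocsp` (read on stdin).
# Prints good, revoked, unknown or error; returns 0 only for "good".
# The verdict is read from the output text, not from openssl's exit code.
ocsp_status() {
    awk '
        # A reply that failed signature checks or an error from the
        # responder must never be reported as "good".
        /Response Verify Failure|Responder Error/ { bad = 1 }
        # Status line, e.g. "cert4.pem: good" or "Cert Status: revoked".
        /: (good|revoked|unknown)$/ && !status { status = $NF }
        # A revocation time only appears for revoked certificates.
        /Revocation Time:/ { revoked_at = 1 }
        END {
            if (bad || !status) { print "error"; exit 2 }
            if (status == "good" && revoked_at) status = "revoked"
            print status
            exit (status == "good" ? 0 : 1)
        }'
}

# Read the responder URL from the certificate, query it, classify the reply.
# Usage: check_revocation CERT.pem ISSUER_CHAIN.pem   (needs network access)
check_revocation() {
    cert=$1
    issuer=$2
    url=$(openssl x509 -noout -ocsp_uri -in "$cert") || return 2
    [ -n "$url" ] || { echo "no OCSP URL in $cert" >&2; return 2; }
    openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" 2>&1 | ocsp_status
}

# Offline demonstration on constructed output; prints "revoked".
printf 'cert3.pem: revoked\n\tRevocation Time: Oct 29 12:33:57 2015 GMT\n' \
    | ocsp_status || true
```

A certificate with no OCSP URL, or a reply that cannot be verified, is reported as an error rather than as good, so a monitoring job using this should alert on any result other than "good".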

Solution 2:

You can use certutil on Windows:

If you have a certificate and want to verify its validity, perform the following command:

certutil -f -urlfetch -verify [FilenameOfCertificate]

For example, use

certutil -f -urlfetch -verify mycertificatefile.cer

Source / More info: TechNet

Additionally, be sure to check with your CA. Just because you rekey the cert / get a new one, does not mean they automatically revoke it!

Solution 3:

You can use this SSLLabs service to test SSL certificates, but they need to be accessible from the web. Moreover, you can find out some more information, because this service provides some auditing.