{"id":10463,"date":"2021-03-10T15:49:17","date_gmt":"2021-03-10T15:49:17","guid":{"rendered":"http:\/\/www.max-sperling.bplaced.net\/?p=10463"},"modified":"2024-02-16T10:36:28","modified_gmt":"2024-02-16T10:36:28","slug":"certificate-status-checking","status":"publish","type":"post","link":"http:\/\/www.max-sperling.bplaced.net\/?p=10463","title":{"rendered":"Certificate status checking"},"content":{"rendered":"

A certificate has a specific expiary date and if it got untrusted by the CA in this time (e.g. its private key has been leaked) you want to know that.<\/p>\n

\n

CRL<\/strong> (Certificate Revocation List)
\n

\"PlantUML\nparticipant “Client” as C
\nparticipant “Server” as S
\nparticipant “CRL Server” as CRLS<\/p>\n

== Connection setup ==
\nC -> S : Start TLS handshake
\nS -> C : Send certificate
\nC -> CRLS : Download CRL
\nC -> C : Check cert. status
\nalt Certificate revoked
\n C -> S : Abort TLS handshake
\nelse else
\n C -> S : Finish TLS handshake
\nend
\n\" usemap=\"#plantuml_map\"><\/p><\/p>\n

Contra: Downloading the CRL generates traffic.<\/p>\n

\n

OCSP<\/strong> (Online Certificate Status Protocol)
\n

\"PlantUML\nparticipant “Client” as C
\nparticipant “Server” as S
\nparticipant “OCSP Server” as OCSPS
\nparticipant “CRL Server” as CRS<\/p>\n

== Precondition ==
\nOCSPS -> CRS : Download CRL
\n== Connection setup ==
\nC -> S : Start TLS handshake
\nS -> C : Send certificate
\nC -> OCSPS : Request cert. status via serial number
\nalt Certificate revoked
\n C -> S : Abort TLS handshake
\nelse else
\n C -> S : Finish TLS handshake
\nend
\n\" usemap=\"#plantuml_map\"><\/p><\/p>\n

Contra: The OSCP Server knows your requests.<\/p>\n

\n

OCSP Stapling<\/strong> (Online Certificate Status Protocol Stapling)
\n

\"PlantUML\nparticipant “Client” as C
\nparticipant “Server” as S
\nparticipant “OCSP Server” as OCSPS
\nparticipant “CRL Server” as CRS<\/p>\n

== Precondition ==
\nOCSPS -> CRS : Download CRL
\n== Connection setup ==
\nC -> S : Start TLS handshake
\nS -> OCSPS: Request cert. status via serial number
\nS -> C : Send certificate + status
\nalt Certificate revoked
\n C -> S : Abort TLS handshake
\nelse else
\n C -> S : Finish TLS handshake
\nend
\n\" usemap=\"#plantuml_map\"><\/p><\/p>\n

Contra: Nothing yet.<\/p>\n","protected":false},"excerpt":{"rendered":"

A certificate has a specific expiary date and if it got untrusted by the CA in this time (e.g. its<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false},"categories":[26],"tags":[],"_links":{"self":[{"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/posts\/10463"}],"collection":[{"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=10463"}],"version-history":[{"count":1,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/posts\/10463\/revisions"}],"predecessor-version":[{"id":16802,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/posts\/10463\/revisions\/16802"}],"wp:attachment":[{"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=10463"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=10463"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=10463"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}