OPENSSL verify ocsp
1. Get a certificate with an OCSP
openssl s_client -connect revoked.badssl.com:443 \
2>&1 < /dev/null \
| sed -n '/-----BEGIN/,/-----END/p' \
< cert.pem \
Exmaple certificate
-----BEGIN CERTIFICATE-----
MIIGhjCCBW6gAwIBAgIQDS5nopiFO5pUUuOihaRXLzANBgkqhkiG9w0BAQsFADBZ
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMTMwMQYDVQQDEypS
YXBpZFNTTCBUTFMgRFYgUlNBIE1peGVkIFNIQTI1NiAyMDIwIENBLTEwHhcNMjEx
MDI3MDAwMDAwWhcNMjIxMDI3MjM1OTU5WjAdMRswGQYDVQQDExJyZXZva2VkLmJh
ZHNzbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwdi1VZtxy
iqCehZI4f1vhk42tBsit6Ym07x53WzNFFmB9MzhoBNfJg0KD2TBLVEkUyu2+DHa6
X6ZcM3g/OfJJqIgy7lMhFNOqXFg8Ocz3gLEnH1R5e2yL/0GqOSSVX3G8Sb85O6XV
4aXeHUCBJdyKR4L+zXxLLAS70ydWUaBh8tLLVQglKoXbLAaNDWHCWz6bRtxY/xMn
vgpEHmj+4fa33p+ObMS1GfrX009VqGF522Evapws8cSBu57SAgW6nBSg+fNUeX1p
2bpmHIeVQVAO+V7ht731MSTFISEDis9teFje2TB9A0JS1rAbuclUG1royFPwrCuC
ECemqXAlrvinAgMBAAGjggOEMIIDgDAfBgNVHSMEGDAWgBSkjeW+fHnkcCNtLik0
rSNY3PUxfzAdBgNVHQ4EFgQUsMjOILJ4zB0j7/D+1g4pS6wVcjwwHQYDVR0RBBYw
FIIScmV2b2tlZC5iYWRzc2wuY29tMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAU
BggrBgEFBQcDAQYIKwYBBQUHAwIwgZsGA1UdHwSBkzCBkDBGoESgQoZAaHR0cDov
L2NybDMuZGlnaWNlcnQuY29tL1JhcGlkU1NMVExTRFZSU0FNaXhlZFNIQTI1NjIw
MjBDQS0xLmNybDBGoESgQoZAaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL1JhcGlk
U1NMVExTRFZSU0FNaXhlZFNIQTI1NjIwMjBDQS0xLmNybDA+BgNVHSAENzA1MDMG
BmeBDAECATApMCcGCCsGAQUFBwIBFhtodHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9D
UFMwgYUGCCsGAQUFBwEBBHkwdzAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGln
aWNlcnQuY29tME8GCCsGAQUFBzAChkNodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5j
b20vUmFwaWRTU0xUTFNEVlJTQU1peGVkU0hBMjU2MjAyMENBLTEuY3J0MAkGA1Ud
EwQCMAAwggF9BgorBgEEAdZ5AgQCBIIBbQSCAWkBZwB2ACl5vvCeOTkh8FZzn2Ol
d+W+V32cYAr4+U1dJlwlXceEAAABfMOk9zcAAAQDAEcwRQIgd7B5GPPeNHD68hvC
MjnIyJWwyHqPYiNY3a35G76Ele0CIQDdJWhHo4RflbHq57wKCZL5WlZyMewH1saX
TUx7kHVkrgB2AFGjsPX9AXmcVm24N3iPDKR6zBsny/eeiEKaDf7UiwXlAAABfMOk
92QAAAQDAEcwRQIgTCL/ZTlrfnsVIXlEwuu4TCrJpceszl9qXei3JMV27BkCIQCU
XgLuFGCAlrwOORYBqDefFbm5ug+iDFoXkKXhMzZF8gB1AEHIyrHfIkZKEMahOglC
h15OMYsbA+vrS8do8JBilgb2AAABfMOk9t8AAAQDAEYwRAIgaIpfULd22n40MqV3
Aqb6p4e720FcgEAsBeUJ3T/MbZ8CIHsdZEhhGXW2N9E8Hjh4hnryeRQIQujdD/84
Ojw22b/ZMA0GCSqGSIb3DQEBCwUAA4IBAQDVjL2+5NyUpLfzSa/EmSbaJ2ja6LjB
usYwthaqUP70dwfrmfLa3XcdGYL3JCo7oGPg2wm+EH/FH4G6r55JzjIwSRePdMbW
zWrYO0d78OAMu8COOh2jf5Ksfo3cpLUwKlcTI6fuJcY37UiyStAB/IXlweLg3Ixh
dKqvaCgmRZSjsUzJXMeSomxKgG/dSPpPBLJKcxfy+R6OXOkj7FP/PseKthiJvHdF
Z0uac3VrV8jAasuEHfTt73AWd47zGo67lfPr+FrkqbHfHTarCt2Rry1xPKuXGAPc
XBqpsdu2SEDHGaeBFAsNzjhv2s/OD2QTKPNNZxss0RZUGW+qCFSjTWdk
-----END CERTIFICATE-----
2. Get the issuer certificate
openssl s_client -connect revoked.badssl.com:443 -showcerts 2>&1 < /dev/null
Example certificate chain:
-----BEGIN CERTIFICATE-----
MIIGhjCCBW6gAwIBAgIQDS5nopiFO5pUUuOihaRXLzANBgkqhkiG9w0BAQsFADBZ
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMTMwMQYDVQQDEypS
YXBpZFNTTCBUTFMgRFYgUlNBIE1peGVkIFNIQTI1NiAyMDIwIENBLTEwHhcNMjEx
MDI3MDAwMDAwWhcNMjIxMDI3MjM1OTU5WjAdMRswGQYDVQQDExJyZXZva2VkLmJh
ZHNzbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwdi1VZtxy
iqCehZI4f1vhk42tBsit6Ym07x53WzNFFmB9MzhoBNfJg0KD2TBLVEkUyu2+DHa6
X6ZcM3g/OfJJqIgy7lMhFNOqXFg8Ocz3gLEnH1R5e2yL/0GqOSSVX3G8Sb85O6XV
4aXeHUCBJdyKR4L+zXxLLAS70ydWUaBh8tLLVQglKoXbLAaNDWHCWz6bRtxY/xMn
vgpEHmj+4fa33p+ObMS1GfrX009VqGF522Evapws8cSBu57SAgW6nBSg+fNUeX1p
2bpmHIeVQVAO+V7ht731MSTFISEDis9teFje2TB9A0JS1rAbuclUG1royFPwrCuC
ECemqXAlrvinAgMBAAGjggOEMIIDgDAfBgNVHSMEGDAWgBSkjeW+fHnkcCNtLik0
rSNY3PUxfzAdBgNVHQ4EFgQUsMjOILJ4zB0j7/D+1g4pS6wVcjwwHQYDVR0RBBYw
FIIScmV2b2tlZC5iYWRzc2wuY29tMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAU
BggrBgEFBQcDAQYIKwYBBQUHAwIwgZsGA1UdHwSBkzCBkDBGoESgQoZAaHR0cDov
L2NybDMuZGlnaWNlcnQuY29tL1JhcGlkU1NMVExTRFZSU0FNaXhlZFNIQTI1NjIw
MjBDQS0xLmNybDBGoESgQoZAaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL1JhcGlk
U1NMVExTRFZSU0FNaXhlZFNIQTI1NjIwMjBDQS0xLmNybDA+BgNVHSAENzA1MDMG
BmeBDAECATApMCcGCCsGAQUFBwIBFhtodHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9D
UFMwgYUGCCsGAQUFBwEBBHkwdzAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGln
aWNlcnQuY29tME8GCCsGAQUFBzAChkNodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5j
b20vUmFwaWRTU0xUTFNEVlJTQU1peGVkU0hBMjU2MjAyMENBLTEuY3J0MAkGA1Ud
EwQCMAAwggF9BgorBgEEAdZ5AgQCBIIBbQSCAWkBZwB2ACl5vvCeOTkh8FZzn2Ol
d+W+V32cYAr4+U1dJlwlXceEAAABfMOk9zcAAAQDAEcwRQIgd7B5GPPeNHD68hvC
MjnIyJWwyHqPYiNY3a35G76Ele0CIQDdJWhHo4RflbHq57wKCZL5WlZyMewH1saX
TUx7kHVkrgB2AFGjsPX9AXmcVm24N3iPDKR6zBsny/eeiEKaDf7UiwXlAAABfMOk
92QAAAQDAEcwRQIgTCL/ZTlrfnsVIXlEwuu4TCrJpceszl9qXei3JMV27BkCIQCU
XgLuFGCAlrwOORYBqDefFbm5ug+iDFoXkKXhMzZF8gB1AEHIyrHfIkZKEMahOglC
h15OMYsbA+vrS8do8JBilgb2AAABfMOk9t8AAAQDAEYwRAIgaIpfULd22n40MqV3
Aqb6p4e720FcgEAsBeUJ3T/MbZ8CIHsdZEhhGXW2N9E8Hjh4hnryeRQIQujdD/84
Ojw22b/ZMA0GCSqGSIb3DQEBCwUAA4IBAQDVjL2+5NyUpLfzSa/EmSbaJ2ja6LjB
usYwthaqUP70dwfrmfLa3XcdGYL3JCo7oGPg2wm+EH/FH4G6r55JzjIwSRePdMbW
zWrYO0d78OAMu8COOh2jf5Ksfo3cpLUwKlcTI6fuJcY37UiyStAB/IXlweLg3Ixh
dKqvaCgmRZSjsUzJXMeSomxKgG/dSPpPBLJKcxfy+R6OXOkj7FP/PseKthiJvHdF
Z0uac3VrV8jAasuEHfTt73AWd47zGo67lfPr+FrkqbHfHTarCt2Rry1xPKuXGAPc
XBqpsdu2SEDHGaeBFAsNzjhv2s/OD2QTKPNNZxss0RZUGW+qCFSjTWdk
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFUTCCBDmgAwIBAgIQB5g2A63jmQghnKAMJ7yKbDANBgkqhkiG9w0BAQsFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0yMDA3MTYxMjI1MjdaFw0yMzA1MzEyMzU5NTlaMFkxCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxMzAxBgNVBAMTKlJhcGlkU1NMIFRMUyBE
ViBSU0EgTWl4ZWQgU0hBMjU2IDIwMjAgQ0EtMTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBANpuQ1VVmXvZlaJmxGVYotAMFzoApohbJAeNpzN+49LbgkrM
Lv2tblII8H43vN7UFumxV7lJdPwLP22qa0sV9cwCr6QZoGEobda+4pufG0aSfHQC
QhulaqKpPcYYOPjTwgqJA84AFYj8l/IeQ8n01VyCurMIHA478ts2G6GGtEx0ucnE
fV2QHUL64EC2yh7ybboo5v8nFWV4lx/xcfxoxkFTVnAIRgHrH2vUdOiV9slOix3z
5KPs2rK2bbach8Sh5GSkgp2HRoS/my0tCq1vjyLJeP0aNwPd3rk5O8LiffLev9j+
UKZo0tt0VvTLkdGmSN4h1mVY6DnGfOwp1C5SK0MCAwEAAaOCAgswggIHMB0GA1Ud
DgQWBBSkjeW+fHnkcCNtLik0rSNY3PUxfzAfBgNVHSMEGDAWgBQD3lA1VtFMu2bw
o+IbG8OXsj3RVTAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
CCsGAQUFBwMCMBIGA1UdEwEB/wQIMAYBAf8CAQAwNAYIKwYBBQUHAQEEKDAmMCQG
CCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wewYDVR0fBHQwcjA3
oDWgM4YxaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsUm9v
dENBLmNybDA3oDWgM4YxaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0
R2xvYmFsUm9vdENBLmNybDCBzgYDVR0gBIHGMIHDMIHABgRVHSAAMIG3MCgGCCsG
AQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMIGKBggrBgEFBQcC
AjB+DHxBbnkgdXNlIG9mIHRoaXMgQ2VydGlmaWNhdGUgY29uc3RpdHV0ZXMgYWNj
ZXB0YW5jZSBvZiB0aGUgUmVseWluZyBQYXJ0eSBBZ3JlZW1lbnQgbG9jYXRlZCBh
dCBodHRwczovL3d3dy5kaWdpY2VydC5jb20vcnBhLXVhMA0GCSqGSIb3DQEBCwUA
A4IBAQAi49xtSOuOygBycy50quCThG45xIdUAsQCaXFVRa9asPaB/jLINXJL3qV9
J0Gh2bZM0k4yOMeAMZ57smP6JkcJihhOFlfQa18aljd+xNc6b+GX6oFcCHGr+gsE
yPM8qvlKGxc5T5eHVzV6jpjpyzl6VEKpaxH6gdGVpQVgjkOR9yY9XAUlFnzlOCpq
sm7r2ZUKpDfrhUnVzX2nSM15XSj48rVBBAnGJWkLPijlACd3sWFMVUiKRz1C5PZy
el2l7J/W4d99KFLSYgoy5GDmARpwLc//fXfkr40nMY8ibCmxCsjXQTe0fJbtrrLL
yWQlk9VDV296EI/kQOJNLVEkJ54P
-----END CERTIFICATE-----
3. Send the OCSP request
openssl ocsp -issuer chain.pem -cert revoked.badssl.pem -text -url http://ocsp.digicert.com
OCSP Request/Response
1. OCSP Request
3051304f304d304b3049300906052b0e03021a0500041474b4e72319c765921540447bc7ce3e90c21876eb0414a48de5be7c79e470236d2e2934ad2358dcf5317f02100d2e67a298853b9a5452e3a285a4572f
2. OCSP Response: revoked certificate
308201e60a0100a08201df308201db06092b0601050507300101048201cc308201c83081b1a2160414a48de5be7c79e470236d2e2934ad2358dcf5317f180f32303232303632373031323435395a3081853081823049300906052b0e03021a0500041474b4e72319c765921540447bc7ce3e90c21876eb0414a48de5be7c79e470236d2e2934ad2358dcf5317f02100d2e67a298853b9a5452e3a285a4572fa111180f32303231313032373231333834385a180f32303232303632373031303930315aa011180f32303232303730343030323430315a300d06092a864886f70d01010b050003820101007041cc26fcea875f92a10ef21a3b09e7739840683fc88d61e5130456bba56fa3a66a3198b049d68289f03d5b1ad27378608ee962acedb14c67002d1cc941d1cd251b89814334318105e95baa910c914c6bb5d78951f193db76238a956dfc04c370d0a31b2c1c04058f69f2886bd20b35669f8b0fd966a51358dcff87e6b6338f52c8d19f7c7e9ff17a104344d1d3b800f776f50c9927e6524bf431f2b78847549fcada38c0ac9ad8d02edb0d7b3a249afca30032a6ce61898dc8f222c0b53d8227ff7ed8b2fae088ec813c52c2ea44418e5d1be2cb1094304ebcc987bc893149b50195d331b9370bce2b7ce909c38fb20843c8f08b21c262915e392de4c2d408
3. OCSP Response: valid certificate
308205940a0100a082058d3082058906092b06010505073001010482057a3082057630819aa2160414d677fe585db30e7d5a90eadab153ffa8ba74cca6180f32303232303632373037323131305a306f306d3045300906052b0e03021a050004146b7064fe6a7443dc2d6d5b79ecaca7ae5c2ec33f0414f8ef7ff2cd7867a8de6f8f248d88f1870302b3eb020c0c9f8ed512b7e41db03922908000180f32303232303632373037323131305aa011180f32303232303730313037323131305a300d06092a864886f70d01010b0500038201010018e2395197ce93d41bd8626d120b2e71b60c5a0581d4948ca03729fc6d54a368d106394cb0ffe1a5e7de56afaa6eee83a3ee326cabb1a188954907819988a7f2ee19704b18e90f07b38dc360344e7a8366b46ad0f700de3dab8a72e52785da14f407f6e22da96b953316601e4ebb0e0f9f9d77152f26287de7de5bfd9650edb15b57f71d1aaf4fd389ed2668ac453da1f06addc593cbfb43d649b26f42d5df4b3e2a70255af65afc68046b623eaf79bda7bca76bc72ed86075a44b9ee5457113844477fc84ab7b0353c6240e66fc7ae6d3379bac87430c77150c37908c1739c6cc84a699228c5e4b4f852f93c9b1ade9f52f5c9f04678f03bb005de0a0cf9d4aa08203c1308203bd308203b9308202a1a003020102020c20f4fd7c56325a665c31c08c300d06092a864886f70d01010b05003050310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d7361312630240603550403131d476c6f62616c5369676e20525341204f562053534c2043412032303138301e170d3232303531323037343131365a170d3232303831323037343131355a306b310b300906035504061302424531193017060355040a0c10476c6f62616c5369676e206e762d7361311530130603550405130c323031393036313130303034312a302806035504030c2167737273616f7673736c6361323031384341204f43535020526573706f6e64657230820122300d06092a864886f70d01010105000382010f003082010a0282010100a1ead9b49db6d1ece8e7e8e88e4bdc38c765010c70adec2a32fd10db42bc8c088c1595f97651ff44dac532d14b9799268422bc28ee07d6db5e87b38f492c59ccd503d229a645089a48ff445eb6a56546e0f4359c1691a4b1ced3ccec0382e703e54cb5428de691b2472badc943c356e68a482825d7dc4e8c38d702ceaf2a0a441e6dbaf57c16204e5850e0a96650e8a6635ccc4523165ecb9374815c236a76f73ed7d22f59e0a601e2f358ff15cd61e93269c62cf49397de856f1a826fae5722609788f71ed5f12f49d7ff2c43941dd13cdd286c8dbed0b53ca27e459ba7f1d6c7f6bf82478bfa785872e31cb04833220fd9e4d1433bd832210130f28df4bef70203010001a3783076301f0603551d23041830168014f8ef7ff2cd7867a8de6f8f248d88f1870302b3eb300f06092b06010505073001050402050030130603551d25040c300a06082b06010505070309301d0603551d0e04160414d677fe585db30e7d5a90eadab153ffa8ba74cca6300e0603551d0f0101ff040403020780300d06092a864886f70d01010b0500038201010035516bb0bab156247f76aaf338343309e0b315bb5dd3f6fc8e7485b80af2d8cb0b3bd15e2b1abc3f7cac11b4da80b97d861cafbbf9efec9f05aadd99dfa8b7eafd21d2bc78d4c63599657b78ad2f926373e9f8d53f9b89f7ae0519f52ffbeda7ea4e274fcd800bc39fc302b15919c87ee9906b0c5939f608efaf9c3b09a59e17b45cf6dc1d849afaa7f48c7139619d23f99d06494c869d8f4f2aee5b337f6966fc0c9f05f916bab0d75a48014b58ad3091854963a86b5118c30d88ebf88ba625146ab58aa6a6915c7e8cae47d0dec7bf17a470d2c75a29af22e16795efb6df11798c08eb9e621ff8eb614554d81b2bf3d765e1aacfd964a2980f81b6953e5362