Browsers (except Google Chrome, see the note below) use the OCSP protocol to check whether a certificate is still valid.
The certificate carries an OCSP URI field, and the browser sends its status check to that URI. You can see the field with:
openssl s_client -showcerts -connect google.com:443 < /dev/null | openssl x509 -noout -text | grep OCSP
The request is sent to the OCSP server by HTTP POST and carries three parameters: issuerNameHash, issuerKeyHash and serialNumber.
The response carries a CertStatus, defined as:
    CertStatus ::= CHOICE {
        good        [0] IMPLICIT NULL,
        revoked     [1] IMPLICIT RevokedInfo,
        unknown     [2] IMPLICIT UnknownInfo }
The following explanation is excerpted from RFC 6960:
The "good" state indicates a positive response to the status inquiry.
At a minimum, this positive response indicates that no certificate
with the requested certificate serial number currently within its
validity interval is revoked. This state does not necessarily mean
that the certificate was ever issued or that the time at which the
response was produced is within the certificate's validity interval.
Response extensions may be used to convey additional information on
assertions made by the responder regarding the status of the
certificate, such as a positive statement about issuance, validity,
etc.
The "revoked" state indicates that the certificate has been revoked,
either temporarily (the revocation reason is certificateHold) or
permanently. This state MAY also be returned if the associated CA
has no record of ever having issued a certificate with the
certificate serial number in the request, using any current or
previous issuing key (referred to as a "non-issued" certificate in
this document).
The "unknown" state indicates that the responder doesn't know about
the certificate being requested, usually because the request
indicates an unrecognized issuer that is not served by this
responder.
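As an added example (not code from the original post, and not any OCSP library's implementation), the following standard-library Python builds the OCSP request described above from the three CertID parameters, shows the HTTP POST to the OCSP URI, and decodes the three CertStatus values into the states RFC 6960 describes, including the certificateHold case that marks a temporary revocation. All DER is hand-encoded; the issuer name, issuer key bits and serial number at the bottom are constructed sample values, not those of any real CA.

```python
"""OCSP request builder and CertStatus decoder (RFC 6960), standard library only.
Added example, not from the original post; the issuer name, key and serial below
are constructed sample values."""
import hashlib
import urllib.request


def der_len(n):
    """DER length: one byte below 128, otherwise 0x80|count plus big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def read_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, offset of first content byte)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def tlv(tag, content):
    """Tag-length-value wrapper; `tag` is the complete identifier octet."""
    return bytes([tag]) + der_len(len(content)) + content


def der_integer(value):
    """DER INTEGER for a non-negative value (leading zero byte added when the high bit is set)."""
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


# AlgorithmIdentifier for SHA-1 (OID 1.3.14.3.2.26) with NULL parameters.
SHA1_ALG_ID = bytes.fromhex("300906052b0e03021a0500")


def build_ocsp_request(issuer_name_der, issuer_public_key_bits, serial):
    """Unsigned OCSPRequest ::= SEQUENCE { TBSRequest ::= SEQUENCE { requestList } },
    requestList = SEQUENCE OF Request ::= SEQUENCE { CertID }, with
    CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }.
    issuerNameHash hashes the issuer's DER Name; issuerKeyHash hashes the value of the
    issuer's subjectPublicKey BIT STRING (tag and length excluded). Version omitted = v1."""
    cert_id = tlv(0x30, SHA1_ALG_ID
                  + tlv(0x04, hashlib.sha1(issuer_name_der).digest())
                  + tlv(0x04, hashlib.sha1(issuer_public_key_bits).digest())
                  + der_integer(serial))
    request_list = tlv(0x30, tlv(0x30, cert_id))
    return tlv(0x30, tlv(0x30, request_list))


def send_ocsp_request(ocsp_uri, request_der, timeout=10):
    """POST the DER request to the certificate's OCSP URI (RFC 6960, Appendix A); returns DER OCSPResponse."""
    req = urllib.request.Request(ocsp_uri, data=request_der,
                                 headers={"Content-Type": "application/ocsp-request"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def parse_cert_status(der):
    """Decode a CertStatus CHOICE (the certStatus bytes of one SingleResponse).
    good    [0] IMPLICIT NULL        -> identifier 0x80, empty
    revoked [1] IMPLICIT RevokedInfo -> identifier 0xA1 (constructed), SEQUENCE contents
    unknown [2] IMPLICIT UnknownInfo -> identifier 0x82, empty (UnknownInfo ::= NULL)
    IMPLICIT tagging replaces the universal tag, so NULL's 0x05 never appears here."""
    tag = der[0]
    length, pos = read_len(der, 1)
    body = der[pos:pos + length]
    if tag == 0x80:
        return {"status": "good"}     # no revoked cert with this serial; proves nothing about issuance
    if tag == 0x82:
        return {"status": "unknown"}  # responder does not serve this issuer
    if tag != 0xA1:
        raise ValueError("unexpected CertStatus identifier 0x%02x" % tag)
    # RevokedInfo ::= SEQUENCE { revocationTime GeneralizedTime,
    #                            revocationReason [0] EXPLICIT CRLReason OPTIONAL }
    if body[0] != 0x18:
        raise ValueError("RevokedInfo must start with GeneralizedTime")
    tlen, tpos = read_len(body, 1)
    result = {"status": "revoked", "revocation_time": body[tpos:tpos + tlen].decode("ascii"),
              "reason": None, "temporary": False}
    rest = body[tpos + tlen:]
    if rest and rest[0] == 0xA0:      # EXPLICIT [0] wraps an ENUMERATED (0x0A)
        rlen, rpos = read_len(rest, 1)
        enum = rest[rpos:rpos + rlen]
        if enum[0] != 0x0A:
            raise ValueError("CRLReason must be ENUMERATED")
        elen, epos = read_len(enum, 1)
        result["reason"] = int.from_bytes(enum[epos:epos + elen], "big")
        result["temporary"] = result["reason"] == 6   # certificateHold: only temporarily revoked
    return result


# Constructed sample input: Name CN=Example Issuer CA, a dummy key BIT STRING value
# (leading 0x00 = no unused bits) and an arbitrary serial number.
ISSUER_NAME_DER = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403"))
                                           + tlv(0x0C, b"Example Issuer CA"))))
ISSUER_KEY_BITS = b"\x00" + bytes(range(1, 65))
SERIAL = 0x0A1B2C3D4E5F
SAMPLE_REQUEST = build_ocsp_request(ISSUER_NAME_DER, ISSUER_KEY_BITS, SERIAL)

# Constructed sample CertStatus values as they would sit inside a SingleResponse.
STATUS_GOOD = b"\x80\x00"
STATUS_UNKNOWN = b"\x82\x00"
STATUS_REVOKED_HOLD = tlv(0xA1, tlv(0x18, b"20240101120000Z") + tlv(0xA0, tlv(0x0A, b"\x06")))
```

To run it against a live responder, pass the OCSP URI printed by the openssl command above together with the real issuer Name and key bits to build_ocsp_request and send_ocsp_request; the responder's DER OCSPResponse then has to be unwrapped (and its signature verified) before parse_cert_status is applied to the certStatus field.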
Note: for performance reasons Google Chrome does not use OCSP; it uses its own mechanism instead, a periodically updated local list.