To check if the certificate for google.com has been revoked, I tried the following command:

    curl https://www.google.com --cacert GeoTrust_Global_CA.pem --crlfile gtglobal.pem -v

but I got the dreaded "SSL certificate problem" error:

    * About to connect() to www.google.com port 443 (#0)
    * Trying 22.214.171.124... connected
    * successfully set certificate verify locations:
    * CAfile: GeoTrust_Global_CA.pem
      CApath: /etc/ssl/certs
    * successfully load CRL file:
    * CRLfile: gtglobal.pem
    * SSLv3, TLS handshake, Client hello (1):
    * SSLv3, TLS handshake, Server hello (2):
    * SSLv3, TLS handshake, CERT (11):
    * SSLv3, TLS alert, Server hello (2):
    * SSL certificate problem, verify that the CA cert is OK. Details:
    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    * Closing connection #0
    curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    More details here: http://curl.haxx.se/docs/sslcerts.html

I guess this error is not correct, since Google should have a valid certificate.
Do you know how I could issue a curl command that does this correctly?
If you're wondering why I used those specific files (GeoTrust_Global_CA.pem and gtglobal.pem) in the curl command, this is how I proceeded:
- I first looked at what CA issued the certificate for https://www.google.com. Turns out it is GeoTrust Global CA;
- I downloaded the GeoTrust Global CA root certificate from here (this is the GeoTrust_Global_CA.pem file);
- I downloaded the corresponding CRL (certificate revocation list) from here (this is the gtglobal.pem file).
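
An added example, not part of the original post: the same root-plus-CRL check done with `openssl verify -crl_check`, which names the specific verification result (good, revoked, or no CRL available) instead of the generic "certificate verify failed" seen in the curl output. The CA, certificates and CRL are constructed throwaway files rather than GeoTrust or Google material, and the function names `make_demo_pki` and `revocation_status` are hypothetical.

```bash
# Added example: CRL checking against a CONSTRUCTED throwaway CA.
make_demo_pki() {            # $1 = existing empty directory
  ( set -e; cd "$1"
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = .
serial = serial
default_md = sha256
default_days = 1
default_crl_days = 1
policy = pol
[ pol ]
commonName = supplied
EOF
    : > index.txt; echo 01 > serial
    # Self-signed root, then two leaves; one leaf is revoked before the CRL is issued.
    openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
      -keyout ca.key -out ca.pem -subj "/CN=Demo Root CA" -days 1
    for n in good revoked; do
      openssl req -config ca.cnf -newkey rsa:2048 -nodes \
        -keyout "$n.key" -out "$n.csr" -subj "/CN=$n.example.test"
      openssl ca -batch -config ca.cnf -cert ca.pem -keyfile ca.key -in "$n.csr" -out "$n.pem"
    done
    openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key -revoke revoked.pem
    openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key -gencrl -out crl.pem
  ) >/dev/null 2>&1
}

revocation_status() {        # $1 = dir, $2 = cert file, $3 = CRL file (optional)
  if [ -n "${3:-}" ]; then
    out=$(openssl verify -CAfile "$1/ca.pem" -crl_check -CRLfile "$1/$3" "$1/$2" 2>&1) || true
  else   # CRL checking requested, but no CRL supplied for the issuer
    out=$(openssl verify -CAfile "$1/ca.pem" -crl_check "$1/$2" 2>&1) || true
  fi
  case "$out" in
    *"certificate revoked"*)           echo revoked ;;
    *"unable to get certificate CRL"*) echo no-crl ;;
    *": OK"*)                          echo good ;;
    *)                                 echo error ;;
  esac
}
```

Called as `revocation_status "$dir" good.pem crl.pem` after `make_demo_pki "$dir"`; leaving out the CRL argument shows that enabling CRL checking without a CRL for the issuer is itself a verification failure.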