Linux – how to use curl to verify if a site’s certificate has been revoked


To check if the certificate for google.com has been revoked, I tried the following command:

curl https://www.google.com --cacert GeoTrust_Global_CA.pem --crlfile gtglobal.pem -v

but I got the dreaded "SSL certificate problem" error:

* About to connect() to www.google.com port 443 (#0)
*   Trying 81.24.29.91... connected
* successfully set certificate verify locations:
*   CAfile: GeoTrust_Global_CA.pem
  CApath: /etc/ssl/certs
* successfully load CRL file:
*   CRLfile: gtglobal.pem
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

I guess this error is not correct, since Google should have a valid certificate.

Do you know how I could issue a curl command that does this correctly?

More details

If you're wondering why I used those specific files (GeoTrust_Global_CA.pem and gtglobal.pem) in the curl command, this is how I proceeded:

  • I first looked at what CA issued the certificate for https://www.google.com. Turns out it is GeoTrust Global CA;
  • I downloaded the GeoTrust Global CA root certificate from here (this is the GeoTrust_Global_CA.pem file);
  • I downloaded the corresponding CRL (certificate revocation list) from here (this is the gtglobal.pem file).

Best Answer

That's my everyday script:

curl --insecure -vvI https://www.google.com 2>&1 | awk 'BEGIN { cert=0 } /^\* Server certificate:/ { cert=1 } /^\*/ { if (cert) print }'

Output:

* Server certificate:
*    subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=www.google.com
*    start date: 2016-01-07 11:34:33 GMT
*    expire date: 2016-04-06 00:00:00 GMT
*    issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
*    SSL certificate verify ok.
* Server GFE/2.0 is not blacklisted
* Connection #0 to host www.google.com left intact
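The CRL check the question tries to drive through curl's --cacert/--crlfile can be exercised offline with openssl alone, which is what curl delegates certificate verification to in the log above. The script below is an added example, not code from the question or the answer: it builds a throwaway CA, two leaf certificates and a CRL revoking one of them, then shows the three outcomes a defender needs to tell apart (no CRL available, valid, revoked). All names in it (Example Root CA, *.example.test) are constructed.

```shell
#!/bin/sh
# Added example, not code from the original question or answer. It builds a
# throwaway CA, two leaf certificates and a CRL revoking one of them, then runs
# the same OpenSSL CRL check curl performs behind --cacert/--crlfile.
# Every name here (Example Root CA, *.example.test) is constructed for the demo.

# Create ca.pem, good.pem, revoked.pem and crl.pem inside directory $1.
make_demo_pki() {
  ( cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
        -keyout ca.key -out ca.pem 2>/dev/null || exit 1
    for name in good revoked; do
      openssl req -newkey rsa:2048 -nodes -subj "/CN=$name.example.test" \
          -keyout "$name.key" -out "$name.csr" 2>/dev/null || exit 1
      openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
          -days 30 -out "$name.pem" 2>/dev/null || exit 1
    done
    # Minimal 'openssl ca' config: a database, counters and the CA key pair.
    printf '[ca]\ndefault_ca = demo\n[demo]\ndatabase = index.txt\nserial = serial\n' > ca.cnf
    printf 'crlnumber = crlnumber\ncertificate = ca.pem\nprivate_key = ca.key\n' >> ca.cnf
    printf 'default_md = sha256\ndefault_crl_days = 7\n' >> ca.cnf
    : > index.txt; echo 01 > serial; echo 01 > crlnumber
    openssl ca -config ca.cnf -revoke revoked.pem 2>/dev/null || exit 1
    openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null )
}

# Verify $2.pem in directory $1 with CRL checking enabled. Pass "crl" as $3 to
# supply crl.pem, as --crlfile does. Prints OK, REVOKED, NO_CRL or the raw error.
# -crl_check_all is what curl enables: a CRL must be found for every certificate
# in the chain, so a chain with an intermediate needs the intermediate's CRL too.
crl_verdict() {
  out=$(cd "$1" && openssl verify -crl_check_all -CAfile ca.pem \
        ${3:+-CRLfile crl.pem} "$2.pem" 2>&1) || true
  case "$out" in
    *"certificate revoked"*)           echo REVOKED ;;
    *"unable to get certificate CRL"*) echo NO_CRL ;;
    *": OK"*)                          echo OK ;;
    *)                                 echo "UNEXPECTED: $out" ;;
  esac
}

DEMO_DIR=$(mktemp -d)
make_demo_pki "$DEMO_DIR" || { echo "openssl setup failed"; exit 1; }
echo "good leaf, no CRL given:  $(crl_verdict "$DEMO_DIR" good)"        # NO_CRL
echo "good leaf, CRL given:     $(crl_verdict "$DEMO_DIR" good crl)"    # OK
echo "revoked leaf, CRL given:  $(crl_verdict "$DEMO_DIR" revoked crl)" # REVOKED
```

The first line is the failure mode to watch for: with CRL checking on, a missing CRL for any certificate in the chain fails verification just as a revoked one does, so a bare "certificate verify failed" from curl does not by itself mean the site is revoked.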