To check if the certificate for google.com has been revoked, I tried the following command:
curl https://www.google.com --cacert GeoTrust_Global_CA.pem --crlfile gtglobal.pem -v
, but I got the dreaded "SSL certificate problem" error:
* About to connect() to www.google.com port 443 (#0)
* Trying 81.24.29.91... connected
* successfully set certificate verify locations:
* CAfile: GeoTrust_Global_CA.pem
CApath: /etc/ssl/certs
* successfully load CRL file:
* CRLfile: gtglobal.pem
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
I guess this error is not correct, since Google should have a valid certificate.
Do you know how I could issue a curl command that does this correctly?
More details
If you're wondering why I used those specific files (GeoTrust_Global_CA.pem and gtglobal.pem) in the curl command, this is how I proceeded:
- I first looked at what CA issued the certificate for https://www.google.com. Turns out it is GeoTrust Global CA;
- I downloaded the GeoTrust Global CA root certificate from here (this is the GeoTrust_Global_CA.pem file);
- I downloaded the corresponding CRL (certificate revocation list) from here (this is the gtglobal.pem file).
Best Answer
That's my everyday script:
Ouput: