software.sslmate.com/src/ocsputil is a Go package that provides convenience functions for OCSP checking. It’s mostly a wrapper around
ocsputil.Evaluate function evaluates the reliability of a certificate’s OCSP responder, and is used by OCSP Watch.
evalocsp is a command line tool that evaluates the reliability of a certificate’s OCSP responder using
Install it with:
go install software.sslmate.com/src/ocsputil/cmd/[email protected]
Input (on stdin): Two PEM-encoded certificates – the certificate whose OCSP responder should be evaluated, followed by its issuer. The first certificate may be a precertificate, but if it’s signed by a dedicated precert signing CA, then the second certificate must be the issuer of the final certificate rather than the precertificate.
Output (on stdout): A JSON object with the following fields:
||The URL of the OCSP responder.|
||The bytes of the OCSP request, as a base64-encoded string.|
||The bytes of the OCSP response, as a base64-encoded string.|
||The length of time which the OCSP responder took to respond, formatted as a
null, then the other fields are non-null. If
error is non-null, then any of the other fields may be
null depending on the nature of the error.
Go 1.18 Bug
Go 1.18 accidentally banned SHA-1-signed OCSP responses, which can still be found in the WebPKI. To work around this, use Go 1.17, or set the environment variable
GODEBUG=x509sha1=1. This bug will be fixed in Go 1.18.1.