Check Revocation lists for CA roots

This script is a work in progress, i.e. not finished! Currently it only lists the URI where the revocation list (CRL) for each CA root can be found; no attempt is made yet to fetch that list or to check an issued certificate against it.

[user@app01 cacert-stuff]$ more revocationcheck.sh
#!/bin/bash
#written Andrew Stringer 08/11/2011

#This checks if the certs in a directory have a CRL associated with them.

TMP1=/tmp/CRLtmp1-$$
CRLCERTS=/tmp/crlcerts-$$.txt
NOCRLCERTS=/tmp/nocrlcerts-$$.txt

CAROOTDIR=/home/user/scripts/cacert-stuff/root-certs
OPENSSL=/usr/bin/openssl

#example entry for each root ca
# X509v3 CRL Distribution Points:
# URI:http://crl.verisign.com/pca3-g5.crl

# X509v3 CRL Distribution Points:
# URI:http://crl.verisign.com/pca3.crl

# X509v3 CRL Distribution Points:
# URI:http://crl.comodoca.com/AddTrustExternalCARoot.crl
# URI:http://crl.comodo.net/AddTrustExternalCARoot.crl

# X509v3 CRL Distribution Points:
# URI:http://crl.usertrust.com/UTN-USERFirst-Hardware.crl

#for CERT in `ls -1 root-certs/v*` ; do echo $CERT; openssl x509 -text -in $CERT | grep "X509v3 CRL Distribution Points"; echo
#"+++++++++++++++++++++++++++++++++++++"; done

echo "CRL certs list" > "${CRLCERTS}"
echo "==============" >> "${CRLCERTS}"
echo "No CRL certs list" > "${NOCRLCERTS}"
echo "=================" >> "${NOCRLCERTS}"

# openssl x509 -in root-certs/comodohigh-assurancesecureserverca.cer -text | grep -A 1 "X509v3 CRL Distribution Points:" | grep "URI:"

#glob the directory instead of parsing ls output, so odd file names survive
for CERT in "${CAROOTDIR}"/*
do
        #-noout: dump the text form only, not a second copy of the PEM block
        "${OPENSSL}" x509 -noout -text -in "${CERT}" > "${TMP1}" 2>&1
        if grep -q "X509v3 CRL Distribution Points" "${TMP1}"
        then
                #echo "Cert ${CERT} contains a CRL URL"

                basename "${CERT}" >> "${CRLCERTS}"
                #newer OpenSSL prints a blank line and "Full Name:" before the URI, so look a few lines further ahead
                grep -A 4 "X509v3 CRL Distribution Points:" "${TMP1}" | grep "URI:http" >> "${CRLCERTS}"
                echo "" >> "${CRLCERTS}"

        else

                #echo "Cert ${CERT} does not contain any CRL URL's"
                basename "${CERT}" >> "${NOCRLCERTS}"
                #echo "" >> "${NOCRLCERTS}"
        fi

done

cat "${CRLCERTS}"
echo "=============="
#count file names only (.cer and .crt), not the header or URI lines
echo "Total Certs $(grep -c -E '\.(cer|crt)$' "${CRLCERTS}")"
echo "=============="

echo " "
cat "${NOCRLCERTS}"
echo "=============="
echo "Total Certs $(grep -c -E '\.(cer|crt)$' "${NOCRLCERTS}")"
echo "=============="


#clear up mess
rm -f "${TMP1}" "${CRLCERTS}" "${NOCRLCERTS}"

exit 0
[user@app01 cacert-stuff]$

Sample output:

[user@app01 cacert-stuff]$ ./revocationcheck.sh
CRL certs list
==============
cacert.org.cer
            URI:https://www.cacert.org/revoke.crl

comodo_cyberslotz.cer
            URI:http://crl.comodoca.com/UTN-DATACorpSGC.crl
            URI:http://crl.comodo.net/UTN-DATACorpSGC.crl

comodohigh-assurancesecureserverca.cer
            URI:http://crl.usertrust.com/AddTrustExternalCARoot.crl
....edited....
==============
Total Certs 19
==============

No CRL certs list
=================
addtrustexternalcaroot.cer
AddTrustExternalCARoot.crt
AddTrustSwedenRootCA.crt
baltimorecodesigningca.cer
baltimorecybertrustca.cer
....edited....
verisignserverca.cer
ws-client.cer
wwca.cer
==============
Total Certs 44
==============
[user@app01 cacert-stuff]$

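The two steps the script above does not yet perform, extracting the CRL Distribution Point URI from a certificate and checking an issued certificate against a CRL with openssl verify -crl_check, as an added example that is not part of the original script. The CA name, leaf CN, file names and the CDP URL are constructed for the demo; a throwaway CA is generated locally so nothing is fetched from the network.

```shell
#!/bin/sh
# Added example (not part of the original script): the two steps the page
# leaves out, pulling the CDP URIs from a cert and checking a cert against
# a CRL. File names, CNs and the CDP URL are constructed for this demo; a
# throwaway CA issues the test certs so nothing is fetched from the network.
OPENSSL=${OPENSSL:-openssl}

# Print the CRL Distribution Point URIs of a PEM cert, one per line. Newer
# OpenSSL prints a blank line and "Full Name:" before the URI, so look
# further ahead than the 2 lines the original script uses.
crl_uris() {
    "$OPENSSL" x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A 4 'X509v3 CRL Distribution Points' \
        | sed -n 's/^ *URI://p'
}

# Check a leaf cert against its issuer and a CRL. Prints revoked, valid or
# error (unreadable input, wrong issuer, expired CRL, bad CRL signature).
crl_status() { # $1 = leaf cert, $2 = CA cert, $3 = CRL; all PEM
    out=$("$OPENSSL" verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" 2>&1 || true)
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo valid ;;
        *)                       echo error ;;
    esac
}

# Build a throwaway CA in directory $1: ca.crt, leaf.crt (carrying a CDP URI),
# empty.crl (nothing revoked) and revoked.crl (leaf.crt revoked).
make_demo_ca() (
    mkdir -p "$1" && cd "$1" || exit 1
    printf '[ca]\ndefault_ca = demo\n[demo]\ndatabase = ./index.txt\n' > ca.cnf
    : > index.txt
    ca() { "$OPENSSL" ca -config ca.cnf -keyfile ca.key -cert ca.crt -md sha256 "$@" 2>/dev/null; }
    "$OPENSSL" req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=DemoRootCA \
        -keyout ca.key -out ca.crt 2>/dev/null
    "$OPENSSL" req -newkey rsa:2048 -nodes -subj /CN=leaf.example.test \
        -keyout leaf.key -out leaf.csr 2>/dev/null
    printf 'crlDistributionPoints=URI:http://crl.example.test/demo.crl\n' > ext.cnf
    "$OPENSSL" x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 1 -extfile ext.cnf -out leaf.crt 2>/dev/null
    ca -gencrl -crldays 1 -out empty.crl
    ca -revoke leaf.crt
    ca -gencrl -crldays 1 -out revoked.crl
)
```

In production the CRL passed to crl_status would be the file downloaded from the URI that crl_uris prints (converted with openssl crl -inform DER -outform PEM if the server serves DER); the signature and nextUpdate checks that openssl verify performs are what make a stale or tampered CRL come back as error rather than valid.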
rb/revocationlistcheck.txt · Last modified: 10/10/2013 15:21 (external edit)