Because nobody seems to have documented this:

If you want to verify that your server is doing OCSP stapling, OpenSSL has you covered. Just run it like this:

$ openssl s_client -status -connect mail.startmail.com:443
CONNECTED(00000006)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = startmail.com
verify return:1
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Apr 26 13:21:00 2020 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 03D8BD08D6B2BDD5EDB614264A625DC613D0
    Cert Status: good
    This Update: Apr 26 13:00:00 2020 GMT
    Next Update: May  3 13:00:00 2020 GMT
[...]

And that’s it. You just need to add -status to get this output.
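
To turn that output into a pass/fail check for monitoring, here is an added example (not part of the original post). The function names, exit codes and the trimmed sample response are assumptions made for illustration; the sample is constructed from the fields shown above.

```shell
#!/bin/sh
# Added example: classify `openssl s_client -status` output read on stdin.
# Live use: openssl s_client -status -connect HOST:443 </dev/null 2>/dev/null | check_staple
# $1 (optional): "now" as UTC YYYYMMDDHHMMSS; defaults to the current time.
# Returns 0 = stapled, good and fresh; 1 = no staple; 2 = responder error;
#         3 = cert status not good;   4 = staple is past its Next Update.
check_staple() {
    now=${1:-$(date -u +%Y%m%d%H%M%S)}
    awk -v now="$now" '
        # "May  3 13:00:00 2020 GMT" -> "20200503130000" (sortable UTC key)
        function key(s,    f, t, m) {
            split(s, f, " "); split(f[3], t, ":")
            m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", f[1]) + 2) / 3
            return sprintf("%04d%02d%02d%02d%02d%02d", f[4], m, f[2], t[1], t[2], t[3])
        }
        /OCSP Response Status:/ { stapled = 1; ok = ($4 == "successful") }
        /Cert Status:/          { good = ($3 == "good") }
        /Next Update:/          { sub(/.*Next Update: */, ""); expiry = key($0) }
        END {
            if (!stapled) exit 1
            if (!ok)      exit 2
            if (!good)    exit 3
            if (expiry != "" && (expiry "") < (now "")) exit 4
            exit 0
        }'
}

# Constructed sample: the response from the post, trimmed to the fields checked.
sample_stapled() {
    cat <<'EOF'
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Apr 26 13:00:00 2020 GMT
    Next Update: May  3 13:00:00 2020 GMT
EOF
}

# One day after This Update the staple is valid; after Next Update it is stale.
sample_stapled | check_staple 20200427000000 && echo "staple OK"
sample_stapled | check_staple 20200504000000 || echo "rejected, code $?"
```

A server that does not staple makes s_client print "OCSP response: no response sent", which the function reports as exit code 1.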

