Following the Heartbleed vulnerability disclosure, CAs revoked and reissued millions of certificates. If you've replaced your certificates but still have the old .crt files, you'll want to verify their revocation status to ensure security.
For certificates where you only have the .crt file, use OpenSSL to check both CRL and OCSP:
```shell
openssl x509 -in old_certificate.crt -noout -serial
```
This extracts the serial number needed for verification. Then check against CRL:
```shell
# CRLs served by most CAs are DER-encoded; add -inform DER in that case.
# SERIAL_NUMBER is the hex string printed after "serial=" by the command above.
openssl crl -in CA_CRL.crl -noout -text | grep SERIAL_NUMBER
```
For real-time verification without downloading CRLs:
```shell
openssl ocsp -issuer intermediate.pem -cert old_certificate.crt \
    -text -url http://ocsp.example.com
```
Here's a Python script using cryptography.io to check revocation:
```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.x509 import ocsp

with open("old_certificate.crt", "rb") as f:
    cert = x509.load_pem_x509_certificate(f.read())
with open("intermediate.pem", "rb") as f:
    issuer = x509.load_pem_x509_certificate(f.read())

# Build the OCSP request. The second argument must be the *issuer*
# certificate (not the certificate itself), and SHA-1 is the CertID hash
# that responders are expected to support.
builder = ocsp.OCSPRequestBuilder()
builder = builder.add_certificate(cert, issuer, hashes.SHA1())
request = builder.build()
der_request = request.public_bytes(serialization.Encoding.DER)
# Send der_request to the OCSP responder (HTTP POST, Content-Type: application/ocsp-request)...
```
If your old certificates don't appear revoked:
- Contact your CA's support with the certificate serial
- Provide proof of reissuance if required
- Request explicit revocation with reason code "keyCompromise"
For server farms, consider these approaches:
- CRL polling with cron jobs
- OCSP stapling configuration
- Certificate transparency log monitoring
Following the Heartbleed vulnerability disclosure, CAs revoked and reissued millions of certificates. The critical operational question becomes: how can developers verify if their old certificates properly appear in revocation lists? Let's examine technical methods to validate this.
For servers where you still have configuration access:
```shell
# </dev/null closes s_client's stdin so the command returns instead of waiting for input.
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | \
    openssl x509 -noout -text | grep -A 1 "CRL Distribution Points"
```
This reveals the CRL distribution URL. To fetch and parse the CRL:
```shell
curl [CRL_URL] | openssl crl -inform DER -noout -text | grep "Serial Number: [YOUR_CERT_SERIAL]"
```
When you only have certificate files (.crt):
```shell
# OpenSSL 1.1.0 and later take -header as name=value; 1.0.x took two
# arguments (-header "Host" "ocsp.example.com").
openssl ocsp -issuer issuer.crt -cert old_cert.crt \
    -text -url http://ocsp.example.com -header Host=ocsp.example.com
```
Sample response interpretation:
```
Response verify OK
old_cert.crt: revoked
        This Update: Jun 15 12:00:00 2024 GMT
        Revocation Time: May 1 09:30:00 2024 GMT
```
For monitoring multiple certificates programmatically:
```python
from cryptography import x509
from cryptography.x509.oid import AuthorityInformationAccessOID


def check_revocation(cert_path):
    with open(cert_path, "rb") as f:
        cert = x509.load_pem_x509_certificate(f.read())
    # CRL distribution points are absent on many certificates, so guard the lookup.
    try:
        crl_dp = cert.extensions.get_extension_for_class(
            x509.CRLDistributionPoints).value
        crl_urls = [name.value for dp in crl_dp if dp.full_name
                    for name in dp.full_name]
        print(f"CRL URLs: {crl_urls}")
    except x509.ExtensionNotFound:
        print("No CRL distribution point extension found")
    # OCSP responder URLs live in the Authority Information Access extension.
    try:
        aia = cert.extensions.get_extension_for_class(
            x509.AuthorityInformationAccess).value
        ocsp_urls = [d.access_location.value for d in aia
                     if d.access_method == AuthorityInformationAccessOID.OCSP]
        print(f"OCSP URLs: {ocsp_urls}")
    except x509.ExtensionNotFound:
        print("No OCSP extension found")
```
If your old certificates don't appear in revocation lists:
- Contact your CA's support with certificate serial numbers
- Provide the certificate fingerprints (SHA-1 and SHA-256)
- Reference the Heartbleed vulnerability timeline
- Request explicit revocation via their ticketing system
Check certificate status in public CT logs:
https://crt.sh/?serial=[YOUR_CERT_SERIAL_HEX]
https://transparencyreport.google.com/https/certificates
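The following script is an added, self-contained example and is not code from either answer above. It does in Python what the openssl one-liners in both answers do by hand (serial extraction, CRL lookup, OCSP request and response interpretation), and goes one step further: instead of grepping text output it parses the CRL, checks the CRL's signature and issuer, looks the serial up, then verifies the OCSP responder's signature before reading status, revocation time and reason. To run offline it builds its own throwaway CA, one certificate revoked for keyCompromise and one still valid, plus a CRL and an OCSP response; every key, name, serial and timestamp is constructed, and `answer_ocsp` stands in for the CA's real responder.

```python
# Added example: offline CRL and OCSP revocation checks with the cryptography library.
# All keys, names, serials and timestamps are constructed test data, not real CA material.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc
NOW = datetime.datetime(2024, 6, 15, 12, 0, 0, tzinfo=UTC)        # constructed clock
REVOKED_AT = datetime.datetime(2024, 5, 1, 9, 30, 0, tzinfo=UTC)  # constructed revocation time

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _issue(cn, issuer_name, key, signer_key, serial, is_ca=False):
    return (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(issuer_name)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW - datetime.timedelta(days=400))
            .not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))

def make_test_pki():
    """Throwaway CA plus one leaf that gets revoked and one that stays valid."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_cert = _issue("Test CA", _name("Test CA"), ca_key, ca_key, 1, is_ca=True)
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    old_cert = _issue("old.example.com", ca_cert.subject, leaf_key, ca_key, 0x0A1B2C)
    new_cert = _issue("new.example.com", ca_cert.subject, leaf_key, ca_key, 0x0D3E4F)
    return ca_key, ca_cert, old_cert, new_cert

def serial_hex(cert):
    """Serial as `openssl x509 -noout -serial` prints it: upper-case hex, even length."""
    h = format(cert.serial_number, "X")
    return h if len(h) % 2 == 0 else "0" + h

def build_crl(ca_key, ca_cert, revoked_cert):
    """CA-signed CRL with a single entry, reason code keyCompromise."""
    entry = (x509.RevokedCertificateBuilder().serial_number(revoked_cert.serial_number)
             .revocation_date(REVOKED_AT)
             .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False).build())
    return (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject).last_update(NOW)
            .next_update(NOW + datetime.timedelta(days=7)).add_revoked_certificate(entry)
            .sign(ca_key, hashes.SHA256()))

def crl_status(crl_der, ca_cert, cert):
    """Parse the CRL, verify signature and issuer, then look the serial up (no text grep)."""
    crl = x509.load_der_x509_crl(crl_der)
    if not crl.is_signature_valid(ca_cert.public_key()) or crl.issuer != cert.issuer:
        return "untrusted-crl"
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    if entry is None:
        return "good"
    reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    return f"revoked ({reason.name})"

def build_ocsp_request(cert, issuer):
    # The second argument is the *issuer* certificate; SHA-1 CertIDs are what responders expect.
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1()).build()
    return req.public_bytes(serialization.Encoding.DER)

def answer_ocsp(request_der, ca_key, ca_cert, issued, revoked_serials):
    """Stand-in for the CA's responder: REVOKED/keyCompromise for listed serials, GOOD otherwise."""
    req = ocsp.load_der_ocsp_request(request_der)
    revoked = req.serial_number in revoked_serials
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=issued[req.serial_number], issuer=ca_cert, algorithm=hashes.SHA1(),
                          cert_status=ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD,
                          this_update=NOW, next_update=NOW + datetime.timedelta(days=1),
                          revocation_time=REVOKED_AT if revoked else None,
                          revocation_reason=x509.ReasonFlags.key_compromise if revoked else None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert).sign(ca_key, hashes.SHA256()))
    return resp.public_bytes(serialization.Encoding.DER)

def ocsp_status(response_der, ca_cert):
    """Interpret a response the way `openssl ocsp -text` reports it."""
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return {"status": "responder error: " + resp.response_status.name}
    # "Response verify OK": check the signature under the CA key before trusting the status.
    ca_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                padding.PKCS1v15(), resp.signature_hash_algorithm)
    result = {"status": resp.certificate_status.name.lower()}
    if resp.certificate_status == ocsp.OCSPCertStatus.REVOKED:
        rev = getattr(resp, "revocation_time_utc", None) or resp.revocation_time  # newer/older API
        result["revocation_time"] = rev.strftime("%b %d %H:%M:%S %Y GMT")
        result["reason"] = resp.revocation_reason.name if resp.revocation_reason else None
    return result

def run_checks():
    """Run both certificates through the CRL path and the OCSP path."""
    ca_key, ca_cert, old_cert, new_cert = make_test_pki()
    crl_der = build_crl(ca_key, ca_cert, old_cert).public_bytes(serialization.Encoding.DER)
    issued = {c.serial_number: c for c in (old_cert, new_cert)}
    results = {}
    for label, cert in (("old", old_cert), ("new", new_cert)):
        resp_der = answer_ocsp(build_ocsp_request(cert, ca_cert), ca_key, ca_cert,
                               issued, {old_cert.serial_number})
        results[label] = {"serial": serial_hex(cert), "crl": crl_status(crl_der, ca_cert, cert),
                          "ocsp": ocsp_status(resp_der, ca_cert)}
    return results
```

Calling `run_checks()` returns a dict keyed by `old` and `new`; the old certificate comes back `revoked (key_compromise)` from the CRL and `revoked` with reason `key_compromise` and the constructed revocation time from OCSP, the new one comes back `good` on both paths. Against a real CA, `crl_der` would be the bytes fetched from the CRL distribution point and `response_der` the body returned by the responder listed in the certificate's AIA extension; the signature checks are what make the difference between a status you can act on and one you merely grepped for.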