Online Certificate Status Query (OCSP)

Online validation of certificate status

Online validation makes it possible to determine, online, the current status of any certificate issued by the Subordinate CA through the OCSP protocol, in accordance with the [RFC2560] standard, which avoids having to consult the latest CRL issued by the Subordinate CA.

OCSP service

The OCSP service processes the requests sent over HTTP by the applications and services that query, via OCSP, the revocation status of certificates issued by the Subordinate CA (for example, to verify signatures or to embed OCSP responses in signatures). It returns the corresponding OCSP responses, which contain the revocation status of the requested certificates, in accordance with the [RFC2560] standard.

OCSP service access URI

The HTTP URL for accessing the OCSP service is as follows:

http://ocsp1.uanataca.com/public/pki/ocsp/

http://ocsp2.uanataca.com/public/pki/ocsp/

OCSP validation with OpenSSL

The following example command, run with OpenSSL, shows how to validate a certificate from the command line:

openssl ocsp -issuer EclipsoftCASUB.cer -serial 0X8053ED40025B7D -url http://ocsp1.uanataca.com/public/pki/ocsp/ -text

Supply the serial number and the subordinate CA certificate to obtain a response similar to this one:

openssl ocsp -issuer EclipsoftCASUB.cer -serial 0X8053ED40025B7D -url http://ocsp1.uanataca.com/public/pki/ocsp/ -text  

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: CA5607581C8DDBB31323E331CFB4917641BCA886
          Issuer Key Hash: 2D71EFB0637FF5FDE08322447F441030814F4DE5
          Serial Number: 8053ED40025B7D
    Request Extensions:
        OCSP Nonce:
            0410483EE28F1CD6E48AC1BE3CA3DD2F62F9
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = ES, L = Barcelona (see current address at  www.uanataca.com/address), O = UANATACA S.A., OU = TSP-UANATACA, CN = OCSP de UANATACA - OCSP01
    Produced At: Jun 23 20:10:32 2022 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: CA5607581C8DDBB31323E331CFB4917641BCA886
      Issuer Key Hash: 2D71EFB0637FF5FDE08322447F441030814F4DE5
      Serial Number: 8053ED40025B7D
    Cert Status: revoked
    Revocation Time: Jan 31 08:24:21 2022 GMT
    This Update: Jun 23 19:50:32 2022 GMT
    Next Update: Jun 23 20:30:32 2022 GMT
        Response Single Extensions:
            OCSP Archive Cutoff:
                Dec  3 00:00:00 2009 GMT
    Response Extensions:
        OCSP Nonce:
            0410483EE28F1CD6E48AC1BE3CA3DD2F62F9
    Signature Algorithm: sha256WithRSAEncryption
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8492606829297758341 (0x75dbccea5d597085)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=ES, L=Barcelona (see current address at www.uanataca.com/address), O=UANATACA S.A., OU=TSP-UANATACA, CN=UANATACA CA1 2016/2.5.4.97=VATES-A66721499
        Validity
            Not Before: Mar  8 11:38:22 2021 GMT
            Not After : Mar  8 11:38:22 2023 GMT
        Subject: C=ES, L=Barcelona (see current address at  www.uanataca.com/address), O=UANATACA S.A., OU=TSP-UANATACA, CN=OCSP de UANATACA - OCSP01
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI:http://www.uanataca.com/public/download/tsp_certificates/trustedRoot.p7c
            X509v3 Subject Key Identifier:
                56:FE:BB:3A:DA:47:F7:5D:CE:BD:25:04:E6:97:18:24:A9:CD:9F:CA
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                keyid:2D:71:EF:B0:63:7F:F5:FD:E0:83:22:44:7F:44:10:30:81:4F:4D:E5
            OCSP No Check:
            qcStatements:
                0705.....F...+http://www.uanataca.com/public/pki/OCSP-DS/
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.47286.1.6
                  CPS:http://www.uanataca.com/public/pki/dpc/
                  User Notice:
                    Explicit Text: Certificado OCSP de UANATACA. Ver http://www.uanataca.com/public/pki/dpc/
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl1.uanataca.com/public/pki/crl/CA1subordinada.crl
                Full Name:
                  URI:http://crl2.uanataca.com/public/pki/crl/CA1subordinada.crl
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation
            X509v3 Extended Key Usage: critical
                OCSP Signing
            X509v3 Subject Alternative Name:
                email:info@uanataca.com
    Signature Algorithm: sha256WithRSAEncryption
Response Verify Failure
4470744748:error:27FFF065:OCSP routines:CRYPTO_internal:certificate verify error:/AppleInternal/Library/BuildRoots/66382bca-8bca-11ec-aade-6613bcf0e2ee/Library/Caches/com.apple.xbs/Sources/libressl/libressl-2.8/crypto/ocsp/ocsp_vfy.c:141:Verify error:unable to get local issuer certificate
0X8053ED40025B7D: revoked
    This Update: Jun 23 19:50:32 2022 GMT
    Next Update: Jun 23 20:30:32 2022 GMT
    Revocation Time: Jan 31 08:24:21 2022 GMT
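
The run above ends with "Response Verify Failure" (unable to get local issuer certificate), so the responder's signature was not checked against a trust anchor and the "revoked" line is unauthenticated, all the more since the query travels over plain HTTP. The shell function below is an added example, not part of the original page: it reads openssl ocsp output and reports a status only when the response verified. The file chain.pem and the three sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Typical use; chain.pem is a hypothetical bundle of the CA
# certificates needed to validate the responder's signature:
#   openssl ocsp -issuer EclipsoftCASUB.cer -serial 0X8053ED40025B7D \
#     -url http://ocsp1.uanataca.com/public/pki/ocsp/ -CAfile chain.pem 2>&1 |
#     ocsp_verdict 0X8053ED40025B7D

# Read `openssl ocsp` output on stdin and print a verdict for serial $1.
# Exit status: 0 = good, 1 = revoked, 2 = the answer must not be relied on.
ocsp_verdict() {
    serial=$1
    out=$(cat)
    # Fail closed unless the responder's signature verified.
    if ! printf '%s\n' "$out" | grep -q '^Response verify OK'; then
        echo "unverified"; return 2
    fi
    # Reject stale responses and nonce mismatches (possible replays).
    if printf '%s\n' "$out" |
        grep -q -e '^WARNING: Status times invalid' -e 'Nonce Verify error'; then
        echo "stale-or-replayed"; return 2
    fi
    # The status line has the form "<serial>: good|revoked|unknown".
    status=$(printf '%s\n' "$out" |
        awk -v s="$serial:" '$1 == s { print $2; exit }')
    case $status in
        good)    echo "good";    return 0 ;;
        revoked) echo "revoked"; return 1 ;;
        *)       echo "unknown"; return 2 ;;
    esac
}

# Constructed sample: tail of the run shown on this page (error line omitted).
SAMPLE_UNVERIFIED='Response Verify Failure
0X8053ED40025B7D: revoked
    This Update: Jun 23 19:50:32 2022 GMT
    Next Update: Jun 23 20:30:32 2022 GMT'

# Constructed sample: the same answer after a successful signature check.
SAMPLE_VERIFIED='Response verify OK
0X8053ED40025B7D: revoked
    Revocation Time: Jan 31 08:24:21 2022 GMT'

# Constructed sample: signature verified, but the status times are out of range.
SAMPLE_STALE='Response verify OK
WARNING: Status times invalid.
0X8053ED40025B7D: revoked'

printf '%s\n' "$SAMPLE_UNVERIFIED" | ocsp_verdict 0X8053ED40025B7D || true
```

The 2>&1 in the usage comment matters because openssl writes the verification result to standard error, separately from the status line.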