Re: Test site for certificate revocation?
@Colin, I can do that. That may be one of the better options.

Thanks all.

Charles

On Wed, 20 Sep 2023 08:22:22 +0100, Colin Paice wrote:

>You could try openssl s_server
>I use this script on Linux
>
>cert=" -cert ./docec384.pem -certform pem -key docec384.key.pem -keyform pem"
>CA="-chainCAfile ./docca256.pem"
>debug="-trace "
>port="-port 4433 "
>openssl s_server $port $cert $CA $debug -www

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Test site for certificate revocation?
You could try openssl s_server
I use this script on Linux

cert=" -cert ./docec384.pem -certform pem -key docec384.key.pem -keyform pem"
CA="-chainCAfile ./docca256.pem"
debug="-trace "
port="-port 4433 "
openssl s_server $port $cert $CA $debug -www

and a web browser to https://127.0.0.1:4433

You'll have to use your own certificates and specify the ip address.
If you need more help, please contact me offline and I'll send you my test certificates and instructions

Colin

On Wed, 20 Sept 2023 at 01:57, Charles Mills wrote:

> Yes, that should work. However I don't have an appropriate test server.
>
> Yes, I could set one up ...
>
> Charles
>
> On Wed, 20 Sep 2023 10:36:30 +1000, Andrew Rowley <and...@blackhillsoftware.com> wrote:
>
> >On 20/09/2023 8:37 am, Charles Mills wrote:
> >> Does anyone know of a server URL that will present a revoked certificate (for my testing purposes)?
> >
> >Can you create a certificate for your own test site with Let's Encrypt,
> >then revoke it?
Re: Test site for certificate revocation?
Yes, that should work. However I don't have an appropriate test server.

Yes, I could set one up ...

Charles

On Wed, 20 Sep 2023 10:36:30 +1000, Andrew Rowley wrote:

>On 20/09/2023 8:37 am, Charles Mills wrote:
>> Does anyone know of a server URL that will present a revoked certificate
>> (for my testing purposes)?
>
>Can you create a certificate for your own test site with Let's Encrypt,
>then revoke it?
Re: Test site for certificate revocation?
On 20/09/2023 8:37 am, Charles Mills wrote:

> Does anyone know of a server URL that will present a revoked certificate (for my testing purposes)?

Can you create a certificate for your own test site with Let's Encrypt, then revoke it?

--
Andrew Rowley
Black Hill Software
Re: Test site for certificate revocation?
I'll email...

On 9/19/2023 5:23 PM, Charles Mills wrote:

> Ditto -- my client is running on z/OS, Darren! System SSL and RACF!
>
> Seriously, if you have revoked the certificate used by a Web server then a conforming browser should refuse to connect, or at least complain loudly. Can you give me the URL and port? Off-list if you prefer. I will let you know what I see.
>
> Charles
>
> On Tue, 19 Sep 2023 17:12:04 -0700, Tom Brennan wrote:
>
>> So I just went to zerossl.com (what I use) and issued a revoke for a cert. Zerossl's web site marks it as revoked. Of course that doesn't affect the use of that cert on the web site, so I basically don't understand what the use of "revoked" might be. If zerossl DID mark the actual certificate file/key, I'll never know because there's no option to download once revoked.
>>
>> And just so Darren doesn't banish me, these are certs running on an x86 Linux box under my desk, but I'm thinking of moving them to a new z16.
Re: Test site for certificate revocation?
Ditto -- my client is running on z/OS, Darren! System SSL and RACF!

Seriously, if you have revoked the certificate used by a Web server then a conforming browser should refuse to connect, or at least complain loudly. Can you give me the URL and port? Off-list if you prefer. I will let you know what I see.

Charles

On Tue, 19 Sep 2023 17:12:04 -0700, Tom Brennan wrote:

>So I just went to zerossl.com (what I use) and issued a revoke for a
>cert. Zerossl's web site marks it as revoked. Of course that doesn't
>affect the use of that cert on the web site, so I basically don't
>understand what the use of "revoked" might be. If zerossl DID mark the
>actual certificate file/key, I'll never know because there's no option
>to download once revoked.
>
>And just so Darren doesn't banish me, these are certs running on an x86
>Linux box under my desk, but I'm thinking of moving them to a new z16.
Re: Test site for certificate revocation?
I have at least one expired cert on a web site I can use for testing, but that doesn't seem to be what you want. You want something specifically marked as revoked, right?

So I just went to zerossl.com (what I use) and issued a revoke for a cert. Zerossl's web site marks it as revoked. Of course that doesn't affect the use of that cert on the web site, so I basically don't understand what the use of "revoked" might be. If zerossl DID mark the actual certificate file/key, I'll never know because there's no option to download once revoked.

And just so Darren doesn't banish me, these are certs running on an x86 Linux box under my desk, but I'm thinking of moving them to a new z16. It will have to be the new AGZ rack-mount in order to fit under my desk.

On 9/19/2023 3:37 PM, Charles Mills wrote:

> Does anyone know of a server URL that will present a revoked certificate (for my testing purposes)?
>
> There are several that a Google search turns up but
> - https://revoked.badssl.com/ is expired and expired certificates are never revoked
> - https://www.digicert.com/kb/digicert-root-certificates.htm has a bunch of revoked test URLs but my client fails on the SNI name, not on revocation. I guess I could add an option to make SNI optional but I would rather not do that.
>
> Does anyone have another test site? You should be able to test it with any browser (assuming it is an https site). If you try to open the URL in your browser you should get a "revoked" error.
>
> Thanks!
>
> Charles
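Added example, not part of the thread and not any poster's own code: a throwaway local CA for the openssl s_server approach in Colin Paice's reply. It also shows the behaviour Tom Brennan describes above: revoking changes the CA's records and its CRL, not the certificate file, so only a client that checks the CRL rejects the certificate. The CA name, file names, 30-day and 7-day lifetimes and the function names are assumptions made for this example.

```shell
# Constructed lab: every name, subject, lifetime and path here is made up for this example.
make_revoked_lab() (   # subshell body: the caller's working directory is untouched
    mkdir -p "$1" && cd "$1" || exit 1
    : > index.txt; echo 1000 > serial
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = lab_ca
[ lab_ca ]
database = ./index.txt
serial = ./serial
new_certs_dir = .
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
x509_extensions = leaf
[ pol ]
commonName = supplied
[ leaf ]
subjectAltName = DNS:localhost,IP:127.0.0.1
EOF
    ca="openssl ca -batch -config ca.cnf -cert ca.pem -keyfile ca.key"
    {
        openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=Lab Test CA" -keyout ca.key -out ca.pem &&
        openssl req -config ca.cnf -newkey rsa:2048 -nodes \
            -subj "/CN=localhost" -keyout server.key -out server.csr &&
        $ca -notext -in server.csr -out server.pem &&  # issue the server certificate
        $ca -revoke server.pem &&                      # record it as revoked (R) in index.txt
        $ca -gencrl -out ca.crl                        # publish the revocation in a signed CRL
    } > lab.log 2>&1
)
# Chain building only: the revoked certificate still verifies.
verify_chain_only() { openssl verify -CAfile "$1/ca.pem" "$1/server.pem" >/dev/null 2>&1; }
# Chain building plus CRL lookup: the same certificate file is now rejected.
verify_with_crl() {
    openssl verify -crl_check -CAfile "$1/ca.pem" -CRLfile "$1/ca.crl" \
        "$1/server.pem" >/dev/null 2>&1
}
# Present the revoked certificate to the client under test on port 4433.
serve_revoked() { openssl s_server -port 4433 -cert "$1/server.pem" -key "$1/server.key" -www; }
```

The issued certificate carries no CRL distribution point or OCSP URL, so the client under test has to be given ca.crl (and ca.pem as its trust anchor) directly.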
Test site for certificate revocation?
Does anyone know of a server URL that will present a revoked certificate (for my testing purposes)?

There are several that a Google search turns up but
- https://revoked.badssl.com/ is expired and expired certificates are never revoked
- https://www.digicert.com/kb/digicert-root-certificates.htm has a bunch of revoked test URLs but my client fails on the SNI name, not on revocation. I guess I could add an option to make SNI optional but I would rather not do that.

Does anyone have another test site? You should be able to test it with any browser (assuming it is an https site). If you try to open the URL in your browser you should get a "revoked" error.

Thanks!

Charles