Tools for checking certificate revocation.

class certbot.ocsp.RevocationChecker(enforce_openssl_binary_usage=False)[source]

Bases: object

This class figures out OCSP checking on this system, and performs it.


Get revoked status for a particular cert version.


Make this a non-blocking call

Parameters:cert (storage.RenewableCert) – Certificate object
Returns:True if revoked; False if valid or the check failed or cert is expired.
Return type:bool

Extract the OCSP server host from a certificate.

Parameters:cert_path (str) – Path to the cert we’re checking OCSP for
Rtype tuple:
Returns:(OCSP server URL or None, OCSP server host or None)
certbot.ocsp._check_ocsp_response(response_ocsp, request_ocsp, issuer_cert, cert_path)[source]

Verify that the OCSP is valid for serveral criterias

certbot.ocsp._check_ocsp_response_signature(response_ocsp, issuer_cert, cert_path)[source]

Verify an OCSP response signature against certificate issuer or responder

certbot.ocsp._translate_ocsp_query(cert_path, ocsp_output, ocsp_errors)[source]

Parse openssl’s weird output to work out what it means.