certbot.ocsp

Tools for checking certificate revocation.

class certbot.ocsp.RevocationChecker(enforce_openssl_binary_usage=False)[source]

Bases: object

This class figures out OCSP checking on this system, and performs it.

ocsp_revoked(cert_path, chain_path)[source]

Get revoked status for a particular cert version.

Todo

Make this a non-blocking call

Parameters:
  • cert_path (str) – Path to certificate
  • chain_path (str) – Path to intermediate cert
Returns:

True if revoked; False if valid or the check failed

Return type:

bool

certbot.ocsp._determine_ocsp_server(cert_path)[source]

Extract the OCSP server host from a certificate.

Parameters:
  • cert_path (str) – Path to the cert we’re checking OCSP for
Returns:

(OCSP server URL or None, OCSP server host or None)

Return type:

tuple

certbot.ocsp._check_ocsp_response(response_ocsp, request_ocsp, issuer_cert)[source]

Verify that the OCSP response is valid against several criteria

certbot.ocsp._check_ocsp_response_signature(response_ocsp, issuer_cert)[source]

Verify an OCSP response signature against certificate issuer

certbot.ocsp._translate_ocsp_query(cert_path, ocsp_output, ocsp_errors)[source]

Parse openssl’s weird output to work out what it means.
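
An added example, not certbot's own code: a stand-alone parser in the spirit of `_translate_ocsp_query` that classifies `openssl ocsp` output and then collapses it to the boolean documented for `ocsp_revoked`, showing that a failed or unverifiable check is indistinguishable from a valid certificate. The `OcspStatus` enum, the function names and the sample outputs are constructed for illustration, and mapping an `unknown` status to False is an assumption.

```python
import re
from enum import Enum


class OcspStatus(Enum):          # hypothetical type, not part of certbot
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"          # responder does not know the certificate
    CHECK_FAILED = "failed"      # response unverifiable, missing or unparseable


def classify_openssl_ocsp(cert_path, stdout, stderr):
    """Classify the output of an `openssl ocsp` query for cert_path."""
    # openssl reports signature verification on stderr; without a verified
    # response, the status line on stdout must not be trusted.
    if "Response verify OK" not in stderr:
        return OcspStatus.CHECK_FAILED
    # The status line has the form "<cert_path>: good|revoked|unknown".
    pattern = r"^" + re.escape(cert_path) + r": (good|revoked|unknown)[ \t]*$"
    match = re.search(pattern, stdout, re.MULTILINE)
    if match is None:
        return OcspStatus.CHECK_FAILED
    return OcspStatus(match.group(1))


def revoked_as_documented(status):
    """Collapse to the documented bool: True if revoked, False otherwise.

    Assumption: UNKNOWN is treated like a failed check and yields False.
    """
    return status is OcspStatus.REVOKED


# Constructed (stdout, stderr) pairs; not captured from a real responder.
SAMPLES = {
    "good": ("cert.pem: good\n\tThis Update: Jan  1 00:00:00 2024 GMT\n",
             "Response verify OK\n"),
    "revoked": ("cert.pem: revoked\n\tReason: keyCompromise\n",
                "Response verify OK\n"),
    "unverified": ("cert.pem: revoked\n", "Response Verify Failure\n"),
    "no_response": ("", "Error querying OCSP responder\n"),
}

if __name__ == "__main__":
    for name, (out, err) in SAMPLES.items():
        status = classify_openssl_ocsp("cert.pem", out, err)
        print(f"{name:12} {status.name:13} revoked={revoked_as_documented(status)}")
```

A caller that needs fail-closed behaviour has to act on the intermediate status, because the boolean alone reports `unverified` and `no_response` the same way as `good`.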