LinuxQuestions.org


dslehman 06-13-2008 03:47 PM

Detecting Revoked SSL Certificate
 
I am presently using the application ssl-cert-check (http://prefetch.net/articles/checkcertificate.html) to detect if any of my Apache SSL certificates are expired. I have it set up as a cron job to check the SSL certificates on a list of web sites.

This script will only let me know if my certificate is expired. I am now looking for a script that will take in a list of web sites and inform me if any of their SSL certificates have been revoked. Newer browsers (Firefox 3.x and IE 7.x) check web site SSL certificates to see whether or not they have been revoked before they start to load the site.

I work in a large organization where someone else manages the SSL certificates that I use. They have accidentally revoked some of my certificates in the past and have caused issues with users who have newer browsers. Hence, proactively checking my SSL certificates to see if they have been revoked is important to me.

Please let me know if you know of a way to do this.

Thanks very much!

pinniped 06-15-2008 01:59 AM

Update your certificate revocation list regularly from the public CAs and any other CAs you may use. You probably want a single machine to do this, and all your other computers can update from that machine. Hmm ... perhaps the SSL/TLS libraries need an option to check for revocation from the CA before proceeding. At the moment I am only aware of checking against a local revocation list.

visecfind 11-05-2010 02:31 PM

An SSL diagnostic tool
 
dslehman, a tool that may help with monitoring SSL certificates is a web-based one that I use for certs but also monitoring sites in general. Basically it's a diagnostic http/https tool with alert capability to monitor SSL certificates, expiration dates, etc. It's free so may be worth checking out - virtualsecrets.com/siteBotAuditor.html

fpmurphy 11-08-2010 07:14 PM

You can also use the openssl verify command in a shell script to check if certificates have expired and lots more.
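
The check asked for at the top of the thread (take a list of sites, report any revoked certificate) can be scripted with the openssl command line. The script below is an added example, not code from any poster in this thread: it queries each certificate's OCSP responder rather than a local revocation list, assumes OpenSSL 3.x, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Assumes OpenSSL 3.x on PATH.
# classify_ocsp, check_host and main are hypothetical names.
# Reduce the text printed by `openssl ocsp` to one status word. Anything
# without an explicit answer is "error", so a silent or failing responder
# is never reported as good; "revoked" wins over any other answer.
classify_ocsp() {
    awk '/: revoked$/ { s = "revoked" }
         /: good$/    { if (s == "") s = "good" }
         /: unknown$/ { if (s == "") s = "unknown" }
         END          { if (s == "") s = "error"; print s }'
}

# Print "<host> <status>"; return 0 only for a verified "good" answer.
check_host() {
    local host="$1" port="${2:-443}" tmp url="" out rc status
    tmp=$(mktemp -d) || return 2
    # Save each certificate the server presents: cert1 = leaf, cert2 = issuer.
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null |
      awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++; w = 1 }
                       w { print > (d "/cert" n ".pem") }
                       /-----END CERTIFICATE-----/ { w = 0 }'
    if [ -s "$tmp/cert2.pem" ]; then
        url=$(openssl x509 -noout -ocsp_uri -in "$tmp/cert1.pem")
    fi
    if [ -z "$url" ]; then
        status="error"      # no chain received, or no OCSP URL in the leaf
    else
        out=$(openssl ocsp -issuer "$tmp/cert2.pem" -cert "$tmp/cert1.pem" \
                  -url "$url" 2>/dev/null) && rc=0 || rc=$?
        status=$(printf '%s\n' "$out" | classify_ocsp)
        # A non-zero exit (e.g. response signature not verified) voids "good".
        [ "$rc" -eq 0 ] || [ "$status" != good ] || status="error"
    fi
    rm -rf "$tmp"
    echo "$host $status"
    [ "$status" = good ]
}

# Usage: script.sh hosts.txt   (one hostname per line)
main() {
    local host rc=0
    while read -r host; do
        [ -z "$host" ] || check_host "$host" || rc=1
    done < "$1"
    return "$rc"
}
[ "$#" -eq 0 ] || main "$@"
```

Run from cron, the non-zero exit status when any host is not "good" can drive the alert; "error" and "unknown" need a person to look, since they mean the responder gave no usable answer.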


All times are GMT -5.