OCSP - FNMT Testing

FNMT

Certificate Autority: https://www.sede.fnmt.gob.es/descargas/certificados-raiz-de-la-fnmt

In this case I just need the following CA: Certificados AC Raíz de la FNMT

• AC Raíz FNMT-RCM
• AC FNMT Usuarios
• AC Representación
• AC Administración Pública
• AC Componentes Informáticos

OCSP service

There are three OCSP services (not for Componentes Informáticos):

• AC Usuarios: http://ocspusu.cert.fnmt.es/ocspusu/OcspResponder
• AC Representación: http://ocsprep.cert.fnmt.es/ocsprep/OcspResponder
• AC Administración Pública: http://ocspap.cert.fnmt.es/ocspap/OcspResponder 
• AC Componentes Informáticos: http://ocspcomp.cert.fnmt.es/ocsp/OcspResponder

Service Testing

Test certificate kit from Junta de Andalucía: https://ws024.juntadeandalucia.es/ae/newsletter/actualizaciondelkitdecertificadosdepruebaalaversion912

Install openssl:

# yum install libtool perl-core zlib-devel

Params:

• ocsp
• issuer. Testing certificate's CA in PEM format
• seriel. Testing certificate's serial number
• CAfile: issuer's CA in PEM format (the CA of the CA of the certificate :))
• url: OSCP url

# openssl ocsp -issuer AC_FNMT_Usuarios.pem -serial 0x1b38186910f9667c5821ca627f360420 -url http://ocspusu.cert.fnmt.es/ocspusu/OcspResponder -CAfile AC_Raiz_FNMT-RCM_SHA256.pem
Response verify OK
0x1b38186910f9667c5821ca627f360420: revoked
        This Update: Jun 29 11:15:50 2019 GMT
        Next Update: Jun 29 12:15:50 2019 GMT
        Reason: cessationOfOperation
        Revocation Time: Nov  8 12:53:48 2016 GMT

# openssl ocsp -issuer AC_Administracion_Publica_SHA256.pem -serial 0x433d6899af0072375829d42560d7e733 -url http://ocspap.cert.fnmt.es/ocspap/OcspResponder  -CAfile AC_Raiz_FNMT-RCM_SHA256.pem
Response verify OK
0x433d6899af0072375829d42560d7e733: good
        This Update: Jun 29 11:21:23 2019 GMT
        Next Update: Jun 29 12:21:23 2019 GMT

Note: Here you can check OCSP service status of Camerfirma: https://www.camerfirma.com/ayuda/servicios/