`certbot.ocsp`¶

Tools for checking certificate revocation.

class certbot.ocsp.RevocationChecker(enforce_openssl_binary_usage=False)[source]¶

Bases: object

This class figures out OCSP checking on this system, and performs it.

ocsp_revoked(cert_path, chain_path)[source]¶

Get revoked status for a particular cert version.

Todo

Make this a non-blocking call

Parameters:	cert_path (str) – Path to certificate chain_path (str) – Path to intermediate cert
Returns:	True if revoked; False if valid or the check failed
Return type:	bool

certbot.ocsp._determine_ocsp_server(cert_path)[source]¶

Extract the OCSP server host from a certificate.

Parameters:	cert_path (str) – Path to the cert we’re checking OCSP for
Rtype tuple:
Returns:	(OCSP server URL or None, OCSP server host or None)

certbot.ocsp._check_ocsp_response(response_ocsp, request_ocsp, issuer_cert, cert_path)[source]¶: Verify that the OCSP is valid for serveral criterias

certbot.ocsp._check_ocsp_response_signature(response_ocsp, issuer_cert, cert_path)[source]¶: Verify an OCSP response signature against certificate issuer or responder

certbot.ocsp._translate_ocsp_query(cert_path, ocsp_output, ocsp_errors)[source]¶: Parse openssl’s weird output to work out what it means.

certbot.ocsp¶