Can SSL even be trusted or am I just completely misunderstanding?
This is now the second time within probably six months I have checked on a website certificate because an end user is getting an SSL revocation block from our antivirus software. I am running into the same frustration as I did the first time I had this happen. I checked various SSL checkers and some are saying the SSL is revoked and others are saying it's fine.
I go to the source of the certificate in question (Sectigo) in this case https://www.sectigostore.com/ssl-tools/ssl-checker.php and it shows the URL I am checking on in this case is just fine: https://kern.facilitysoft.org.
All the Chromium based browsers show that it's fine. Firefox seems to know better. Same as the first time I did this. Firefox was the browser that reliably told me the certificate was revoked.
Thanks to GPT I was able to use openssl on the cli in both cases to check the source for the revocation status. And sure enough, Sectigo's OCSP is telling me it was revoked on the 3rd.
I reached out to Sectigo support (I am not even a customer) and they sent me to another site https://www.sslshopper.com/ssl-checker.html?hostname=+kern.facilitysoft.org+ as proof that it was good.
Here is another checker that confirms it's revoked: https://www.ssllabs.com/ssltest/analyze.html?d=kern.facilitysoft.org&latest.
I also ran the following commands to verify myself direct from the source:
wget http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
openssl x509 -inform DER -in SectigoRSADomainValidationSecureServerCA.crt -out issuer_cert.pem -outform PEM
I exported the certificate chain to the Base64 PEM chain file from the browser.
openssl ocsp -issuer issuer_cert.pem -cert kern.facilitysoft.org.pem -url http://ocsp.sectigo.com
WARNING: no nonce in response
Response verify OK
kern.facilitysoft.org.pem: revoked
    This Update: Dec 8 00:29:44 2024 GMT
    Next Update: Dec 15 00:29:43 2024 GMT
    Revocation Time: Dec 3 22:18:42 2024 GMT
Sure enough it gives me the exact date and time the certificate was revoked.
I followed the same steps for a sister site they have as a sanity check. I had to also export the certificate as a Base64 PEM chain file first just like on the other site above.
openssl ocsp -issuer issuer_cert.pem -cert losrios.facilitysoft.org.pem -url http://ocsp.sectigo.com
WARNING: no nonce in response
Response verify OK
losrios.facilitysoft.org.pem: good
    This Update: Dec 8 12:09:55 2024 GMT
    Next Update: Dec 15 12:09:54 2024 GMT
And sure enough, no revocation on the sanity check site.
This is just like the first time I ran across this. Luckily in the first case I was able to find out how to contact the IT for the site and after arguing with them they submitted a ticket and fixed it about 24 hours later once I was able to prove they were using a revoked certificate.
In this case I cannot figure out how to contact them. I could ask my end user if they have more information, but I am almost certain that won't fly in this case. I am probably just going to make an exception in our AV policy for this site.
Am I completely misunderstanding the situation or do I have legitimate reason to question the validity of the whole SSL structure in the first place? This doesn't make sense to me. It seems to void the whole purpose in my mind and shows me it cannot be trusted.
The certificate was revoked. How can I trust this whole SSL system if this is the second time I am running into this issue from a different issuer and getting unreliable results?
I am asking because I really want to know if I am missing something here.
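The manual steps in the post (pull the served chain, obtain the issuer certificate, read the OCSP responder address, query it with `openssl ocsp`) can be scripted so the check is repeatable and so a verify failure is never mistaken for a "good" answer. The script below is an added example written for this thread, not code from the poster or from any of the checker sites mentioned; it assumes a POSIX shell with OpenSSL 1.1.1 or 3.x, that the server sends its issuer certificate in the handshake (when it does not, the poster's `wget` of the CA certificate is the fallback), and that the OCSP URI comes from the leaf certificate's Authority Information Access extension via `openssl x509 -ocsp_uri`. The sample responder output embedded in the script is constructed, shaped like the output quoted in the post, so the classifier can be exercised without network access. The reason the browsers disagreed is worth keeping in mind when reading results: Chromium does not perform live OCSP lookups by default and relies on its own CRLSet pushes, so a revoked leaf that is not in the CRLSet still shows as valid there, while Firefox queries OCSP and reports the revocation.

```shell
#!/bin/sh
# Added example for this thread (not the poster's code): check a host's leaf
# certificate against its issuer's OCSP responder and classify the answer.
# Assumptions: POSIX sh, openssl 1.1.1+ or 3.x on PATH, server sends its chain.
set -eu

# Classify the text that `openssl ocsp` prints (read from stdin).
# Prints exactly one word: good, revoked, unknown, or error.
# A status line is only trusted when the response signature verified;
# "Response Verify Failure" or a missing status line yields "error".
ocsp_status() {
    awk '
        /Response verify OK/      { verified = 1 }
        /Response Verify Failure/ { failed = 1 }
        /^[^[:space:]]+: (good|revoked|unknown)$/ { status = $2 }
        END {
            if (failed || !verified || status == "") { print "error"; exit }
            print status
        }'
}

# Extract the "Revocation Time:" value from the same text (empty if none).
ocsp_revocation_time() {
    sed -n 's/^[[:space:]]*Revocation Time: //p'
}

# Fetch the served chain, split it into leaf (cert1) and issuer (cert2),
# find the responder URL in the leaf's AIA extension and query it.
# Prints the status word; the full responder output is kept in $workdir/ocsp.txt.
check_host() {
    host=$1
    port=${2:-443}
    workdir=$(mktemp -d)
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null \
      | awk -v dir="$workdir" '
          /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
          out != ""                     { print > out }
          /-----END CERTIFICATE-----/   { close(out); out = "" }'
    leaf=$workdir/cert1.pem
    issuer=$workdir/cert2.pem
    if [ ! -s "$issuer" ]; then
        echo "error: server did not send its issuer certificate (fetch it from the CA instead)" >&2
        return 1
    fi
    ocsp_url=$(openssl x509 -in "$leaf" -noout -ocsp_uri)
    if [ -z "$ocsp_url" ]; then
        echo "error: leaf certificate carries no OCSP URI" >&2
        return 1
    fi
    # Same invocation as in the post; stderr carries the nonce warning.
    openssl ocsp -issuer "$issuer" -cert "$leaf" -url "$ocsp_url" \
        >"$workdir/ocsp.txt" 2>&1 || true
    status=$(ocsp_status <"$workdir/ocsp.txt")
    echo "$host: $status"
    if [ "$status" = revoked ]; then
        echo "  revoked at: $(ocsp_revocation_time <"$workdir/ocsp.txt")"
    fi
    echo "$status"
}

# Constructed sample responder output, shaped like the revoked answer quoted
# in the thread, used here so the classifier can be tried offline.
SAMPLE_REVOKED='WARNING: no nonce in response
Response verify OK
example.pem: revoked
    This Update: Dec 8 00:29:44 2024 GMT
    Next Update: Dec 15 00:29:43 2024 GMT
    Revocation Time: Dec 3 22:18:42 2024 GMT'

# Constructed sample of a clean answer.
SAMPLE_GOOD='WARNING: no nonce in response
Response verify OK
example.pem: good
    This Update: Dec 8 12:09:55 2024 GMT
    Next Update: Dec 15 12:09:54 2024 GMT'

# Constructed sample where the response did not verify: the trailing
# "good" must NOT be believed, so the classifier reports error.
SAMPLE_UNVERIFIED='Response Verify Failure
error:unable to get local issuer certificate (constructed)
example.pem: good'

# Offline demonstration; pass a host name (and optional port) to run a live check.
if [ "$#" -gt 0 ]; then
    check_host "$@"
else
    printf '%s\n' "$SAMPLE_REVOKED"    | ocsp_status
    printf '%s\n' "$SAMPLE_GOOD"       | ocsp_status
    printf '%s\n' "$SAMPLE_UNVERIFIED" | ocsp_status
fi
```

Run it as `sh ocsp_check.sh kern.facilitysoft.org` to repeat the poster's check against a live responder; with no arguments it only runs the classifier over the constructed samples. The one design choice that matters for this thread is in `ocsp_status`: a status word is reported only when `Response verify OK` appeared, because a responder answer whose signature did not verify is no evidence either way, and a tool that prints "good" from such a response is exactly how contradictory checker results arise.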