KB Article #178502
How to decode an OCSP request or OCSP response
Problem
OCSP requests and OCSP responses are present in log files as base64 blobs and it is not clear how to decode them, particularly on machines that are unable to download tools from the internet.
Resolution
The OCSP traffic has two layers of encoding: the outer layer is base64 encoding and the inner layer is ASN.1 encoding. The OpenSSL command line tool ships with most VA-family products and can decode both layers into a human-readable format with a few commands. The examples assume that OpenSSL is on your path. Otherwise, run the commands from the directory containing the OpenSSL command line tool and reference all files by their full path.
First, save the base64 blob from the logs into a file, called base64.txt in the examples below, then decode it into a binary ASN.1-encoded file named ocsp.bin like so:
openssl enc -d -A -base64 -in base64.txt -out ocsp.bin
Next, decode the OCSP request or response. There's a different command depending on which of the two you have:
OCSP Request:
openssl ocsp -reqin ocsp.bin -text -noverify
OCSP Response:
openssl ocsp -respin ocsp.bin -text -noverify
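Because -noverify skips verification of the response signature, treat the output as a debugging aid rather than as proof that the response is authentic. The command prints the full request or response in a human-readable form that is useful for debugging, similar to the following: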
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: FD48ADDDCB7B00E20E842AA9B409F1AC3034CF96
          Issuer Key Hash: A0EA7389DB29FB108F9EE50120D4DE79994883F7
          Serial Number: 9014195F66FAFF8FD66E12496E516F4F
    Request Extensions:
        OCSP Nonce: 0010DA634F2ADC31DC48AE89BE64E8252D12
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: A0EA7389DB29FB108F9EE50120D4DE79994883F7
    Produced At: Jan 1 08:45:00 2014 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: FD48ADDDCB7B00E20E842AA9B409F1AC3034CF96
      Issuer Key Hash: A0EA7389DB29FB108F9EE50120D4DE79994883F7
      Serial Number: 9114195F66FAFF8FD66E12496E516F4F
    Cert Status: good
    This Update: Jan 1 08:45:00 2014 GMT
    Next Update: Jan 16 09:00:00 2014 GMT
    Signature Algorithm: sha1WithRSAEncryption
        50:21:4c:dc:84:21:f7:a8:ac:a7:b9:bc:10:19:f8:19:f1:34:
        c1:63:ca:14:7f:8f:5a:85:2a:cc:02:b0:f8:b5:05:4a:0f:28:
        50:2a:4a:4d:04:01:b5:05:ef:a5:88:41:d8:9d:38:00:7d:76:
        1a:aa:ff:21:50:68:90:d2:0c:93:85:49:e7:8e:f1:58:08:77:
        a0:4e:e2:22:98:01:b7:e3:27:75:11:f5:b7:8f:e0:75:7d:19:
        9b:74:cf:05:dc:ae:1c:36:09:95:b6:08:bc:e7:3f:ea:a2:e3:
        ae:d7:8f:c0:9d:8e:c2:37:67:c7:5b:d8:b0:67:23:f1:51:53:
        26:c2:96:b0:1a:df:4e:fb:4e:e3:da:a3:98:26:59:a8:d7:17:
        69:87:a3:68:47:08:92:d0:37:04:6b:49:9a:96:9d:9c:b1:e8:
        cb:dc:68:7b:4a:4d:cb:08:f7:92:67:41:99:b6:54:56:80:0c:
        18:a7:24:53:ac:c6:da:1f:4d:f4:3c:7d:68:44:1d:a4:df:1d:
        48:07:85:52:86:59:46:d1:35:45:1a:c7:6b:6b:92:de:24:ae:
        c0:97:66:54:29:7a:c6:86:a6:da:9f:06:24:dc:ac:80:66:95:
        e0:eb:49:fd:fb:d4:81:6a:2b:81:41:57:24:78:3b:e0:66:70:
        d4:2e:52:92
cert.pem: good
    This Update: Jan 1 08:45:00 2014 GMT
    Next Update: Jan 16 09:00:00 2014 GMT
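The steps above as one helper, added here as an example that is not part of the original article: it strips whitespace from the blob, decodes it, and chooses -reqin or -respin by looking at the first tag inside the outer SEQUENCE (a SEQUENCE for a request, an ENUMERATED status for a response). The function names ocsp_kind and ocsp_decode, the script name, and the availability of a POSIX shell with od, tr and mktemp are assumptions.

```shell
#!/bin/sh
# Added example. Constructed sample blob: MAMKAQY= is the 5 bytes 30 03 0A 01 06,
# an OCSP response that carries only a status (6, unauthorized).

# Print "request", "response" or "unknown" for the DER file in $1.
ocsp_kind() {
    set -- $(od -An -tu1 -N8 "$1" 2>/dev/null)    # first 8 bytes as decimals
    if [ $# -lt 3 ] || [ "$1" -ne 48 ]; then      # 48 = 0x30, outer SEQUENCE
        echo unknown; return 1
    fi
    n=0                                           # extra length bytes (long form)
    [ "$2" -lt 128 ] || n=$(($2 - 128))
    if [ "$n" -gt 4 ] || [ $# -lt $((n + 3)) ]; then
        echo unknown; return 1
    fi
    shift $((n + 2))                              # skip tag and length bytes
    case "$1" in
        48) echo request ;;                       # tbsRequest is a SEQUENCE
        10) echo response ;;                      # responseStatus is an ENUMERATED
        *)  echo unknown; return 1 ;;
    esac
}

# Decode the base64 blob saved in file $1 and print it with the matching command.
ocsp_decode() {
    bin=$(mktemp) || return 1
    # -A expects the whole blob on one line, so drop wrapping and CR/LF first.
    tr -d ' \t\r\n' < "$1" | openssl enc -d -A -base64 -out "$bin"
    case "$(ocsp_kind "$bin")" in
        request)  openssl ocsp -reqin "$bin" -text -noverify; rc=$? ;;
        response) openssl ocsp -respin "$bin" -text -noverify; rc=$? ;;
        *)        echo "$1: not an OCSP request or response" >&2; rc=1 ;;
    esac
    rm -f "$bin"
    return "$rc"
}

# Run as: sh ocsp-decode.sh base64.txt  (the script name is hypothetical)
if [ $# -gt 0 ]; then ocsp_decode "$1"; fi
```

A blob that classifies as unknown is usually truncated in the log or is not OCSP at all, which is worth checking before blaming the responder.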