OpenSSL - Check Revocation Status

OCSP

The URI of the OCSP responder can be read from the client's certificate with the following command:

openssl x509 -in cert.crt -noout -ocsp_uri

If the intermediate certificates were delivered as a single file (.ca-bundle), open that file in a text editor, extract the very first certificate from it and save it as a separate file, for example intermediate.crt.

Once that is done, send a request to the OCSP responder with the following command:

openssl ocsp -no_nonce -issuer intermediate.crt -cert cert.crt -url [OCSP_URI] -VAfile intermediate.crt

State good: the response contains a line such as cert.crt: good.

State revoked: the response contains a line such as cert.crt: revoked.

Only trust the status if the output also contains Response verify OK; otherwise the responder's signature could not be verified against the certificate given with -VAfile.

CRL

Get the CRL distribution point lines from the certificate:

openssl x509 -in cert.crt -noout -text | grep crl

Download the CRL from the http link with wget (Linux/Unix) or Invoke-WebRequest (Windows PowerShell).

Then, the serial number of the end-entity certificate needs to be retrieved by executing the following command:

openssl x509 -in cert.crt -noout -serial

With the serial number at hand it is possible to check whether the certificate is listed on the CRL. To perform the check, run the following command (use only the hex digits after serial=, and -inform PEM if the downloaded CRL is PEM-encoded):

openssl crl -inform DER -text -in [name of downloaded CRL] | grep [serial number of client's certificate you would like to check]

If there is no output, the certificate is not on the CRL. If grep prints a matching Serial Number: line (in the original article this is shown in a screenshot, together with the revocation date), the certificate is on the CRL.

If the certificate is on the CRL, the certificate is revoked and should not be used any further.
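The CRL procedure above, as an added offline example that is not part of the wiki page: it builds a throwaway CA with openssl, issues two leaf certificates, revokes one, publishes a DER CRL and then performs the page's serial-number check in a small function. It assumes the openssl command-line tool is installed; all file names, the CA configuration and the host names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the wiki page: build a throwaway CA with openssl, issue two leaf
# certificates, revoke one, and run the page's CRL check. Assumes the openssl CLI is installed.
set -e
WORK=$(mktemp -d); cd "$WORK"
# Minimal openssl config for "openssl ca" and "openssl req" (constructed for this demo)
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
touch index.txt; echo 1000 > serial
# Throwaway CA plus two leaf certificates (demo keys only, discarded with $WORK)
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj /CN=DemoCA -days 30 2>/dev/null
for name in revoked-host valid-host; do
    openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout "$name.key" \
        -out "$name.csr" -subj "/CN=$name" 2>/dev/null
    openssl ca -config ca.cnf -batch -notext -in "$name.csr" -out "$name.crt" 2>/dev/null
done
# Revoke one certificate and publish the CRL in DER form, as a CA's CRL distribution point would serve it
openssl ca -config ca.cnf -revoke revoked-host.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
openssl crl -in crl.pem -outform DER -out crl.der
# The page's check: look the certificate's serial up in the CRL text. Returns 0 when the
# serial is listed (revoked) and 1 when it is absent (not revoked via this CRL).
is_revoked() {
    serial=$(openssl x509 -in "$1" -noout -serial | cut -d= -f2)
    openssl crl -inform DER -in "$2" -noout -text | grep -q 'Serial Number: '"$serial"'$'
}
```

The trailing anchor in the grep pattern avoids a prefix match, which a bare grep for the serial would allow once a CA has issued serials of different lengths.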

https://www.namecheap.com/support/knowledgebase/article.aspx/9968/38/how-to-check-the-certificate-revocation-status/

anwendungen_und_sonstiges/openssl_-_check_revocation_status.txt · Last modified: 2022/03/30 15:21 by ronny