How to use openssl in Linux to verify SSL certificate details

SSL certificates are an integral part of securing data and connectivity to different systems. Learn how to use the Linux openssl command to find important certificate details.


Administering SSL certificates can be quite a chore, particularly when it comes time to renew or replace them. Expiring SSL certificates can be devastating for technology operations, with the impact ranging from worrisome browser error messages to complete production outages. It is therefore important not only to track upcoming SSL certificate expirations (network scans or at least a log keeping track of these certificates are essential) but also to fully confirm the success of renewing or replacing these certificates.

Certificate files in Linux are usually kept in the /etc/pki/tls/certs folder or possibly in an application-specific folder such as /etc/httpd for Apache (depending on the preferences of the person or vendor who configured or built the system). They usually use .pem or .crt extensions and will likely be named '(hostname).pem' or '(hostname).crt', but often the generic "server" file name is used as well.

The openssl command is a veritable Swiss Army knife of capabilities you can use to manage your certificates. To display the details of a specific certificate, run the following command:

openssl x509 -in (path to certificate and certificate filename) -text -noout

You will see output similar to the following. The Issuer, Subject, Not Before/Not After and Subject Alternative Name fields will have the most useful details:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            11:00:00:05:16:07:eb:1b:1d:9f:88:81:98:00:00:00:00:05:16
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=int, DC=dev, CN=dev issuing low 01
        Validity
            Not Before: Mar 19 15:32:02 2021 GMT
            Not After : Mar 19 15:42:02 2022 GMT
        Subject: C=US, ST=MA, L=Boston, O=Contoso, OU=Applications, CN=try.contoso.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e9:0d:7a:8c:55:54:4f:ef:67:a7:a0:54:de:8f:
                    bd:6c:cd:fe:e5:01:22:40:90:df:39:97:5a:f6:76:
                    c1:d9:00:d7:88:7e:7b:63:65:99:59:be:08:4a:3c:
                    2b:63:13:0d:42:3e:95:9d:cf:2f:2e:48:35:0e:9c:
                    6c:3f:b5:fd:75:4f:7c:86:34:80:c1:86:be:bf:0e:
                    0a:da:a7:eb:8b:97:9f:29:34:1b:fa:c8:b4:f5:57:
                    ec:98:a9:d1:d4:dc:07:6e:e0:14:51:a3:7a:5e:1c:
                    b4:e6:a1:14:01:59:a3:a3:04:f0:75:0c:2e:6f:34:
                    2c:72:a8:51:09:0d:ad:53:f4:34:58:ab:23:01:b8:
                    51:1a:2c:c3:3f:e2:75:4e:8d:55:9a:2b:60:c4:60:
                    67:7e:e9:82:78:73:fe:fc:38:a3:1f:1b:30:f7:46:
                    95:4f:88:b1:97:e1:6d:f6:85:3c:79:37:f5:47:44:
                    66:16:ad:3a:f2:fc:ce:db:a4:0c:2d:6d:1e:9e:20:
                    b9:b5:eb:ba:de:93:3a:02:a7:80:3f:f5:ca:21:d2:
                    b1:34:56:ba:95:df:0f:3a:f5:fa:83:96:fe:aa:51:
                    20:9d:20:d5:b2:85:24:90:ea:c7:cd:5d:a2:e7:a5:
                    ff:c3:d2:23:f9:ba:8c:ad:37:8b:8f:84:ad:22:04:
                    fc:2d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:try.contoso.com, DNS:testhost.contoso.com
            X509v3 Subject Key Identifier:
                93:F0:A5:5F:72:91:05:67:84:42:D2:0B:A1:48:54:8E:4E:BB:E0:A0
            X509v3 Authority Key Identifier:
                keyid:7D:F8:78:35:EE:A6:43:93:EF:E6:92:79:C9:15:49:12:51:77:EB:BB

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:ldap:///CN=dev%20issuing%20low%2001,CN=ca1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dev,DC=int?certificateRevocationList?base?objectClass=cRLDistributionPoint

            Authority Information Access:
                CA Issuers - URI:ldap:///CN=dev%20issuing%20low%2001,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dev,DC=int?cACertificate?base?objectClass=certificationAuthority

            1.3.6.1.4.1.311.20.2:
                ...W.e.b.S.e.r.v.e.r
    Signature Algorithm: sha256WithRSAEncryption
         76:d6:6e:35:53:71:3b:1b:f6:12:23:b5:14:e2:73:c9:e7:d0:
         68:e7:37:ab:35:bc:fc:e5:41:75:f1:84:11:20:ce:84:94:dc:
         86:1d:11:7a:bd:a0:5a:8a:3b:ac:fc:f1:4d:5f:3a:3f:88:a8:
         ff:ad:2e:2a:3f:91:a3:d5:28:f2:84:87:b6:17:62:a6:d2:d2:
         25:34:e3:6d:c0:3b:93:f1:a2:22:8e:80:a1:fe:54:65:d6:10:
         da:78:4b:0a:f7:eb:75:d5:9d:17:0b:87:8f:5c:2d:39:49:59:
         b7:e6:b1:4a:c2:f0:de:68:6a:36:56:85:16:a4:01:46:21:b6:
         49:33:0b:4a:ec:c5:69:6b:fa:ea:d7:d4:95:e1:f4:2d:17:c5:
         ad:bd:1f:b6:73:cd:6c:ae:5d:ad:ed:0f:82:ed:43:1c:0e:ed:
         54:93:83:d8:76:45:d6:45:3d:10:17:f4:eb:8a:84:e8:9a:9c:
         c6:5c:92:df:2e:c0:64:6d:03:78:cd:59:dd:f3:e6:bb:5c:ac:
         c0:9b:55:3f:a5:b6:12:90:0c:ea:e1:05:37:6b:19:86:53:f1:
         83:d7:0b:23:6d:fe:5b:c8:2f:22:e3:b5:6a:bf:cd:45:27:62:
         d8:1b:1c:a9:be:be:71:0c:07:bd:d3:c2:a4:63:1e:eb:7f:22:
         31:3a:8b:25

It is also useful to run a test against the port associated with an SSL certificate (e.g., 443 for a web server). You can run the following command to check the expiration date of a certificate. I highly recommend running it before and after replacing or renewing an SSL certificate to confirm success. Keep in mind that when replacing application-related certificates (such as for Apache) you will likely need to restart the service for it to pick up the new certificate.

You can either use this command on the host system itself or run it remotely against that system, substituting for "localhost" the fully qualified domain name (FQDN) of the host you want to test and changing port 443 as needed to match the open port associated with the SSL certificate.

openssl s_client -connect localhost:443 2>/dev/null | openssl x509 -noout -dates

You should receive output similar to the following:

Not Before: Mar 19 15:32:02 2021 GMT
Not After : Mar 19 15:42:02 2022 GMT
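As an added example that is not part of the original article: a small bash script that turns the before/after check above into a pass/fail test by comparing the SHA-256 fingerprint of the certificate file on disk with the fingerprint of the certificate the listener actually serves. A mismatch after a renewal usually means the service has not been restarted and is still serving the old certificate. The certificate path and host:port in the usage comment are placeholders.

```shell
#!/bin/bash
# Compare the certificate a listener serves with the certificate file on disk,
# so a renewed file that the service has not reloaded is caught. (Added example;
# paths and host:port are placeholders, not values from the article.)
set -u

# SHA-256 fingerprint of a PEM certificate file (hex pairs joined by ':')
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed -e 's/^.*=//'
}

# SHA-256 fingerprint of the leaf certificate served on host:port
served_fingerprint() {
    echo | openssl s_client -connect "$1" -servername "${1%%:*}" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed -e 's/^.*=//'
}

# Days until the certificate in a PEM file expires (negative if already expired)
days_until_expiry() {
    local not_after epoch_after epoch_now
    not_after=$(openssl x509 -in "$1" -noout -enddate | sed -e 's/^notAfter=//')
    epoch_after=$(date -d "$not_after" +%s)
    epoch_now=$(date +%s)
    echo $(( (epoch_after - epoch_now) / 86400 ))
}

# Usage: verify_renewal /etc/pki/tls/certs/server.crt server.company.com:443
# Returns 0 when the served cert matches the file, 1 on mismatch, 2 on no cert.
verify_renewal() {
    local file_fp served_fp
    file_fp=$(file_fingerprint "$1")
    served_fp=$(served_fingerprint "$2")
    if [ -z "$served_fp" ]; then
        echo "$2 ; ERROR: no certificate received from listener"
        return 2
    fi
    if [ "$file_fp" = "$served_fp" ]; then
        echo "$2 ; OK: serving $1 ($(days_until_expiry "$1") days until expiration)"
        return 0
    fi
    echo "$2 ; MISMATCH: served $served_fp but file has $file_fp (service not restarted?)"
    return 1
}
```

Run it as `verify_renewal <cert file> <host:port>` before the renewal (expect OK) and again after the new file is in place and the service has been restarted.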

The script below can also be used to extract more details about a certificate and, as above, can be used locally or remotely.

I call it ssl_validate.sh, but you can copy the contents into a new script file with whatever name you like, use chmod +x to make it executable, and then use it with the following syntax:

./ssl_validate.sh (or whichever script name you choose) server.company.com:443, where "server.company.com" is the fully qualified domain name (FQDN) of the host you want to test and 443 is the port it is listening on for the SSL certificate.

It is important to ensure you have a path to that server and port, such as via permitted firewall entries.

The script will return output similar to the following to show the most salient details of the SSL certificate:

server.company.com:443 ; SSL ; CN: (CN of the SSL certificate) ; Subject: (Subject of the SSL certificate) ; Issuer: (Issuer of the SSL certificate) ; notBefore: (Creation date of the SSL certificate) ; notAfter: (Expiration date of the SSL certificate) ; DaysUntilExpiration: (Days remaining until the SSL certificate expires) ; Errors: (Any associated errors with the SSL certificate)

The script begins below:

#!/bin/bash
# ssl_validate.sh: print the salient details of the certificate served on host:port
delim=" ; "
export delim
serverport=$1
export serverport
echo "#$serverport"
date_today=$(date +%F)
export date_today

# Number of days between two dates ($1 minus $2); GNU date is assumed
datediff() {
    d1=$(date -d "$1" +%s)
    d2=$(date -d "$2" +%s)
    echo $(( (d1 - d2) / 86400 )) days
}
export -f datediff

# Connect to host:port, read the served certificate and print its details on one line
sslscan() {
    tls_content=$(echo | openssl s_client -connect "$1" 2>/dev/null)
    tls_cert=$(echo "$tls_content" | openssl x509 -noout -subject -issuer 2>/dev/null) || return 1
    tls_subject=$(echo "$tls_cert" | grep '^subject=' | sed -e 's/^subject= *//')
    tls_issuer=$(echo "$tls_cert" | grep '^issuer=' | sed -e 's/^issuer= *//')
    # The CN pattern accepts both the legacy "/CN=host" and the newer "CN = host" subject formats
    tls_cn=$(echo "$tls_subject" | sed -e 's/.*CN *= *\([^/,]*\).*/\1/')
    tls_cert_dates=$(echo "$tls_content" | openssl x509 -noout -dates)
    not_before=$(echo "$tls_cert_dates" | grep '^notBefore=' | sed -e 's/^notBefore=//')
    not_after=$(echo "$tls_cert_dates" | grep '^notAfter=' | sed -e 's/^notAfter=//')
    days_left=$(datediff "$not_after" "$date_today")
    # s_client reports chain verification problems as "Verify return code: N (reason)"
    errors=$(echo "$tls_content" | grep 'Verify return code' | sed -e 's/.*Verify return code: //')
    echo -n "$1 $delim SSL $delim CN: $tls_cn $delim Subject: $tls_subject $delim Issuer: $tls_issuer $delim notBefore: $not_before $delim notAfter: $not_after $delim DaysUntilExpiration: $days_left $delim Errors: $errors"
}
export -f sslscan

# Give the scan three seconds; a hang or a failed connection is reported as an error
timeout 3 bash -c "sslscan $serverport"
if [[ $? != 0 ]]; then
    echo -n "$serverport $delim ERROR: CONNECTION_TIMED_OUT"
fi
echo

By Techfeeddata