SSL certificates are an integral constituent successful securing information and connectivity to different systems. Learn tips connected however you tin usage the Linux openssl bid to find captious certificate details.
Image: Getty Images/iStockphoto
Administering SSL certificates tin beryllium rather a chore, particularly erstwhile it comes clip to renew oregon regenerate them. Expiring SSL certificates tin beryllium devastating for technological operations, with the interaction ranging from worrisome browser mistake messages to implicit accumulation outages. Therefore, it's important to not lone support an oculus connected upcoming SSL certificate expirations (network scans oregon astatine the precise slightest a log keeping way of these certificates are essential) but to wholly verify the occurrence of renewing/replacing these certificates.
SEE: 5 Linux server distributions you should beryllium using (TechRepublic Premium)
Certificate files successful Linux are mostly successful the /etc/pki/tls/certs folder oregon perchance wrong an application-specific folder specified arsenic /etc/httpd for Apache (depending connected the whim of the idiosyncratic oregon vendor who configured/built the application). These mostly usage .pem oregon .crt extensions and volition apt beryllium named '(hostname).pem' '(hostname).crt', but sometimes the generic "server" record sanction is utilized arsenic well.
The openssl bid is simply a veritable Swiss Army weapon of functions you tin usage to administer your certificates. To illustration the details of a peculiar certificate, tally the pursuing command:
openssl x509 -in (path to certificate and certificate filename) -text -nooutYou volition spot output akin to the following. The Issuer, Subject, Not Before/Note After and Subject Alternative Names fields volition person the astir utile details:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
11:00:00:05:16:07:eb:1b:1d:9f:88:81:98:00:00:00:00:05:16
Signature Algorithm: sha256WithRSAEncryption
Issuer: DC=int, DC=dev, CN=dev issuing debased 01
Validity
Not Before: Mar 19 15:32:02 2021 GMT
Not After : Mar 19 15:42:02 2022 GMT
Subject: C=US, ST=MA, L=Boston, O=Contoso, OU=Systems, CN=test.contoso.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e9:0d:7a:8c:55:54:4f:ef:67:a7:a0:54:de:8f:
bd:6c:cd:fe:e5:01:22:40:90:df:39:97:5a:f6:76:
c1:d9:00:d7:88:7e:7b:63:65:99:59:be:08:4a:3c:
2b:63:13:0d:42:3e:95:9d:cf:2f:2e:48:35:0e:9c:
6c:3f:b5:fd:75:4f:7c:86:34:80:c1:86:be:bf:0e:
0a:da:a7:eb:8b:97:9f:29:34:1b:fa:c8:b4:f5:57:
ec:98:a9:d1:d4:dc:07:6e:e0:14:51:a3:7a:5e:1c:
b4:e6:a1:14:01:59:a3:a3:04:f0:75:0c:2e:6f:34:
2c:72:a8:51:09:0d:ad:53:f4:34:58:ab:23:01:b8:
51:1a:2c:c3:3f:e2:75:4e:8d:55:9a:2b:60:c4:60:
67:7e:e9:82:78:73:fe:fc:38:a3:1f:1b:30:f7:46:
95:4f:88:b1:97:e1:6d:f6:85:3c:79:37:f5:47:44:
66:16:ad:3a:f2:fc:ce:db:a4:0c:2d:6d:1e:9e:20:
b9:b5:eb:ba:de:93:3a:02:a7:80:3f:f5:ca:21:d2:
b1:34:56:ba:95:df:0f:3a:f5:fa:83:96:fe:aa:51:
20:9d:20:d5:b2:85:24:90:ea:c7:cd:5d:a2:e7:a5:
ff:c3:d2:23:f9:ba:8c:ad:37:8b:8f:84:ad:22:04:
fc:2d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: captious
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:test.contoso.com, DNS:testhost.contoso.com
X509v3 Subject Key Identifier:
93:F0:A5:5F:72:91:05:67:84:42:D2:0B:A1:48:54:8E:4E:BB:E0:A0
X509v3 Authority Key Identifier:
keyid:7D:F8:78:35:EE:A6:43:93:EF:E6:92:79:C9:15:49:12:51:77:EB:BB
X509v3 CRL Distribution Points:
Full Name:
URI:ldap:///CN=dev%20issuing%20low%2001,CN=ca1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dev,DC=int?certificateRevocationList?base?objectClass=cRLDistributionPoint
Authority Information Access:
CA Issuers - URI:ldap:///CN=dev%20issuing%20low%2001,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dev,DC=int?cACertificate?base?objectClass=certificationAuthority
1.3.6.1.4.1.311.20.2:
...W.e.b.S.e.r.v.e.r
Signature Algorithm: sha256WithRSAEncryption
76:d6:6e:35:53:71:3b:1b:f6:12:23:b5:14:e2:73:c9:e7:d0:
68:e7:37:ab:35:bc:fc:e5:41:75:f1:84:11:20:ce:84:94:dc:
86:1d:11:7a:bd:a0:5a:8a:3b:ac:fc:f1:4d:5f:3a:3f:88:a8:
ff:ad:2e:2a:3f:91:a3:d5:28:f2:84:87:b6:17:62:a6:d2:d2:
25:34:e3:6d:c0:3b:93:f1:a2:22:8e:80:a1:fe:54:65:d6:10:
da:78:4b:0a:f7:eb:75:d5:9d:17:0b:87:8f:5c:2d:39:49:59:
b7:e6:b1:4a:c2:f0:de:68:6a:36:56:85:16:a4:01:46:21:b6:
49:33:0b:4a:ec:c5:69:6b:fa:ea:d7:d4:95:e1:f4:2d:17:c5:
ad:bd:1f:b6:73:cd:6c:ae:5d:ad:ed:0f:82:ed:43:1c:0e:ed:
54:93:83:d8:76:45:d6:45:3d:10:17:f4:eb:8a:84:e8:9a:9c:
c6:5c:92:df:2e:c0:64:6d:03:78:cd:59:dd:f3:e6:bb:5c:ac:
c0:9b:55:3f:a5:b6:12:90:0c:ea:e1:05:37:6b:19:86:53:f1:
83:d7:0b:23:6d:fe:5b:c8:2f:22:e3:b5:6a:bf:cd:45:27:62:
d8:1b:1c:a9:be:be:71:0c:07:bd:d3:c2:a4:63:1e:eb:7f:22:
31:3a:8b:25
It's besides arsenic utile to tally a cheque against the larboard associated with an SSL certificate (e.g., 443 for a web server). You tin tally this bid to cheque the expiration day of a certificate. I highly urge moving this earlier and aft replacing oregon renewing an SSL certificate to corroborate success. Note that erstwhile replacing exertion related certificates (such arsenic for Apache) you'll apt request to restart the exertion oregon it to prime up the caller certificate.
Either usage this bid connected the big strategy itself oregon tally it remotely against that system, substituting for "localhost" the afloat qualified domain sanction (FQDN) of the big you privation to cheque and changing the larboard 443 arsenic needed to lucifer the unfastened larboard associated with the SSL certificate.
openssl s_client -connect localhost:443 2>/dev/null | openssl x509 -noout -datesYou should person output akin to the following:
Not Before: Mar 19 15:32:02 2021 GMT
Not After : Mar 19 15:42:02 2022 GMT
This publication beneath tin besides beryllium utilized to extrapolate adjacent much details astir a certificate and arsenic supra tin beryllium utilized locally oregon remotely.
I telephone it ssl_validate.sh, but you tin transcript the contents into a caller publication record with immoderate sanction you like, usage chmod +x to marque it executable, and past usage it with the pursuing syntax:
./ssl_validate.sh (or whichever publication sanction you choose) server.company.com:443, wherever "server.company.com" is the afloat qualified domain sanction (FQDN) of the big you privation to cheque and 443 is the larboard it's listening connected associated with the SSL certificate.
You request to guarantee you person a way to that server and larboard specified arsenic done approved firewall entries.
The publication volition instrumentality output akin to the pursuing to show the astir salient details of the SSL certificate:
server.company.com:443 ; SSL ; CN: (CN of the SSL certificate) ; Subject (Subject of the SSL certificate) ; Issuer: (Issuer of the SSL certificate) ; notBefore: (Creation day of the SSL certificate) ; notAfter: (Expiration day of the SSL certificate) ; DaysUntilExpiration: (Days remaining until the SSL certificate expires) ; Errors: (Any related errors with the SSL certificate)
The publication starts below:
delim=" ; "
export delim
serverport=${1}
export serverport
echo "#${serverport}"
date_today=$(date +%F)
datediff() {
d1=$(date -d "$1" +%s)
d2=$(date -d "$2" +%s)
echo $(( (d1 - d2) / 86400 )) days
}
export -f datediff
sslscan() {
section sp=${1}
tls_content=$(echo "Q" | openssl s_client -showcerts -connect ${serverport} 2>&1)
if [[ "$?" == 0 ]]; then
tls_errors=$(echo "${tls_content}" | grep -i mistake )
tls_cert_subject=$(echo "${tls_content}" | openssl x509 -noout -subject )
tls_cert_issuer=$(echo "${tls_content}" | openssl x509 -noout -issuer )
tls_cert_cn=$(echo "${tls_content}" | openssl x509 -noout -subject | sed -e "s/.*CN=\([^\/]*\).*/\1/" )
tls_cert_dates=$(echo "${tls_content}" | openssl x509 -noout -dates )
tls_cert_notafter_date=$(echo "${tls_cert_dates}" | grep notAfter |sed -e "s/notAfter=//" | tr -d '\n')
tls_cert_notbefore_date=$(echo "${tls_cert_dates}" | grep notBefor |sed -e "s/notBefore=//" | tr -d '\n')
tls_cert_datediff=$(datediff "${tls_cert_notafter_date}" "${date_today}")
echo -n "${serverport} ${delim} SSL"
echo -n " ${delim} CN:"
echo -n " ${tls_cert_cn}"
echo -n " ${delim} Subject:"
echo -n " ${tls_cert_subject}"
echo -n " ${delim} Issuer:"
echo -n " ${tls_cert_issuer}"
echo -n " ${delim} notBefore:"
echo -n " ${tls_cert_notbefore_date}"
echo -n " ${delim} notAfter:"
echo -n " ${tls_cert_notafter_date}"
echo -n " ${delim} DaysUntilExpiration:"
echo -n " ${tls_cert_datediff}"
echo -n " ${delim} Errors:"
echo -n " ${tls_errors}"
echo
else
tls_errors=$(echo "${tls_content}" | tr '\n' '/' | tr ' ' '_' )
status="ERROR: ${tls_errors}"
echo -n "${serverport} ${delim} ${status}"
echo
fi
}
export -f sslscan
timeout 3 bash -c "sslscan ${serverport}"
if [[ $? != 0 ]]; then
echo -n "${serverport} ${delim} ERROR: CONNECTION_TIMED_OUT"
echo
fi
Cybersecurity Insider Newsletter
Strengthen your organization's IT information defenses by keeping abreast of the latest cybersecurity news, solutions, and champion practices. Delivered Tuesdays and Thursdays
Sign up todayAlso see
- 3 reasons to commencement utilizing SSL certificates close now (TechRepublic)
- Linux turns 30: Celebrating the unfastened root operating strategy (free PDF) (TechRepublic)
- Windows, Linux, and Mac commands everyone needs to cognize (free PDF) (TechRepublic)
- How to go a developer: A cheat sheet (TechRepublic)
- Best practices for Linux admins (TechRepublic Premium)
- From commencement to finish: How to deploy an LDAP server (TechRepublic Premium)
- Linux, Android, and much unfastened root tech coverage (TechRepublic connected Flipboard)
English (US) ·