SSL Certificate Validation
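# Verify SSL: key, CSR and certificate belong together only if all three carry the same public key.
# For RSA the modulus is the public key, so hashing the modulus of each file must give the same digest.
# (md5 is fine here: it only compares three files you own, it is not a security boundary.)
ssl_domain=mydomainnametotest.com
openssl rsa  -noout -modulus -in "${ssl_domain}.key" | openssl md5
openssl req  -noout -modulus -in "${ssl_domain}.csr" | openssl md5
openssl x509 -noout -modulus -in "${ssl_domain}.crt" | openssl md5
# -modulus only exists for RSA. For EC (or any) keys compare the DER-encoded public key instead:
openssl pkey -pubout -outform DER -in "${ssl_domain}.key" | openssl sha256
openssl req  -pubkey -noout -in "${ssl_domain}.csr" | openssl pkey -pubin -outform DER | openssl sha256
openssl x509 -pubkey -noout -in "${ssl_domain}.crt" | openssl pkey -pubin -outform DER | openssl sha256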
# Dump the installed certificate in human-readable form (the PEM block is echoed after the text)
openssl x509 -in "/etc/nginx/ssl/${ssl_domain}.crt" -text
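# Get details of all certs in .crt bundle file to verify certificate chain
# Compare the Issuer of the domain certificate with the Subject of the intermediate certificate.
# Each PEM block is handed to openssl through a list-form pipe open instead of `echo "$input"` in
# backticks: the bundle may contain free text between blocks (subject=/CN=... headers etc.), and
# with backticks any quote, $ or backtick in that text would have been interpreted by the shell.
perl -e '
$| = 1;                     # keep our own headers in order with the openssl output on the same stdout
my $pem = ""; my $n = 1;
while (my $line = <>) {
    $pem .= $line;
    next unless $line =~ /^\-+END(\s\w+)?\sCERTIFICATE\-+$/;
    print "Certificate $n:\n";
    open(my $x509, "|-", "openssl", "x509", "-noout", "-subject", "-subject_hash", "-issuer", "-issuer_hash", "-dates")
        or die "cannot run openssl: $!";
    print {$x509} $pem;
    close($x509) or warn "openssl x509 failed on certificate $n\n";
    print "\n";
    $pem = ""; $n++;
}' < "/etc/nginx/ssl/${ssl_domain}.crt"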
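# Chain linkage check: the issuer hash of certificate N must equal the subject hash of certificate N+1.
# The previous one-liner compared with the numeric operator != (hex hashes like "f3e1..." become 0, so
# the comparison was meaningless) and only ever looked at the LAST certificate against itself.
# A matching hash proves name linkage only; the signature itself is checked by "openssl verify" below.
perl -e '
use strict; use warnings;
use IPC::Open2;
# run "openssl x509 -noout <opt>" on one PEM block without going through a shell
sub x509_hash {
    my ($pem, $opt) = @_;
    my $pid = open2(my $out, my $in, "openssl", "x509", "-noout", $opt);
    print {$in} $pem; close $in;
    my $hash = <$out>; close $out; waitpid($pid, 0);
    chomp $hash if defined $hash;
    return $hash // "";
}
my $pem = ""; my @subject; my @issuer;
while (my $line = <>) {
    $pem .= $line;
    next unless $line =~ /^\-+END(\s\w+)?\sCERTIFICATE\-+$/;
    push @subject, x509_hash($pem, "-subject_hash");
    push @issuer,  x509_hash($pem, "-issuer_hash");
    $pem = "";
}
die "no certificates found in input\n" unless @subject;
print "only one certificate in file, nothing to chain-check\n" if @subject == 1;
for my $i (0 .. $#subject - 1) {
    if ($issuer[$i] ne "" && $issuer[$i] eq $subject[$i + 1]) {
        printf "certificate %d issuer matches certificate %d subject (%s)\n", $i + 1, $i + 2, $issuer[$i];
    } else {
        printf "MISMATCH: certificate %d issuer (%s) != certificate %d subject (%s)\n", $i + 1, $issuer[$i], $i + 2, $subject[$i + 1];
    }
}' < "/etc/nginx/ssl/${ssl_domain}.crt"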
# print details of a request: paste the PEM between the markers
openssl req -text <<'EOF'
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
EOF
# print details of a certificate: paste the PEM between the markers
openssl x509 -text <<'EOF'
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
EOF
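# compare multiple certificates for chain certificate issuer validation: paste the PEM blocks between
# the markers, in server order (leaf first). Each block is fed to openssl over a list-form pipe open,
# not via `echo "$input"` in backticks, so stray text pasted between blocks cannot reach the shell.
perl -e '
$| = 1;                     # keep our own headers in order with the openssl output on the same stdout
my $pem = ""; my $n = 1;
while (my $line = <>) {
    $pem .= $line;
    next unless $line =~ /^\-+END(\s\w+)?\sCERTIFICATE\-+$/;
    print "Certificate $n:\n";
    open(my $x509, "|-", "openssl", "x509", "-noout", "-subject", "-subject_hash", "-issuer", "-issuer_hash", "-dates")
        or die "cannot run openssl: $!";
    print {$x509} $pem;
    close($x509) or warn "openssl x509 failed on certificate $n\n";
    print "\n";
    $pem = ""; $n++;
}' <<'EOF'
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
EOF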
# Use curl to check SSL against one specific backend address without touching DNS or /etc/hosts.
# --resolve pins the name to the IP, so SNI and the Host header still carry ${ssl_domain};
# -v shows the handshake, the server certificate and the verification result on stderr.
# Deliberately no -k/--insecure: a verification failure is exactly what we want to see.
ssl_domain="example.com"
ssl_ip_address="1.2.3.4"
curl -sv -o /dev/null --resolve "${ssl_domain}:443:${ssl_ip_address}" "https://${ssl_domain}/"
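# use openssl to connect directly to the server
# Without -servername no SNI is sent; a host serving several names then returns its default
# certificate, so a "wrong" certificate here may simply be the SNI variant below not being used.
openssl s_client -connect "${ssl_domain}:443"
# display all certificates the server sends (leaf and intermediates) with SNI support.
# A single "openssl x509" only decodes the FIRST PEM block; wrapping the blocks in a PKCS#7
# container and using pkcs7 -print_certs decodes every one of them.
echo | openssl s_client -showcerts -servername "${ssl_domain}" -connect "${ssl_domain}:443" 2>/dev/null | \
  awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' | \
  openssl crl2pkcs7 -nocrl -certfile /dev/stdin | \
  openssl pkcs7 -print_certs -noout -text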
# Nice reference for explaining how to get all the pieces together manually for verifying against a CRL | |
# https://raymii.org/s/articles/OpenSSL_manually_verify_a_certificate_against_a_CRL.html | |
# export all user certificates from the MacOs keychain
# ("security" is the macOS keychain CLI; -t certs selects certificate items -- presumably no private
#  keys are included in this export, verify with `security export -h` before relying on that)
security export -t certs -o certs.pem
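# Target for the chain/CRL verification below. Only one host/port pair can be active; the first pair
# used to be assigned and immediately overwritten (dead assignments), so it is kept as a comment instead.
#ssl_domain="www.microsoft.com"
#ssl_port="443"
ssl_domain="test-sspev.verisign.com"   # NOTE(review): old CA test host, may no longer resolve -- confirm
ssl_port="2443"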
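# Trusted root CA bundle, selected by platform. Previously both assignments ran unconditionally and
# the macOS path silently won on every system.
case "$(uname -s)" in
  Darwin)
    # For MacOs
    # Use Keychain Access to export all trusted root certificates to a file ExportedTrustedRootCAsFromKeychain.pem
    # http://movingpackets.net/2015/03/18/telling-openssl-about-your-root-certificates/
    trusted_root_cas="/temp/ExportedTrustedRootCAsFromKeychain.pem"
    ;;
  *)
    # For Linux
    # get default openssl directory (the OPENSSLDIR value of "openssl version -d")
    ca_path=$(openssl version -d | perl -nle 'print $& if m{(?<=OPENSSLDIR: ").+(?=")}')
    trusted_root_cas="${ca_path}/cert.pem"
    # NOTE(review): some distributions keep the bundle elsewhere (e.g. /etc/ssl/certs/ca-certificates.crt) -- confirm
    ;;
esac
# fail loudly now rather than with a confusing verify error later
[ -r "${trusted_root_cas}" ] || echo "trusted root bundle not readable: ${trusted_root_cas}" >&2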
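# Offline verification of ${ssl_domain}'s certificate chain plus a CRL revocation check.
# Inputs are built in a private temp directory (predictable file names in the cwd could be
# pre-created by another user):
#   ${work_dir}/domain.crt - the leaf certificate
#   ${work_dir}/chain.pem  - intermediate certificates sent by the server (never trust anchors)
#   ${work_dir}/roots.pem  - trusted root CAs + the CRL(s) listed in the leaf certificate
# -servername sends SNI so a multi-name host returns the certificate for ${ssl_domain}, not its default.
work_dir=$(mktemp -d)
# leaf certificate: the first PEM block s_client prints
openssl s_client -connect "${ssl_domain}:${ssl_port}" -servername "${ssl_domain}" 2>&1 < /dev/null | \
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "${work_dir}/domain.crt"
# chain certificates: every PEM block after the first one in the -showcerts output
# (perl -0 uses NUL as the record separator; -l then appends a NUL on print, which tr removes)
openssl s_client -connect "${ssl_domain}:${ssl_port}" -servername "${ssl_domain}" -showcerts 2>&1 < /dev/null | \
  awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' | \
  perl -0 -nle 'print $& if m{(?<=-----END CERTIFICATE-----\s)-----BEGIN CERTIFICATE-----.+}s' | \
  tr -d '\000' > "${work_dir}/chain.pem"
# trust anchors + CRLs. Each distribution point is fetched and converted on its own: piping several
# DER CRLs into a single "openssl crl" does not work. Fetching over plain HTTP is acceptable because
# the CRL is signed and "openssl verify" checks that signature; the transport is not what is trusted.
{
  cat "${trusted_root_cas}"
  openssl x509 -noout -text -in "${work_dir}/domain.crt" | grep -A 4 'X509v3 CRL Distribution Points' | \
    perl -nle 'print $& if m{(?<=URI:).+\.crl}' | \
    while read -r crl_uri; do
      wget -q -O - "${crl_uri}" | openssl crl -inform DER -outform PEM
    done
} > "${work_dir}/roots.pem"
# openssl verify
# -CAfile is documented as the file of *trusted* certificates. The server-supplied intermediates are
# passed with -untrusted instead of being concatenated into the trust store: they must be validated
# against a root, never act as one (with -partial_chain any certificate in -CAfile becomes an
# acceptable chain end, so mixing them in would silently widen what is trusted).
# -crl_check checks only the leaf. -crl_check_all would also check the intermediates, but then a CRL
# for every issuer in the chain has to be in -CAfile or verify fails with "unable to get certificate CRL".
openssl verify -verbose -crl_check -CAfile "${work_dir}/roots.pem" -untrusted "${work_dir}/chain.pem" "${work_dir}/domain.crt"
# remove temp files used to verify cert
rm -r "${work_dir}"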
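# Certificate Request Values
SSL_KEY="/etc/nginx/ssl/www.example.com.key"
SSL_CSR="/etc/nginx/ssl/www.example.com.csr"
SSL_REQ_COUNTRY="US"
SSL_REQ_STATE="Missouri"
SSL_REQ_LOCALITY="Springfield"
SSL_REQ_ORGANIZATION="Example Company"
SSL_REQ_ORGANIZATIONALUNIT="Example Department"
SSL_REQ_COMMONNAME="example.com"
SSL_REQ_EMAIL="webmaster@example.com"
# The private key is written UNENCRYPTED (-nodes) so nginx can load it without a passphrase.
# Make sure the file is created without group/world read bits (this umask persists for the shell session).
umask 077
# Generate key and CSR (scripted) all-in-one
openssl req -new -nodes -sha256 \
  -newkey rsa:4096 \
  -keyout "${SSL_KEY}" \
  -out "${SSL_CSR}" \
  -subj "/C=${SSL_REQ_COUNTRY}/ST=${SSL_REQ_STATE}/L=${SSL_REQ_LOCALITY}/O=${SSL_REQ_ORGANIZATION}/OU=${SSL_REQ_ORGANIZATIONALUNIT}/CN=${SSL_REQ_COMMONNAME}/emailAddress=${SSL_REQ_EMAIL}"
# NOTE: clients match hostnames against subjectAltName, not CN, and CA behaviour on a CSR without a
# SAN varies. With OpenSSL 1.1.1+ add the SAN directly to either req command above:
#   -addext "subjectAltName=DNS:${SSL_REQ_COMMONNAME},DNS:www.${SSL_REQ_COMMONNAME}"
# Generate CSR (scripted) key creation separate
openssl genrsa -out "${SSL_KEY}" 4096
openssl req -new -sha256 \
  -key "${SSL_KEY}" \
  -out "${SSL_CSR}" \
  -subj "/C=${SSL_REQ_COUNTRY}/ST=${SSL_REQ_STATE}/L=${SSL_REQ_LOCALITY}/O=${SSL_REQ_ORGANIZATION}/OU=${SSL_REQ_ORGANIZATIONALUNIT}/CN=${SSL_REQ_COMMONNAME}/emailAddress=${SSL_REQ_EMAIL}"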
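# Certificate Renewal
SSL_KEY="/etc/nginx/ssl/www.example.com.key"
SSL_CSR="/etc/nginx/ssl/www.example.com.csr"
SSL_EXISTING_CRT="/etc/nginx/ssl/www.example.com.crt"
# preserve file modification timestamp when copying file
# ("date -r FILE" is GNU date; on macOS/BSD use: stat -f %Sm -t %Y "${SSL_CSR}")
OLD_CSR_MODIFY_YEAR=$(date +%Y -r "${SSL_CSR}")
echo "${OLD_CSR_MODIFY_YEAR}"
# NOTE: a second renewal within the same year overwrites these backups
cp -p "${SSL_CSR}" "${SSL_CSR}-${OLD_CSR_MODIFY_YEAR}"
cp -p "${SSL_EXISTING_CRT}" "${SSL_EXISTING_CRT}-${OLD_CSR_MODIFY_YEAR}"
# Generate new CSR from existing Certificate
# -signkey reuses the existing private key: this renews the certificate WITHOUT rotating the key.
# If the key may have been exposed, generate a fresh key and CSR instead (see the section above).
# NOTE(review): -x509toreq does not appear to carry X509v3 extensions such as subjectAltName into the
# CSR (newer OpenSSL has -copy_extensions) -- confirm in the CSR text printed below.
# Refuse to sign with a key that does not belong to the certificate being renewed.
if [ "$(openssl x509 -noout -modulus -in "${SSL_EXISTING_CRT}" | openssl md5)" = \
     "$(openssl rsa  -noout -modulus -in "${SSL_KEY}" | openssl md5)" ]; then
  openssl x509 -x509toreq -in "${SSL_EXISTING_CRT}" -signkey "${SSL_KEY}" -out "${SSL_CSR}"
else
  echo "refusing to renew: ${SSL_KEY} does not match ${SSL_EXISTING_CRT}" >&2
fi
# Human Readable Output of CSR
openssl req -text -in "${SSL_CSR}"
# CSR Text
cat "${SSL_CSR}"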