SSL Certificate Validation
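# Verify SSL
# The private key, CSR and certificate must all carry the same modulus: the
# three digests printed below have to be identical, otherwise the files do
# not belong together.
ssl_domain=mydomainnametotest.com
openssl rsa  -noout -modulus -in "${ssl_domain}.key" | openssl md5
openssl req  -noout -modulus -in "${ssl_domain}.csr" | openssl md5
openssl x509 -noout -modulus -in "${ssl_domain}.crt" | openssl md5
# -modulus only applies to RSA keys; for any key type compare the public keys instead:
# openssl pkey -pubout -in "${ssl_domain}.key"       | openssl sha256
# openssl req  -noout -pubkey -in "${ssl_domain}.csr" | openssl sha256
# openssl x509 -noout -pubkey -in "${ssl_domain}.crt" | openssl sha256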
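# Output text of certificate
# (-text prints the decoded fields followed by the PEM block; add -noout to drop the PEM)
openssl x509 -text -in "/etc/nginx/ssl/${ssl_domain}.crt"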
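# Get details of all certs in .crt bundle file to verify certificate chain
# Compare the Issuer of the domain certificate with the Subject of the intermediate certificate
# Each PEM block is written to openssl's stdin through a list-form pipe, so the
# file contents are never interpolated into a shell command line (the previous
# `echo "$input" | openssl ...` backtick form would execute any shell
# metacharacters found in the bundle).
perl -e '
$| = 1;   # flush our own output before openssl writes to the shared stdout
my $pem = "";
my $n = 1;
while (my $line = <STDIN>) {
    $pem .= $line;
    next unless $line =~ /^\-+END(\s\w+)?\sCERTIFICATE\-+$/;
    print "Certificate $n:\n";
    open(my $to_openssl, "|-", "openssl", "x509", "-noout",
         "-subject", "-subject_hash", "-issuer", "-issuer_hash", "-dates")
        or die "cannot run openssl: $!";
    print {$to_openssl} $pem;
    close($to_openssl) or warn "openssl x509 failed for certificate $n\n";
    print "\n";
    $pem = "";
    $n++;
}
' < "/etc/nginx/ssl/${ssl_domain}.crt"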
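# Walk the bundle and check that each certificate's issuer hash equals the
# next certificate's subject hash (leaf first, then the intermediates).
# The original compared with the numeric != operator (always false on strings)
# and only ever looked at the last certificate's own issuer/subject pair.
# NOTE: equal name hashes only show the chain is ordered consistently; they do
# not prove the signatures -- use `openssl verify -untrusted` for that.
perl -MFile::Temp=tempfile -e '
$| = 1;
# Run `openssl x509 -noout -<field> -in <path>` and return its first output line ("" on failure).
sub x509_hash {
    my ($field, $path) = @_;
    open(my $out, "-|", "openssl", "x509", "-noout", "-$field", "-in", $path)
        or die "cannot run openssl: $!";
    my $hash = <$out>;
    close($out);
    return "" unless defined $hash;
    chomp($hash);
    return $hash;
}
my $pem = "";
my @subject;
my @issuer;
while (my $line = <STDIN>) {
    $pem .= $line;
    next unless $line =~ /^\-+END(\s\w+)?\sCERTIFICATE\-+$/;
    # hand the PEM block to openssl via a temp file instead of a shell string
    my ($fh, $path) = tempfile(UNLINK => 1);
    print {$fh} $pem;
    close($fh) or die "cannot write $path: $!";
    push @subject, x509_hash("subject_hash", $path);
    push @issuer,  x509_hash("issuer_hash",  $path);
    $pem = "";
}
die "need at least two certificates to compare\n" if @subject < 2;
for my $i (0 .. $#subject - 1) {
    my ($this, $next) = ($i + 1, $i + 2);
    if ($issuer[$i] ne "" && $issuer[$i] eq $subject[$i + 1]) {
        print "certificate $this issuer matches certificate $next subject\n";
    } else {
        print "issuer subject mismatch between certificate $this and certificate $next\n";
    }
}
' < "/etc/nginx/ssl/${ssl_domain}.crt"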
# print details of a request (paste the CSR between the markers)
openssl req -text <<'EOF'
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
EOF
# print details of a certificate (paste the certificate between the markers)
openssl x509 -text <<'EOF'
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
EOF
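# compare multiple certificates for chain certificate issuer validation
# (paste one or more PEM certificates between the markers)
# Each PEM block is written to openssl's stdin through a list-form pipe, so the
# pasted text is never interpolated into a shell command line.
perl -e '
$| = 1;   # flush our own output before openssl writes to the shared stdout
my $pem = "";
my $n = 1;
while (my $line = <STDIN>) {
    $pem .= $line;
    next unless $line =~ /^\-+END(\s\w+)?\sCERTIFICATE\-+$/;
    print "Certificate $n:\n";
    open(my $to_openssl, "|-", "openssl", "x509", "-noout",
         "-subject", "-subject_hash", "-issuer", "-issuer_hash", "-dates")
        or die "cannot run openssl: $!";
    print {$to_openssl} $pem;
    close($to_openssl) or warn "openssl x509 failed for certificate $n\n";
    print "\n";
    $pem = "";
    $n++;
}
' <<'EOF'
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
EOF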
# Use curl to check SSL
ssl_domain="example.com"
ssl_ip_address="1.2.3.4"
# --resolve pins the host name to the given address, so the certificate for
# ${ssl_domain} is exercised on that specific server (useful before a DNS cut-over).
# --verbose writes the handshake and certificate details to stderr; the body is discarded.
curl --silent --verbose \
    --resolve "${ssl_domain}:443:${ssl_ip_address}" \
    --output /dev/null \
    "https://${ssl_domain}/"
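# use openssl to connect directly to the server (interactive; Ctrl-D ends the session)
# -servername sends SNI explicitly so a name-based virtual host returns the right certificate
openssl s_client -connect "${ssl_domain}:443" -servername "${ssl_domain}"
# display the leaf certificate with SNI support
# note: -showcerts emits the whole chain, but `openssl x509` only parses the first PEM block
echo | openssl s_client -showcerts -servername "${ssl_domain}" -connect "${ssl_domain}:443" 2>/dev/null | openssl x509 -inform pem -noout -text
# display subject and issuer of every certificate the server sent
echo | openssl s_client -showcerts -servername "${ssl_domain}" -connect "${ssl_domain}:443" 2>/dev/null | openssl crl2pkcs7 -nocrl -certfile /dev/stdin | openssl pkcs7 -print_certs -noout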
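# Nice reference for explaining how to get all the pieces together manually for verifying against a CRL
# https://raymii.org/s/articles/OpenSSL_manually_verify_a_certificate_against_a_CRL.html
# export all user certificates from the MacOs keychain
security export -t certs -o certs.pem
# Target to verify. Only one pair may be active: a second assignment silently
# overrides the first, so alternative targets are kept as comments.
#ssl_domain="www.microsoft.com"
#ssl_port="443"
ssl_domain="test-sspev.verisign.com"
ssl_port="2443"
# Trusted root store, chosen by platform (previously both assignments ran and
# the MacOs path always won, even on Linux).
case "$(uname -s)" in
    Darwin)
        # For MacOs
        # Use Keychain Access to export all trusted root certificates to a file ExportedTrustedRootCAsFromKeychain.pem
        # http://movingpackets.net/2015/03/18/telling-openssl-about-your-root-certificates/
        trusted_root_cas="/temp/ExportedTrustedRootCAsFromKeychain.pem"
        ;;
    *)
        # For Linux
        # get default openssl directory; the bundle file name inside it varies by
        # distribution, adjust cert.pem if your distribution names it differently
        ca_path=$(openssl version -d | perl -nle 'print $& if m{(?<=OPENSSLDIR: ").+(?=")}')
        trusted_root_cas="${ca_path}/cert.pem"
        ;;
esac
[ -r "${trusted_root_cas}" ] || echo "trusted root store not readable: ${trusted_root_cas}" >&2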
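# Build the inputs for `openssl verify` from one connection to ${ssl_domain}:
# - temp_all_certs.pem : every PEM block the server sent (leaf first, then its chain)
# - temp_domain.crt    : the leaf certificate only
# - temp_chain.pem     : the remaining (intermediate) certificates
# - temp_crl.pem       : the CRL named in the leaf's CRL Distribution Points, converted to PEM
# The intermediates are passed with -untrusted instead of being concatenated
# into -CAfile as before: anything in -CAfile is treated as a trust anchor, and
# the server-supplied intermediates must not be trusted just because they were sent.
openssl s_client -connect "${ssl_domain}:${ssl_port}" -servername "${ssl_domain}" -showcerts 2>&1 < /dev/null | \
    awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' | \
    tr -d '\000' > temp_all_certs.pem
# first PEM block is the leaf certificate
perl -0777 -ne 'print $& if m{-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----\n}s' temp_all_certs.pem > temp_domain.crt
# everything after the first block is the chain sent by the server
perl -0777 -ne 'print $& if m{(?<=-----END CERTIFICATE-----\n)-----BEGIN CERTIFICATE-----.+}s' temp_all_certs.pem > temp_chain.pem
# - extract the first CRL URI from the leaf
# - retrieve the CRL and convert it from DER to PEM (most published CRLs are DER;
#   drop "-inform DER" if the one you fetch is already PEM)
# The CRL itself is signed by the CA, so fetching it over plain http is fine;
# `openssl verify` checks that signature.
openssl x509 -noout -text -in temp_domain.crt | grep -A 4 'X509v3 CRL Distribution Points' | \
    perl -nle 'print $& if m{(?<=URI:)\S+\.crl}' | head -n 1 | \
    xargs -n 1 wget -q -O - | \
    openssl crl -inform DER -outform PEM > temp_crl.pem
[ -s temp_crl.pem ] || echo "no CRL retrieved for ${ssl_domain}; -crl_check will fail" >&2
# openssl verify: chain must end at a root in ${trusted_root_cas}; the leaf is
# checked against the CRL (-crl_check_all would also require CRLs for the intermediates)
openssl verify -verbose -crl_check \
    -CAfile "${trusted_root_cas}" \
    -untrusted temp_chain.pem \
    -CRLfile temp_crl.pem \
    temp_domain.crt
# remove temp files used to verify cert
rm -f temp_all_certs.pem temp_domain.crt temp_chain.pem temp_crl.pem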
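# Certificate Request Values
SSL_KEY="/etc/nginx/ssl/www.example.com.key"
SSL_CSR="/etc/nginx/ssl/www.example.com.csr"
SSL_REQ_COUNTRY="US"
SSL_REQ_STATE="Missouri"
SSL_REQ_LOCALITY="Springfield"
SSL_REQ_ORGANIZATION="Example Company"
SSL_REQ_ORGANIZATIONALUNIT="Example Department"
SSL_REQ_COMMONNAME="example.com"
SSL_REQ_EMAIL="webmaster@example.com"
# Subject DN built once and shared by both variants below.
# "/" separates the fields, so a value containing "/" has to be escaped as "\/".
SSL_REQ_SUBJECT="/C=${SSL_REQ_COUNTRY}/ST=${SSL_REQ_STATE}/L=${SSL_REQ_LOCALITY}/O=${SSL_REQ_ORGANIZATION}/OU=${SSL_REQ_ORGANIZATIONALUNIT}/CN=${SSL_REQ_COMMONNAME}/emailAddress=${SSL_REQ_EMAIL}"
# Generate key and CSR (scripted) all-in-one
# -nodes leaves the private key unencrypted (needed for an unattended nginx
# start), so the file mode is restricted explicitly instead of relying on the umask.
openssl req -new -nodes -sha256 \
    -newkey rsa:4096 \
    -keyout "${SSL_KEY}" \
    -out "${SSL_CSR}" \
    -subj "${SSL_REQ_SUBJECT}"
chmod 600 "${SSL_KEY}"
# Generate CSR (scripted) key creation separate
openssl genrsa -out "${SSL_KEY}" 4096
chmod 600 "${SSL_KEY}"
openssl req -new -sha256 \
    -key "${SSL_KEY}" \
    -out "${SSL_CSR}" \
    -subj "${SSL_REQ_SUBJECT}"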
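# Certificate Renewal
SSL_KEY="/etc/nginx/ssl/www.example.com.key"
SSL_CSR="/etc/nginx/ssl/www.example.com.csr"
SSL_EXISTING_CRT="/etc/nginx/ssl/www.example.com.crt"
# preserve file modification timestamp when copying file
# (`date -r FILE` is GNU date; on MacOs use: stat -f %Sm -t %Y "${SSL_CSR}")
OLD_CSR_MODIFY_YEAR=$(date +%Y -r "${SSL_CSR}")
echo "${OLD_CSR_MODIFY_YEAR}"
cp -p "${SSL_CSR}" "${SSL_CSR}-${OLD_CSR_MODIFY_YEAR}"
cp -p "${SSL_EXISTING_CRT}" "${SSL_EXISTING_CRT}-${OLD_CSR_MODIFY_YEAR}"
# Generate new CSR from existing Certificate
# NOTE: the subject is carried over, but the certificate's extensions (e.g.
# subjectAltName) are not copied into the request by default -- confirm the
# names in the text output below before submitting the CSR.
openssl x509 -x509toreq -in "${SSL_EXISTING_CRT}" -signkey "${SSL_KEY}" -out "${SSL_CSR}"
# Human Readable Output of CSR
openssl req -text -in "${SSL_CSR}"
# CSR Text
cat "${SSL_CSR}"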