check in kubernetes certifactes as well
verify local cert
s_client
$ openssl s_client -state -msg -connect my.server.com:443
with cert debug
$ openssl s_client -state \
-debug \
-connect my.server.com:443 \
-cert my.server.com-server.crt \
-key my.server.com-server.key \
curl
$ curl -vvv \
[--cacert server.crt \]
https://my.server.com:443/artifactory
- or
$ curl -vvv \ -i \ -L \ [--cacert server.crt \] \ https://my.server.com:443/artifactory
openssl
get crt information
ca.crt
$ openssl verify ca.crt
- or
$ openssl x509 -noout -text -in ca.crt
- or
server.crt
$ openssl x509 -inform PEM \ -in server.crt \ -text \ -out certdata.pem
get csr information
$ openssl req -noout -text -in server.csr
java ssl
to add cert into Java for Java services (i.e.: Jenkins)
reference:
// SSLPoke.java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.*;
/** Establish a SSL connection to a host and port, writes a byte and
* prints the response. See
* http://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services
*/
public class SSLPoke {
public static void main(String[] args) {
if (args.length != 2) {
System.out.println("Usage: "+SSLPoke.class.getName()+" <host> <port>");
System.exit(1);
}
try {
SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(args[0], Integer.parseInt(args[1]));
SSLParameters sslparams = new SSLParameters();
sslparams.setEndpointIdentificationAlgorithm("HTTPS");
sslsocket.setSSLParameters(sslparams);
InputStream in = sslsocket.getInputStream();
OutputStream out = sslsocket.getOutputStream();
// Write a test byte to get a reaction :)
out.write(1);
while (in.available() > 0) {
System.out.print(in.read());
}
System.out.println("Successfully connected");
} catch (Exception exception) {
exception.printStackTrace();
System.exit(1);
}
}
}
- extract cert from server:
$ openssl s_client -connect server:443
- negative test cert/keytool:
$ java SSLPoke server 443
- you should get something like
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- you should get something like
- import cert into default keytool:
$ keytool -import -alias alias.server.com -keystore $JAVA_HOME/jre/lib/security/cacerts
positive test cert / keytool:
java SSLPoke server 443 // you should get this: // Successfully connected
import certificate into your local TrustStore
-Djavax.net.ssl.trustStore
will override the default truststore (cacerts). copy the default one and then add cert and set it via-Djavax.net.ssl.trustStore
so default CA won't be lost.$ keytool -import \ -trustcacerts \ -storepass changeit \ -file "./class 1 root ca.cer" \ -alias C1_ROOT_CA \ -keystore ./LocalTrustStore # use it in JAVA: $ java -Djavax.net.ssl.trustStore=./LocalTrustStore -jar SSLPoke.jar $HOST $PORT
list expired date for all in cacerts
$ keytool --list -v --keystore cacerts | grep "until:" | sed 's/^.*until: //'
InstallCert.java
reference:
compile first
$ javac InstallCert.java
- Access server, and retrieve certificate (accept default certificate 1)
$ java InstallCert [host]:[port]
- Extract certificate from created jssecacerts keystore
$ keytool -exportcert -alias [host]-1 -keystore jssecacerts -storepass changeit -file [host].cer
- Import certificate into system keystore
$ keytool -importcert -alias [host] -keystore [path to system keystore] -storepass changeit -file [host].cer
verify remote cert
openssl & s_client
$ openssl s_client -showcerts -connect www.domain.com:443
or
$ openssl s_client -showcerts \ -starttls imap \ -connect www.domain.com:443 CONNECTED(00000005)
or using local client cert for debug purpose
$ openssl s_client -showcerts \ -cert cert.cer \ -key cert.key \ -connect www.domain.com:443
-
$ openssl s_client -connect www.domain.com:443 | openssl x509 -text -noout | grep -A 1 -i key
or use specify acceptable ciphers for ssl handshake
$ openssl s_client -showcerts \ -cipher DHE-RSA-AES256-SHA \ -connect www.domain.com:443
or get
enddate
only$ echo | openssl s_client \ -connect www.domain.com:443 2>/dev/null | openssl x509 -noout -enddate notAfter=Nov 28 23:59:59 2020 GMT
verify certs
$ echo | openssl s_client -showcerts \
-servername www.domain.com \
-connect www.domain.com:443 2>/dev/null |
openssl x509 -inform pem -noout -text
- get ssl only
$ echo | openssl s_client -showcerts \ -connect www.domain.com:443 2>/dev/null | sed -n '/BEGIN.*-/,/END.*-/p'
curl
$ curl -vvI https://www.domain.com
- print ssl only
$ curl --insecure \ -vvI https://www.domain.com 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
keytool
$ keytool -printcert -sslserver www.domain.com:443
nmap
$ nmap -p 443 --script ssl-cert www.domain.com [-v]