verify local cert

s_client

$ openssl s_client -state -msg -connect my.server.com:443

with cert debug

$ openssl s_client -state \
                   -debug \
                   -connect my.server.com:443 \
                   -cert my.server.com-server.crt \
                   -key my.server.com-server.key \

curl

$ curl -vvv \
       [--cacert server.crt \]
       https://my.server.com:443/artifactory
  • or
    $ curl -vvv \
           -i \
           -L \
           [--cacert server.crt \] \
           https://my.server.com:443/artifactory
    

openssl

get crt information

  • ca.crt

    $ openssl verify ca.crt
    
    • or
      $ openssl x509 -noout -text -in ca.crt
      
  • server.crt

    $ openssl x509 -inform PEM \
                   -in server.crt \
                   -text \
                   -out certdata.pem
    

get csr information

$ openssl req -noout -text -in server.csr

java ssl

SSLPoke.java
// SSLPoke.java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.*;

/** Establish a SSL connection to a host and port, writes a byte and
 * prints the response. See
 * http://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services
 */
public class SSLPoke {
  public static void main(String[] args) {
    if (args.length != 2) {
      System.out.println("Usage: "+SSLPoke.class.getName()+" <host> <port>");
      System.exit(1);
    }
    try {
      SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
      SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(args[0], Integer.parseInt(args[1]));

      SSLParameters sslparams = new SSLParameters();
      sslparams.setEndpointIdentificationAlgorithm("HTTPS");
      sslsocket.setSSLParameters(sslparams);

      InputStream in = sslsocket.getInputStream();
      OutputStream out = sslsocket.getOutputStream();

      // Write a test byte to get a reaction :)
      out.write(1);

      while (in.available() > 0) {
        System.out.print(in.read());
      }
      System.out.println("Successfully connected");

    } catch (Exception exception) {
        exception.printStackTrace();
        System.exit(1);
    }
  }
}
  • extract cert from server:
    $ openssl s_client -connect server:443
    
  • negative test cert/keytool:
    $ java SSLPoke server 443
    
    • you should get something like
      javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      
  • import cert into default keytool:
    $ keytool -import -alias alias.server.com -keystore $JAVA_HOME/jre/lib/security/cacerts
    
  • positive test cert / keytool:

    java SSLPoke server 443
    
    // you should get this:
    // Successfully connected
    
  • import certificate into your local TrustStore

    -Djavax.net.ssl.trustStore will override the default truststore (cacerts). copy the default one and then add cert and set it via -Djavax.net.ssl.trustStore so default CA won't be lost.

    $ keytool -import \
              -trustcacerts \
              -storepass changeit \
              -file "./class 1 root ca.cer" \
              -alias C1_ROOT_CA \
              -keystore ./LocalTrustStore
    
    # use it in JAVA:
    $ java -Djavax.net.ssl.trustStore=./LocalTrustStore -jar SSLPoke.jar $HOST $PORT
    
  • list expired date for all in cacerts

    $ keytool --list -v --keystore cacerts | grep "until:" | sed 's/^.*until: //'
    

InstallCert.java

reference:

compile first

$ javac InstallCert.java
  • Access server, and retrieve certificate (accept default certificate 1)
    $ java InstallCert [host]:[port]
    
  • Extract certificate from created jssecacerts keystore
    $ keytool -exportcert -alias [host]-1 -keystore jssecacerts -storepass changeit -file [host].cer
    
  • Import certificate into system keystore
    $ keytool -importcert -alias [host] -keystore [path to system keystore] -storepass changeit -file [host].cer
    

verify remote cert

openssl & s_client

$ openssl s_client -showcerts -connect www.domain.com:443
  • or

    $ openssl s_client -showcerts \
                       -starttls imap \
                       -connect www.domain.com:443
    CONNECTED(00000005)
    
  • or using local client cert for debug purpose

    $ openssl s_client -showcerts \
                       -cert cert.cer \
                       -key cert.key \
                       -connect www.domain.com:443
    
  • or

     $ openssl s_client -connect www.domain.com:443 |
       openssl x509 -text -noout |
       grep -A 1 -i key
    
  • or use specify acceptable ciphers for ssl handshake

    $ openssl s_client -showcerts \
                       -cipher DHE-RSA-AES256-SHA \
                       -connect www.domain.com:443
    
  • or get enddate only

    $ echo | openssl s_client \
                     -connect www.domain.com:443 2>/dev/null |
             openssl x509 -noout -enddate
    notAfter=Nov 28 23:59:59 2020 GMT
    

verify certs

$ echo | openssl s_client -showcerts \
                          -servername www.domain.com \
                          -connect www.domain.com:443 2>/dev/null |
         openssl x509 -inform pem -noout -text
  • get ssl only
    $ echo | openssl s_client -showcerts \
                              -connect www.domain.com:443 2>/dev/null |
                              sed -n '/BEGIN.*-/,/END.*-/p'
    

curl

$ curl -vvI https://www.domain.com
  • print ssl only
    $ curl --insecure \
           -vvI https://www.domain.com 2>&1 |
      awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
    

keytool

$ keytool -printcert -sslserver www.domain.com:443

nmap

$ nmap -p 443 --script ssl-cert www.domain.com [-v]
Copyright © marslo 2020-2023 all right reserved,powered by GitbookLast Modified: 2024-03-12 15:01:28

results matching ""

    No results matching ""