verification

verify local cert

openssl s_client

$ openssl s_client -state -msg -connect domain.com:443

debug mode

$ openssl s_client -state \
                   -debug \
                   -connect domain.com:443 \
                   -cert domain.com-server.crt \
                   -key domain.com-server.key

curl

$ curl -vvv \
       [--cacert server.crt] \
       https://domain.com:443/artifactory
  • or

    $ curl -vvv \
           -i \
           -L \
           [--cacert server.crt] \
           https://domain.com:443/artifactory

openssl

get crt information

  • ca.crt

    $ openssl verify ca.crt
    • or

      $ openssl x509 -noout -text -in ca.crt
  • server.crt

    $ openssl x509 -inform PEM \
                   -in server.crt \
                   -text \
                   -out certdata.pem

get csr information

$ openssl req -noout -text -in server.csr

java ssl

// SSLPoke.java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.*;

/** Establishes an SSL connection to a host and port, writes a byte and
 * prints the response. See
 * http://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services
 */
public class SSLPoke {
  public static void main(String[] args) {
    if (args.length != 2) {
      System.out.println("Usage: "+SSLPoke.class.getName()+" <host> <port>");
      System.exit(1);
    }
    try {
      SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
      SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(args[0], Integer.parseInt(args[1]));

      SSLParameters sslparams = new SSLParameters();
      sslparams.setEndpointIdentificationAlgorithm("HTTPS");
      sslsocket.setSSLParameters(sslparams);

      InputStream in = sslsocket.getInputStream();
      OutputStream out = sslsocket.getOutputStream();

      // Write a test byte to get a reaction :)
      out.write(1);

      while (in.available() > 0) {
        System.out.print(in.read());
      }
      System.out.println("Successfully connected");

    } catch (Exception exception) {
      exception.printStackTrace();
      System.exit(1);
    }
  }
}
  • extract cert from server:

    $ openssl s_client -connect server:443
  • negative test cert/keytool:

    $ java SSLPoke server 443
    • you should get something like

      javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  • import the extracted cert into the default cacerts keystore:

    $ keytool -import -alias alias.server.com -file server.crt -keystore $JAVA_HOME/jre/lib/security/cacerts
  • positive test cert / keytool:

    $ java SSLPoke server 443
    • you should get this:

      Successfully connected
  • import certificate into your local TrustStore

    -Djavax.net.ssl.trustStore replaces the default truststore (cacerts) entirely. Copy the default one, add the cert to the copy, then point -Djavax.net.ssl.trustStore at the copy so the default CAs are not lost.

    $ keytool -import \
              -trustcacerts \
              -storepass changeit \
              -file "./class 1 root ca.cer" \
              -alias C1_ROOT_CA \
              -keystore ./LocalTrustStore
    
    # use it in Java:
    $ java -Djavax.net.ssl.trustStore=./LocalTrustStore -jar SSLPoke.jar $HOST $PORT
  • list the expiry date of every entry in cacerts

    $ keytool -list -v -keystore cacerts | grep "until:" | sed 's/^.*until: //'

reference:

compile first

$ javac InstallCert.java
  • Access the server and retrieve its certificate (accept the default certificate 1)

    $ java InstallCert [host]:[port]
  • Extract certificate from created jssecacerts keystore

    $ keytool -exportcert -alias [host]-1 -keystore jssecacerts -storepass changeit -file [host].cer
  • Import certificate into system keystore

    $ keytool -importcert -alias [host] -keystore [path to system keystore] -storepass changeit -file [host].cer

verify remote cert

openssl s_client

$ openssl s_client -showcerts -connect <domain.com>:<port>
  • or

    $ openssl s_client -showcerts \
                       -starttls imap \
                       -connect <domain.com>:<port>
    CONNECTED(00000005)
  • or using local client cert for debug purpose

    $ openssl s_client -showcerts \
                       -cert cert.cer \
                       -key cert.key \
                       -connect <domain.com>:<port>
  • or

    $ openssl s_client -connect <domain.com>:<port> |
      openssl x509 -text -noout |
      grep -A 1 -i key

  • or specify the acceptable ciphers for the SSL handshake

    $ openssl s_client -showcerts \
                       -cipher DHE-RSA-AES256-SHA \
                       -connect <domain.com>:<port>
  • or get enddate only

    $ echo | openssl s_client \
                     -connect <domain.com>:<port> 2>/dev/null |
             openssl x509 -noout -enddate
    notAfter=Nov 28 23:59:59 2020 GMT

verify certs

$ echo | openssl s_client -showcerts \
                          -servername www.domain.com \
                          -connect <domain.com>:<port> 2>/dev/null |
         openssl x509 -inform pem -noout -text
  • get ssl only

    $ echo | openssl s_client -showcerts \
                              -connect <domain.com>:<port> 2>/dev/null |
                              sed -n '/BEGIN.*-/,/END.*-/p'
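The following script is an added example and not part of these notes. It ties together the local checks from "get crt information" / "get csr information" and the remote checks above: it builds a throwaway CA and a server certificate signed by it (the names `Demo Root CA` and `domain.com` and every file under `$WORK` are constructed here), then wraps the checks as shell functions: `openssl verify` with and without the CA file, hostname matching with `-verify_hostname`, CN extraction from a CSR or certificate, expiry via `openssl x509 -checkend`, and splitting the PEM blocks out of `-showcerts` style output. The `remote_cert` helper is the `s_client -servername` pipeline from above; it needs network access, so it is defined but not run. Only `openssl` is required.

```sh
#!/bin/sh
# Added example, not part of the original notes. Builds a throwaway CA and a
# server certificate signed by it (all names and paths here are constructed),
# then runs the checks from the notes as functions: chain verification with
# and without the CA, hostname matching, CSR/cert subject, expiry, and
# splitting PEM blocks out of `openssl s_client -showcerts` style output.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config: the [ca] section makes `req -x509` emit a real CA cert
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/req.cnf"
# Leaf extensions: a SAN for hostname checks, and explicitly not a CA
printf 'subjectAltName=DNS:domain.com\nbasicConstraints=CA:FALSE\n' > "$WORK/server.ext"

# 1. self-signed root CA, valid 30 days
openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Demo Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
# 2. server key and CSR (what `openssl req -noout -text -in server.csr` inspects)
openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
  -subj "/CN=domain.com" -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
# 3. sign the CSR with the CA, valid 10 days
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 10 -extfile "$WORK/server.ext" -out "$WORK/server.crt" >/dev/null 2>&1

# verify_chain CERT [CAFILE] -> ok|fail. Without CAFILE only the system trust
# store is consulted, so a private CA's certificates fail there.
verify_chain() {
  cert=$1; cafile=${2:-}
  if [ -n "$cafile" ]; then
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify "$cert" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

# verify_hostname CERT CAFILE NAME -> ok|fail: chain check plus SAN/CN match
verify_hostname() {
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1 && echo ok || echo fail
}

# cn_of x509|req FILE -> the CN from a certificate or a CSR subject
cn_of() {
  openssl "$1" -in "$2" -noout -subject | sed 's/.*CN *= *//'
}

# cert_field CERT FIELD -> one x509 field, e.g. enddate, startdate, serial
cert_field() {
  openssl x509 -in "$1" -noout "-$2"
}

# cert_expires_within CERT SECONDS -> yes|no, from the exit status of -checkend
cert_expires_within() {
  if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then echo no; else echo yes; fi
}

# split_pem_chain INPUT OUTDIR -> count of certificates written to OUTDIR/chain-N.pem
# in the order the server sent them (leaf first); s_client chatter is dropped
split_pem_chain() {
  awk -v dir="$2" '
    BEGIN { n = 0 }
    /-----BEGIN CERTIFICATE-----/ { out = dir "/chain-" n ".pem"; n++ }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { close(out); out = "" }
    END { print n }' "$1"
}

# remote_cert HOST PORT OUTFILE: leaf certificate of a live server, with SNI set.
# Needs network access, so it is defined but not exercised here.
remote_cert() {
  echo | openssl s_client -servername "$1" -connect "$1:$2" 2>/dev/null |
    openssl x509 -outform PEM > "$3"
}

# Constructed stand-in for `openssl s_client -showcerts` output
{
  echo "CONNECTED(00000005)"
  echo " 0 s:CN = domain.com"
  cat "$WORK/server.crt"
  echo " 1 s:CN = Demo Root CA"
  cat "$WORK/ca.crt"
  echo "---"
} > "$WORK/showcerts.txt"

verify_chain "$WORK/server.crt"                               # fail
verify_chain "$WORK/server.crt" "$WORK/ca.crt"                # ok
verify_hostname "$WORK/server.crt" "$WORK/ca.crt" domain.com  # ok
cn_of req "$WORK/server.csr"                                  # domain.com
cert_field "$WORK/server.crt" enddate                         # notAfter=<date>
cert_expires_within "$WORK/server.crt" 86400                  # no
split_pem_chain "$WORK/showcerts.txt" "$WORK"                 # 2
```

The first `verify_chain` call fails because `openssl verify` without `-CAfile` consults only the system trust store, which is exactly the `unable to get local issuer certificate` situation a private CA produces until the CA is supplied. `-checkend` turns the `notAfter` string from the "get enddate only" pipeline into an exit status, which is what a monitoring script should branch on rather than parsing the date text.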

curl

$ curl -vvI https://www.domain.com
  • print ssl only

    $ curl --insecure \
           -vvI https://www.domain.com 2>&1 |
      awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'

keytool

$ keytool -printcert -sslserver <domain.com>:<port>

nmap

$ nmap -p 443 --script ssl-cert www.domain.com [-v]
