verification

check in kubernetes certifactes as well

verify local cert

`openssl s_client`

$ openssl s_client -state -msg -connect domain.com:443

debug mode

$ openssl s_client -state \
                   -debug \
                   -connect domain.com:443 \
                   -cert domain.com-server.crt \
                   -key domain.com-server.key \

curl

$ curl -vvv \
       [--cacert server.crt \]
       https://domain.com:443/artifactory

$ curl -vvv \
       -i \
       -L \
       [--cacert server.crt \] \
       https://domain.com:443/artifactory

openssl

get crt information

ca.crt

$ openssl verify ca.crt

or
```
$ openssl x509 -noout -text -in ca.crt
```

server.crt

$ openssl x509 -inform PEM \
               -in server.crt \
               -text \
               -out certdata.pem

get csr information

$ openssl req -noout -text -in server.csr

java ssl

to add cert into Java for Java services (i.e.: Jenkins)

reference:
Unable to Connect to SSL Services Due to 'PKIX Path Building Failed' Error
* SSLPoke.class
4ndrej/SSLPoke.java
bric3/SSLPoke.java
klasen/sslpoke
Test of java SSL / keystore / cert setup
Code Examples
SSLSocketClient.java

// SSLPoke.java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.*;

/** Establish a SSL connection to a host and port, writes a byte and
 * prints the response. See
 * http://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services
 */
public class SSLPoke {
  public static void main(String[] args) {
    if (args.length != 2) {
      System.out.println("Usage: "+SSLPoke.class.getName()+" <host> <port>");
      System.exit(1);
    }
    try {
      SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
      SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(args[0], Integer.parseInt(args[1]));

      SSLParameters sslparams = new SSLParameters();
      sslparams.setEndpointIdentificationAlgorithm("HTTPS");
      sslsocket.setSSLParameters(sslparams);

      InputStream in = sslsocket.getInputStream();
      OutputStream out = sslsocket.getOutputStream();

      // Write a test byte to get a reaction :)
      out.write(1);

      while (in.available() > 0) {
        System.out.print(in.read());
      }
      System.out.println("Successfully connected");

    } catch (Exception exception) {
        exception.printStackTrace();
        System.exit(1);
    }
  }
}

extract cert from server:

$ openssl s_client -connect server.domain.com:443

negative test cert/keytool:

$ java SSLPoke server.domain.com 443

you should get something like

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

import cert into default keytool:

$ keytool -import -alias alias.server.com -keystore $JAVA_HOME/jre/lib/security/cacerts

positive test cert / keytool:

$ java SSLPoke server 443

# you should get this:
# Successfully connected

import certificate into your local TrustStore

-Djavax.net.ssl.trustStore will override the default truststore (cacerts). copy the default one and then add cert and set it via -Djavax.net.ssl.trustStore so default CA won't be lost.

$ keytool -import \
          -trustcacerts \
          -storepass changeit \
          -file "./class 1 root ca.cer" \
          -alias C1_ROOT_CA \
          -keystore ./LocalTrustStore

# use it in JAVA:
$ java -Djavax.net.ssl.trustStore=./LocalTrustStore -jar SSLPoke.jar $HOST $PORT

list expired date for all in cacerts

$ keytool --list -v --keystore cacerts | grep "until:" | sed 's/^.*until: //'

InstallCert.java

[!NOTE|label:reference:]
unable to find valid certification path to requested target

# compile
$ javac InstallCert.java

access server, and retrieve certificate (accept default certificate 1)
```
$ java InstallCert [host]:[port]
```

extract certificate from created jssecacerts keystore

$ keytool -exportcert -alias [host]-1 -keystore jssecacerts -storepass changeit -file [host].cer

import certificate into system keystore

$ keytool -importcert -alias [host] -keystore [path to system keystore] -storepass changeit -file [host].cer

verify remote cert

reference:
Checking A Remote Certificate Chain With OpenSSL
How to extract SSL data from any website

openssl s_client

$ openssl s_client -showcerts -connect <domain.com>:<port>

$ openssl s_client -showcerts \
                   -starttls imap \
                   -connect <domain.com>:<port>
CONNECTED(00000005)

or using local client cert for debug purpose

$ openssl s_client -showcerts \
                   -cert cert.cer \
                   -key cert.key \
                   -connect <domain.com>:<port>

 $ openssl s_client -connect <domain.com>:<port> |
   openssl x509 -text -noout |
   grep -A 1 -i key


- or use specify acceptable ciphers for ssl handshake
  ```bash
  $ openssl s_client -showcerts \
                     -cipher DHE-RSA-AES256-SHA \
                     -connect <domain.com>:<port>

or get enddate only

$ echo | openssl s_client \
                 -connect <domain.com>:<port> 2>/dev/null |
         openssl x509 -noout -enddate
notAfter=Nov 28 23:59:59 2020 GMT

verify certs

$ echo | openssl s_client -showcerts \
                          -servername www.domain.com \
                          -connect <domain.com>:<port> 2>/dev/null |
         openssl x509 -inform pem -noout -text

get ssl only

$ echo | openssl s_client -showcerts \
                          -connect <domain.com>:<port> 2>/dev/null |
                          sed -n '/BEGIN.*-/,/END.*-/p'

curl

$ curl -vvI https://www.domain.com

print ssl only

$ curl --insecure \
       -vvI https://www.domain.com 2>&1 |
  awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'

keytool

$ keytool -printcert -sslserver <domain.com>:<port>

# or
$ keytool -printcert -rfc -sslserver <domain.com>:<port>

nmap

$ nmap -p 443 --script ssl-cert www.domain.com [-v]

Previouskeystore Nextserver

Last updated 9 months ago

Was this helpful?