# verification

* [verify local cert](#verify-local-cert)
  * [`openssl s_client`](#openssl-s_client)
    * [debug mode](#debug-mode)
  * [curl](#curl)
  * [openssl](#openssl)
    * [get crt information](#get-crt-information)
    * [get csr information](#get-csr-information)
  * [java ssl](#java-ssl)
    * [InstallCert.java](#installcertjava)
* [verify remote cert](#verify-remote-cert)
  * [`openssl s_client`](#openssl-s_client-1)
    * [verify certs](#verify-certs)
  * [curl](#curl-1)
  * [keytool](#keytool)
  * [nmap](#nmap)

{% hint style="info" %}
check [kubernetes certificates](https://github.com/marslo/ibook/blob/marslo/docs/virtualization/kubernetes/certificates.html) as well
{% endhint %}

## verify local cert

### `openssl s_client`

```bash
$ openssl s_client -state -msg -connect domain.com:443
```

#### debug mode

```bash
$ openssl s_client -state \
                   -debug \
                   -connect domain.com:443 \
                   -cert domain.com-server.crt \
                   -key domain.com-server.key
```

### curl

```bash
$ curl -vvv \
       [--cacert server.crt] \
       https://domain.com:443/artifactory
```

* or

  ```bash
  $ curl -vvv \
         -i \
         -L \
         [--cacert server.crt] \
         https://domain.com:443/artifactory
  ```

### openssl

#### get crt information

* ca.crt

  ```bash
  $ openssl verify ca.crt
  ```

  * or

    ```bash
    $ openssl x509 -noout -text -in ca.crt
    ```
* server.crt

  ```bash
  $ openssl x509 -inform PEM \
                 -in server.crt \
                 -text \
                 -out certdata.pem
  ```

#### get csr information

```bash
$ openssl req -noout -text -in server.csr
```

### java ssl

{% hint style="info" %}
to add a cert into Java for Java services (i.e. Jenkins)

> reference:
>
> * [Unable to Connect to SSL Services Due to 'PKIX Path Building Failed' Error](https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-error-779355358.html)
>   * [\* SSLPoke.class](https://confluence.atlassian.com/kb/files/779355358/779355357/1/1441897666313/SSLPoke.class)
> * [4ndrej/SSLPoke.java](https://gist.github.com/4ndrej/4547029)
> * [bric3/SSLPoke.java](https://gist.github.com/bric3/4ac8d5184fdc80c869c70444e591d3de)
> * [klasen/sslpoke](https://github.com/klasen/sslpoke)
> * [Test of java SSL / keystore / cert setup](https://confluence.atlassian.com/download/attachments/117455/SSLPoke.java)
> * [Code Examples](https://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CodeExamples)
>   * [SSLSocketClient.java](https://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/samples/sockets/client/SSLSocketClient.java)
{% endhint %}

```java
// SSLPoke.java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.*;

/** Establishes an SSL connection to a host and port, writes a byte and
 * prints the response. See
 * http://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services
 */
public class SSLPoke {
  public static void main(String[] args) {
    if (args.length != 2) {
      System.out.println("Usage: "+SSLPoke.class.getName()+" <host> <port>");
      System.exit(1);
    }
    try {
      // the default factory validates against the JVM truststore
      // (cacerts, or whatever -Djavax.net.ssl.trustStore points at)
      SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
      SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(args[0], Integer.parseInt(args[1]));

      // enable hostname verification: without this only the chain is checked,
      // not that the certificate was actually issued for <host>
      SSLParameters sslparams = new SSLParameters();
      sslparams.setEndpointIdentificationAlgorithm("HTTPS");
      sslsocket.setSSLParameters(sslparams);

      InputStream in = sslsocket.getInputStream();
      OutputStream out = sslsocket.getOutputStream();

      // Write a test byte to get a reaction :) (this is what triggers the handshake)
      out.write(1);

      while (in.available() > 0) {
        System.out.print(in.read());
      }
      System.out.println("Successfully connected");

    } catch (Exception exception) {
      // a failed handshake (e.g. "PKIX path building failed") ends up here
      exception.printStackTrace();
      System.exit(1);
    }
  }
}
```

* extract cert from server:

  ```bash
  $ openssl s_client -connect server.domain.com:443 </dev/null 2>/dev/null |
    sed -n '/BEGIN.*-/,/END.*-/p' > server.crt
  ```
* negative test cert/keytool:

  ```bash
  $ java SSLPoke server.domain.com 443
  ```

  * you should get something like

    ```bash
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    ```
* import cert into default keytool:

  ```bash
  # on JDK 9+ the default keystore is $JAVA_HOME/lib/security/cacerts
  $ keytool -import -alias alias.server.com -file server.crt -keystore $JAVA_HOME/jre/lib/security/cacerts
  ```
* positive test cert / keytool:

  ```bash
  $ java SSLPoke server.domain.com 443

  # you should get this:
  # Successfully connected
  ```
* import certificate into your local TrustStore

  > `-Djavax.net.ssl.trustStore` overrides the default truststore (cacerts): copy the default one, add the cert to the copy and point `-Djavax.net.ssl.trustStore` at it, so the default CAs are not lost.

  ```bash
  $ keytool -import \
            -trustcacerts \
            -storepass changeit \
            -file "./class 1 root ca.cer" \
            -alias C1_ROOT_CA \
            -keystore ./LocalTrustStore

  # use it in JAVA:
  $ java -Djavax.net.ssl.trustStore=./LocalTrustStore -jar SSLPoke.jar $HOST $PORT
  ```
* list the expiry date of every entry in cacerts

  ```bash
  $ keytool -list -v -keystore cacerts | grep "until:" | sed 's/^.*until: //'
  ```

#### [InstallCert.java](https://github.com/escline/InstallCert)

{% hint style="info" %}

> reference:
>
> * [unable to find valid certification path to requested target](https://blogs.oracle.com/gc/unable-to-find-valid-certification-path-to-requested-target)
{% endhint %}

```bash
# compile
$ javac InstallCert.java
```

* access server, and retrieve certificate (accept default certificate 1)

  ```bash
  $ java InstallCert [host]:[port]
  ```
* extract certificate from created jssecacerts keystore

  ```bash
  $ keytool -exportcert -alias [host]-1 -keystore jssecacerts -storepass changeit -file [host].cer
  ```
* import certificate into system keystore

  ```bash
  $ keytool -importcert -alias [host] -keystore [path to system keystore] -storepass changeit -file [host].cer
  ```

## verify remote cert

{% hint style="info" %}

> reference:
>
> * [Checking A Remote Certificate Chain With OpenSSL](https://langui.sh/2009/03/14/checking-a-remote-certificate-chain-with-openssl/)
> * [How to extract SSL data from any website](https://securitytrails.com/blog/extract-ssl-data)
{% endhint %}

### `openssl s_client`

```bash
$ openssl s_client -showcerts -connect <domain.com>:<port>
```

* or

  ```bash
  $ openssl s_client -showcerts \
                     -starttls imap \
                     -connect <domain.com>:<port>
  CONNECTED(00000005)
  ```
* or using local client cert for debug purpose

  ```bash
  $ openssl s_client -showcerts \
                     -cert cert.cer \
                     -key cert.key \
                     -connect <domain.com>:<port>
  ```
* [or](https://stackoverflow.com/a/25274959/2940319)

  ```bash
  $ openssl s_client -connect <domain.com>:<port> |
    openssl x509 -text -noout |
    grep -A 1 -i key
  ```
* or specify the acceptable ciphers for the ssl handshake

  ```bash
  $ openssl s_client -showcerts \
                     -cipher DHE-RSA-AES256-SHA \
                     -connect <domain.com>:<port>
  ```

* or get `enddate` only

  ```bash
  $ echo | openssl s_client \
                   -connect <domain.com>:<port> 2>/dev/null |
           openssl x509 -noout -enddate
  notAfter=Nov 28 23:59:59 2020 GMT
  ```

#### verify certs

```bash
$ echo | openssl s_client -showcerts \
                          -servername www.domain.com \
                          -connect <domain.com>:<port> 2>/dev/null |
         openssl x509 -inform pem -noout -text
```

* get the certificate (PEM) only

  ```bash
  $ echo | openssl s_client -showcerts \
                            -connect <domain.com>:<port> 2>/dev/null |
                            sed -n '/BEGIN.*-/,/END.*-/p'
  ```
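
The `-showcerts` output above can also be checked offline. The following Python script is added here as an example (it is not part of the original page): it parses a constructed `openssl s_client -showcerts` capture, extracts the PEM blocks with the same cut as the `sed` above, checks that each certificate's issuer is the subject of the next one the server sent (a gap usually means a missing intermediate), reads the `Verify return code`, and computes the days left from an `-enddate` line.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `openssl s_client -showcerts` output (no real host);
# the base64 bodies are placeholders, not real certificates.
SAMPLE = """\
CONNECTED(00000005)
---
Certificate chain
 0 s:CN = www.domain.com
   i:C = US, O = Example, CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBplaceholderLeafCert==
-----END CERTIFICATE-----
 1 s:C = US, O = Example, CN = Example Intermediate CA
   i:C = US, O = Example Root, CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIBplaceholderIntermediateCert==
-----END CERTIFICATE-----
---
Verify return code: 0 (ok)
"""

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
ENTRY_RE = re.compile(r"^ *\d+ s:(.*)\n +i:(.*)$", re.M)

def pem_blocks(text):
    """Every PEM block, leaf first: the same cut as sed -n '/BEGIN.*-/,/END.*-/p'."""
    return PEM_RE.findall(text)

def chain_entries(text):
    """(subject, issuer) pairs from the 'Certificate chain' listing."""
    return [(s.strip(), i.strip()) for s, i in ENTRY_RE.findall(text)]

def chain_is_linked(entries):
    """Each cert's issuer must be the subject of the next cert the server sent."""
    return all(entries[k][1] == entries[k + 1][0] for k in range(len(entries) - 1))

def verify_return_code(text):
    """0 means openssl built a trusted path; any other code names the failure."""
    m = re.search(r"^Verify return code: (\d+)", text, re.M)
    return int(m.group(1)) if m else None

def days_until(not_after, now):
    """Days left from an `openssl x509 -enddate` line such as
    'notAfter=Nov 28 23:59:59 2020 GMT'; negative means already expired."""
    value = not_after.split("=", 1)[1].strip()
    expiry = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    return (expiry - now).days
```

Feed it the real capture with `openssl s_client -showcerts -connect <domain.com>:<port> </dev/null 2>/dev/null` and `chain_is_linked` plus `verify_return_code` tell you whether the server sends a complete, trusted chain.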

### curl

```bash
$ curl -vvI https://www.domain.com
```

* print the ssl/tls handshake lines only

  ```bash
  $ curl --insecure \
         -vvI https://www.domain.com 2>&1 |
    awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
  ```

### keytool

```bash
$ keytool -printcert -sslserver <domain.com>:<port>

# or
$ keytool -printcert -rfc -sslserver <domain.com>:<port>
```

### nmap

```bash
$ nmap -p 443 --script ssl-cert www.domain.com [-v]
```
