verification

check in kubernetes certifactes as well

verify local cert

openssl s_client

$ openssl s_client -state -msg -connect domain.com:443

debug mode

$ openssl s_client -state \
                   -debug \
                   -connect domain.com:443 \
                   -cert domain.com-server.crt \
                   -key domain.com-server.key \

curl

$ curl -vvv \
       [--cacert server.crt \]
       https://domain.com:443/artifactory

  • or

    $ curl -vvv \
       -i \
       -L \
       [--cacert server.crt \] \
       https://domain.com:443/artifactory

openssl

get crt information

  • ca.crt

    $ openssl verify ca.crt

    • or

      $ openssl x509 -noout -text -in ca.crt

  • server.crt

    $ openssl x509 -inform PEM \
               -in server.crt \
               -text \
               -out certdata.pem

get csr information

$ openssl req -noout -text -in server.csr

java ssl

to add cert into Java for Java services (i.e.: Jenkins)

reference:

// SSLPoke.java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.*;

/** Establish a SSL connection to a host and port, writes a byte and
 * prints the response. See
 * http://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services
 */
public class SSLPoke {
  public static void main(String[] args) {
    if (args.length != 2) {
      System.out.println("Usage: "+SSLPoke.class.getName()+" <host> <port>");
      System.exit(1);
    }
    try {
      SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
      SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(args[0], Integer.parseInt(args[1]));

      SSLParameters sslparams = new SSLParameters();
      sslparams.setEndpointIdentificationAlgorithm("HTTPS");
      sslsocket.setSSLParameters(sslparams);

      InputStream in = sslsocket.getInputStream();
      OutputStream out = sslsocket.getOutputStream();

      // Write a test byte to get a reaction :)
      out.write(1);

      while (in.available() > 0) {
        System.out.print(in.read());
      }
      System.out.println("Successfully connected");

    } catch (Exception exception) {
        exception.printStackTrace();
        System.exit(1);
    }
  }
}

  • extract cert from server:

    $ openssl s_client -connect server:443

  • negative test cert/keytool:

    $ java SSLPoke server 443

    • you should get something like

      javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

  • import cert into default keytool:

    $ keytool -import -alias alias.server.com -keystore $JAVA_HOME/jre/lib/security/cacerts

  • positive test cert / keytool:

    java SSLPoke server 443

// you should get this:
// Successfully connected

  • import certificate into your local TrustStore

    -Djavax.net.ssl.trustStore will override the default truststore (cacerts). copy the default one and then add cert and set it via -Djavax.net.ssl.trustStore so default CA won't be lost.

    $ keytool -import \
          -trustcacerts \
          -storepass changeit \
          -file "./class 1 root ca.cer" \
          -alias C1_ROOT_CA \
          -keystore ./LocalTrustStore

# use it in JAVA:
$ java -Djavax.net.ssl.trustStore=./LocalTrustStore -jar SSLPoke.jar $HOST $PORT

  • list expired date for all in cacerts

    $ keytool --list -v --keystore cacerts | grep "until:" | sed 's/^.*until: //'

InstallCert.java

reference:

compile first

$ javac InstallCert.java

  • Access server, and retrieve certificate (accept default certificate 1)

    $ java InstallCert [host]:[port]

  • Extract certificate from created jssecacerts keystore

    $ keytool -exportcert -alias [host]-1 -keystore jssecacerts -storepass changeit -file [host].cer

  • Import certificate into system keystore

    $ keytool -importcert -alias [host] -keystore [path to system keystore] -storepass changeit -file [host].cer

verify remote cert

reference:

openssl s_client

$ openssl s_client -showcerts -connect <domain.com>:<port>

  • or

    $ openssl s_client -showcerts \
                   -starttls imap \
                   -connect <domain.com>:<port>
CONNECTED(00000005)

  • or using local client cert for debug purpose

    $ openssl s_client -showcerts \
                   -cert cert.cer \
                   -key cert.key \
                   -connect <domain.com>:<port>

  • or

     $ openssl s_client -connect <domain.com>:<port> |
   openssl x509 -text -noout |
   grep -A 1 -i key

- or use specify acceptable ciphers for ssl handshake
  ```bash
  $ openssl s_client -showcerts \
                     -cipher DHE-RSA-AES256-SHA \
                     -connect <domain.com>:<port>

  • or get enddate only

    $ echo | openssl s_client \
                 -connect <domain.com>:<port> 2>/dev/null |
         openssl x509 -noout -enddate
notAfter=Nov 28 23:59:59 2020 GMT

verify certs

$ echo | openssl s_client -showcerts \
                          -servername www.domain.com \
                          -connect <domain.com>:<port> 2>/dev/null |
         openssl x509 -inform pem -noout -text

  • get ssl only

    $ echo | openssl s_client -showcerts \
                          -connect <domain.com>:<port> 2>/dev/null |
                          sed -n '/BEGIN.*-/,/END.*-/p'

curl

$ curl -vvI https://www.domain.com

  • print ssl only

    $ curl --insecure \
       -vvI https://www.domain.com 2>&1 |
  awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'

keytool

$ keytool -printcert -sslserver <domain.com>:<port>

nmap

$ nmap -p 443 --script ssl-cert www.domain.com [-v]
PreviouskeystoreNextserver

Last updated