Validity of SSL Certificates
OpenSSL provides several options for implementing SSL & TLS network protocols that you can use to securely communicate with a server. In this blog post, we’ll turn our attention to SSL certificates & the priceless information they contain.
An SSL certificate[1] contains a lot of information such as:
- Issuer
- Subject i.e. the owner
- Validity dates/period
- Fingerprints
- Certificate chain, e.t.c
openssl
is a powerful cryptography & SSL/TLS toolkit that is readily available on most linux distros. It provides several options such as s_client
[2] which allows you to connect to a remote host using SSL/TLS protocols, and x509
[3] which can be used to display certificate information, convert certificates to various forms, sign certificate requests like a ‘mini CA’ or even edit certificate trust settings. Using openssl
, we’ll obtain all the above information from an ssl certificate.
Show validity
show the expiry date of an ssl certificate. Both before(
-enddate
) and after(-startdate
) dates would give you the validity period of a certificate.$ echo | openssl s_client -connect site:port 2> /dev/null | openssl x509 -noout -dates
For example:
$ echo | openssl s_client -connect google.com:443 2> /dev/null | openssl x509 -noout -dates notBefore=Sep 10 14:03:47 2014 GMT notAfter=Dec 9 00:00:00 2014 GMT
Show issuer
show who issued the certificate i.e. Certificate Authority(CA):
$ echo | openssl s_client -connect site:port 2> /dev/null | openssl x509 -noout -issuer
For example:
$ echo | openssl s_client -connect google.com:443 2> /dev/null | openssl x509 -noout -issuer issuer= /C=US/O=Google Inc/CN=Google Internet Authority G2
Show subject
show the owner/subject of the certificate:
$ echo | openssl s_client -connect site:port 2> /dev/null | openssl x509 -noout -subject
For example:
$ echo | openssl s_client -connect google.com:443 2> /dev/null | openssl x509 -noout -subject subject= /C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
All the above
You can combine
-dates
,-issuer
and-subject
options in one command:$ echo | openssl s_client -connect site:port 2> /dev/null | openssl x509 -noout -dates -issuer -subject
For example:
$ echo | openssl s_client -connect google.com:443 2> /dev/null | openssl x509 -noout -dates -issuer -subject notBefore=Sep 10 14:03:47 2014 GMT notAfter=Dec 9 00:00:00 2014 GMT issuer= /C=US/O=Google Inc/CN=Google Internet Authority G2 subject= /C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
Show certificate hash
show cert’s hash:
echo | openssl s_client -connect site:port 2> /dev/null | openssl x509 -noout -hash
for example:
$ echo | openssl s_client -connect google.com:443 2> /dev/null | openssl x509 -noout -hash a18bd28a
Show MD5 fingerprint
print the certificate fingerprint:
$ echo | openssl s_client -connect site:port 2> /dev/null | openssl x509 -noout -fingerprint
for example:
$ echo | openssl s_client -connect google.com:443 2> /dev/null | openssl x509 -noout -fingerprint SHA1 Fingerprint=8D:92:BB:69:54:E2:57:43:F3:4A:08:EC:35:96:0D:97:74:F5:66:6A
Show all information in an SSL certificate
Lets print all the information stored in a certificate:
echo | openssl s_client -connect site:port 2> /dev/null | openssl x509 -noout -text
for example
$ echo | openssl s_client -connect google.com:443 2> /dev/null | openssl x509 -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 2725601525394095740 (0x25d348258060be7c) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2 Validity Not Before: Sep 10 14:03:47 2014 GMT Not After : Dec 9 00:00:00 2014 GMT Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:88:86:aa:db:2d:af:b3:7a:b6:20:99:79:b2:63: a4:1a:0b:9f:18:40:3d:0f:bb:d3:df:f0:1c:97:dd: 84:8a:bf:1c:a1:f4:ac:36:9e:2b:f3:64:6f:8f:4e: ca:5c:de:09:b4:31:5a:21:47:21:37:c8:86:c8:0a: ae:5d:90:43:13:5a:ad:18:f0:e8:fa:2c:a3:d0:d4: 9a:68:d6:41:dc:c8:d3:3c:27:2e:4b:30:25:a3:12: b4:36:b5:70:98:e2:f5:02:a2:dc:e8:bf:a2:06:02: 3e:bd:0a:71:69:52:04:37:d4:dc:af:64:11:af:ed: d5:8c:4f:75:17:5d:04:5f:a4:d6:d0:ad:6a:da:45: 23:d0:3e:14:3a:3a:96:a5:e4:3d:1c:52:45:55:a3: 43:21:5c:41:71:9d:17:20:19:c9:f3:2c:18:f2:57: 45:87:2b:c8:0d:86:02:aa:79:3d:15:ed:b0:1b:37: cf:5c:cd:4e:7c:75:50:63:d2:4b:8b:6b:d1:a4:e4: 23:90:d3:6f:c6:4d:b5:d2:3b:8b:3e:9c:eb:21:38: ef:21:bb:13:00:db:09:f4:9e:91:ef:96:1f:78:f4: b4:b6:b7:65:1c:90:12:75:8b:0d:12:90:c5:dd:55: b5:77:a0:96:27:0f:a2:88:b5:71:b7:f2:21:7b:9e: 97:07 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Subject Alternative Name: DNS:*.google.com, DNS:*.android.com, DNS:*.appengine.google.com, DNS:*.cloud.google.com, DNS:*.google-analytics.com, DNS:*.google.ca, DNS:*.google.cl, DNS:*.google.co.in, DNS:*.google.co.jp, DNS:*.google.co.uk, DNS:*.google.com.ar, DNS:*.google.com.au, DNS:*.google.com.br, DNS:*.google.com.co, DNS:*.google.com.mx, DNS:*.google.com.tr, DNS:*.google.com.vn, DNS:*.google.de, DNS:*.google.es, DNS:*.google.fr, DNS:*.google.hu, DNS:*.google.it, DNS:*.google.nl, DNS:*.google.pl, DNS:*.google.pt, DNS:*.googleadapis.com, DNS:*.googleapis.cn, DNS:*.googlecommerce.com, DNS:*.googlevideo.com, DNS:*.gstatic.cn, DNS:*.gstatic.com, DNS:*.gvt1.com, DNS:*.gvt2.com, DNS:*.urchin.com, DNS:*.url.google.com, DNS:*.youtube-nocookie.com, DNS:*.youtube.com, DNS:*.youtubeeducation.com, DNS:*.ytimg.com, DNS:android.com, DNS:g.co, DNS:goo.gl, DNS:google-analytics.com, DNS:google.com, DNS:googlecommerce.com, DNS:urchin.com, DNS:youtu.be, DNS:youtube.com, DNS:youtubeeducation.com Authority Information Access: CA Issuers - URI:http://pki.google.com/GIAG2.crt OCSP - URI:http://clients1.google.com/ocsp X509v3 Subject Key Identifier: A3:9E:4E:88:E8:51:57:6C:96:02:04:AD:C7:C8:9C:06:7C:BF:BF:41 X509v3 Basic Constraints: critical CA:FALSE X509v3 Authority Key Identifier: keyid:4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.11129.2.5.1 X509v3 CRL Distribution Points: Full Name: URI:http://pki.google.com/GIAG2.crl Signature Algorithm: sha1WithRSAEncryption 39:25:0e:01:8c:a3:5e:14:37:82:c4:a3:dc:d4:16:d7:c3:6b: fd:e9:1c:20:93:6a:f6:91:47:8b:5c:15:73:3a:a1:71:27:68: 76:56:b7:02:eb:fc:e7:9d:3c:8c:5a:69:a4:0b:75:ad:79:7e: 0e:34:35:68:8f:7b:51:45:69:99:90:a2:f7:33:0c:54:37:d4: 04:e9:4c:d9:d5:96:cb:b7:00:56:61:ec:27:ab:4a:21:54:15: 10:f3:cc:6b:90:20:cd:ec:70:3a:f3:bc:fc:a0:be:c6:79:9a: f9:3c:1f:e0:cc:25:fa:ab:a2:8f:2f:06:36:26:16:c4:c4:41: 64:cd:e3:c7:8a:7c:f6:d6:f0:25:bf:a7:94:76:66:4f:b0:56: 5c:5f:c5:c9:86:4d:9b:49:07:8f:e3:4b:91:5c:c4:0d:e5:b3: 6c:4d:1e:63:1f:94:4b:10:3c:df:8f:9c:d8:7f:19:56:6a:a7: b4:af:c1:69:81:ee:2f:f3:b7:fc:82:36:ce:72:2d:97:6f:9a: 8f:d3:a7:6b:80:82:8b:59:ce:83:81:26:02:76:96:68:92:ac: 36:93:01:4c:a4:55:91:89:65:6e:fc:b2:6d:90:c2:b3:63:75: 8e:1e:ad:45:8a:d7:98:85:e2:b2:bf:c1:ca:e8:83:e8:98:82: be:3b:ba:19
Conclusion
As a sysadmin, or an owner of a certificate, it’s a good practice to check the expiry date on your certificate(s) once every 2weeks so that you can plan in advance & renew them before they expire. This helps you avoid situations whereby your clients can’t securely connect to your servers because of an expired certificate.
For me, a simple cron job does the trick, every 2weeks it checks the validity of my certificates & emails me the results.
0 9 */14 * 1 echo | openssl s_client -connect $SITE:$PORTt 2> /dev/null | openssl x509 -noout -dates -issuer -subject| mail -s "Certificate Validity for $SITE" $YOUR_EMAIL