General
Cert store locations
System cert store (Debian-style layout):
/etc/ssl (bundle used by openssl -CApath/-CAfile: /etc/ssl/certs/ca-certificates.crt)
/etc/ca-certificates
/usr/local/share/ca-certificates (drop custom CAs here as .crt, then run update-ca-certificates)
Network Security Services (NSS)
- Firefox wiki: Network Security Services (NSS)
- Used by e.g. Chromium (per-user store in ~/.pki/nssdb)
Usage:
List certs:
certutil -d sql:$HOME/.pki/nssdb/ -L
Add cert:
certutil -d sql:$HOME/.pki/nssdb -A -t TC -n test-cert -i test.cert
Add multiple certs:
for n in *.crt; do certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "$n" -i "$n"; done
Check certs
testssl.sh
command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as some cryptographic flaws
- GitHub
- Can only check remote certs, not local ones from filesystem
Install:
sudo pacman -S testssl.sh
check_ssl_cert
- matteocorti/check_ssl_cert: a shell script (usable as a Nagios/Icinga plugin) to check an SSL/TLS connection or a local cert file
Install:
apt install --no-install-recommends -t testing monitoring-plugins-contrib
check remote ssl cert
export PATH="/usr/lib/nagios/plugins:$PATH"
check_ssl_cert -H mail.bitrigger.de -p 25 -P smtp
check_ssl_cert -H mail.bitrigger.de -p 587 -P smtp
check_ssl_cert -H mail.bitrigger.de -p 993 -P imaps --long-output fingerprint
Verify against a specific root and warn/critical on days left (short options take a single dash):
check_ssl_cert -H example.org -n example.org \
-r /usr/share/ca-certificates/cacert.org/cacert.org.crt \
--altnames -w 30 -c 14
check_ssl_cert --rootcert ~/Leap/git/leap_testprovider/provider/files/ca/ca.crt \
--host couch1.rewire.co --cn couch1.rewire.co --altnames --port 6984
Check local cert
check_ssl_cert -H localhost --file /tmp/www.example.org.crt
Using prometheus output:
check_ssl_cert -H localhost --prometheus --file /tmp/www.example.org.crt
Show all certs in cert chain
openssl crl2pkcs7 -nocrl -certfile lets-encrypt-root.pem \
| openssl pkcs7 -print_certs -text -noout
openssl crl2pkcs7 -nocrl -certfile lets-encrypt-root.pem \
| openssl pkcs7 -print_certs -text -noout | grep -A4 Issuer:
SSL labs
https://github.com/ssllabs/ssllabs-scan
ssllabs-scan https://varac.net
CAs
Add custom CA
i.e. hackint root CA:
sudo wget https://www.hackint.org/crt/rootca.crt -O /usr/local/share/ca-certificates/hackint-rootca.crt
Check fingerprint (compare against the value the CA publishes out of band):
openssl x509 -noout -fingerprint -sha256 -in /usr/local/share/ca-certificates/hackint-rootca.crt
Update system CA certs:
sudo update-ca-certificates
Test:
gnutls-cli irc.hackint.org -p 6697 --print-cert < /dev/null
Verify against the just-installed root only (the system store is the default, so after update-ca-certificates a plain gnutls-cli connect must also succeed):
gnutls-cli --x509cafile /usr/local/share/ca-certificates/hackint-rootca.crt \
irc.hackint.org -p 6697 < /dev/null
Or feed the served chain to certtool (a second < redirection would replace the piped chain, so the CA goes in via --load-ca-certificate):
gnutls-cli irc.hackint.org -p 6697 --print-cert < /dev/null \
| certtool --verify --load-ca-certificate /usr/local/share/ca-certificates/hackint-rootca.crt
Search CAs
awk -v cmd='openssl x509 -noout -subject' ' /BEGIN/{close(cmd)};{print | cmd}' \
< /etc/ssl/certs/ca-certificates.crt
fetch cert
ssl-recv-cert.sh www.example.org 443
Inspect cert
openssl x509 -text -in /etc/openvpn/cougar.leap.se/keys/ca.cr
Cert Validation with openssl
openssl x509 -in www.example.org.crt -noout -dates
Check validity via network connection:
openssl s_client -connect jabber.org:5222 -starttls xmpp
openssl s_client -servername bitmask.net -connect bitmask.net:443 -CApath /etc/ssl/certs
openssl s_client -connect mail.bitrigger.de:25 -starttls smtp
openssl s_client -connect hbci-pintan.gad.de:443 -CApath /etc/ssl/certs \
< /dev/null | grep Verify
Show cert:
true | openssl s_client -connect k8s-at-home.com:443 -showcerts
echo | openssl s_client -showcerts -servername charts.gabe565.com \
-connect charts.gabe565.com:443 2>/dev/null | openssl x509 -inform pem -noout -text
(-servername sets the SNI name and must match the host you want the cert for; the second openssl only decodes the first cert of the chain)
Fingerprints
openssl x509 -noout -in cert.pem -fingerprint -startdate
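Added example, not from the original notes: one script that exercises the checks from the "Show all certs in cert chain", "Search CAs", "Cert Validation with openssl" and "Fingerprints" sections, plus the -w/-c day thresholds check_ssl_cert uses, against a root -> intermediate -> leaf chain it generates itself, so it runs offline. All names, lifetimes and thresholds in it are made-up test values.

```shell
#!/bin/sh
# Added example, not from the original notes: build a throwaway
# root -> intermediate -> leaf chain with openssl, then list, verify,
# expiry-check and fingerprint it the way the commands above do for
# real bundles. Every name, lifetime and threshold below is a made-up
# test value. Needs only openssl (1.1.1 or newer) and POSIX sh.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# --- constructed test material -------------------------------------------
newkey_csr() {  # usage: newkey_csr NAME SUBJECT  (P-256 key + CSR, fast)
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
# Extensions for the CA certs and for the end-entity cert. They must be
# explicit: "openssl x509 -req" adds no extensions on its own.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.org\n' > leaf.ext

newkey_csr root "/CN=Test Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 10 -sha256 \
  -extfile ca.ext -out root.pem 2>/dev/null
newkey_csr int "/CN=Test Intermediate CA"
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 5 -sha256 -extfile ca.ext -out int.pem 2>/dev/null
newkey_csr leaf "/CN=www.example.org"
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 2 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null
cat leaf.pem int.pem root.pem > fullchain.pem   # leaf + intermediates (+ root)

# --- the checks ------------------------------------------------------------
# Number of certificates in a PEM bundle.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# subject, issuer and notAfter of every cert in a bundle: the same awk
# trick as the "Search CAs" one-liner, restarting openssl at each BEGIN.
chain_summary() {
  awk -v cmd='openssl x509 -noout -subject -issuer -enddate' \
    '/BEGIN CERTIFICATE/{close(cmd)} {print | cmd}' "$1"
}

# Verify CERT against a trust anchor; the optional third argument is a
# bundle of untrusted intermediates (what a server sends with its leaf).
verify_cert() {  # usage: verify_cert CERT CAFILE [UNTRUSTED]
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

# Nagios-style expiry check like check_ssl_cert -w/-c: prints OK, WARNING
# or CRITICAL and returns 0/1/2. -checkend N fails if the cert expires
# within N seconds.
expiry_status() {  # usage: expiry_status CERT WARN_DAYS CRIT_DAYS
  if ! openssl x509 -in "$1" -noout -checkend $(( $3 * 86400 )) >/dev/null; then
    echo CRITICAL; return 2
  elif ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
    echo WARNING; return 1
  fi
  echo OK
}

# SHA-256 fingerprint as colon-separated hex, and a case-insensitive pin
# comparison so a value copied from a browser dialog still matches.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
pin_matches() {  # usage: pin_matches CERT EXPECTED_SHA256
  [ "$(fingerprint "$1" | tr 'a-f' 'A-F')" = "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]
}

# --- report (what you would run by hand) -----------------------------------
echo "certs in fullchain.pem: $(cert_count fullchain.pem)"
chain_summary fullchain.pem
verify_cert leaf.pem root.pem int.pem && echo "leaf verifies with the intermediate supplied"
verify_cert leaf.pem root.pem || echo "leaf alone fails: unable to get local issuer certificate"
for c in leaf int root; do
  status=$(expiry_status "$c.pem" 30 14) || true   # -w 30 -c 14 days
  echo "$c.pem expiry: $status"
done
echo "leaf sha256: $(fingerprint leaf.pem)"
```

Point the functions at real files for the real thing (`chain_summary /etc/ssl/certs/ca-certificates.crt`, `verify_cert server.crt /etc/ssl/certs/ca-certificates.crt chain.crt`). The `verify_cert leaf.pem root.pem` failure is the same "unable to get local issuer certificate" you get from a server that forgets to send its intermediate; checking with `-untrusted` lets you tell that apart from an unknown CA.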
jp2a
from the jp2a package
jp2a -d https://leap.se/git/leap_web
TLS smtp with openssl
openssl s_client -connect mail.riseup.net:25 -starttls smtp \
-CApath /etc/ssl/certs |grep Verify
Imap:
openssl s_client -connect bitrigger.de:993 -CApath /etc/ssl/certs |grep Verify
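Added example, not from the original notes, for the `| grep Verify` lines above (the s_client checks under "Check validity via network connection" and the smtp/imap ones just above): a throwaway TLS server on loopback and a helper that returns only the numeric "Verify return code", shown with no trust anchor, with the server's own cert as anchor, and with a hostname check. Port, CN, lifetime and the wrong hostname are made-up test values; the server speaks plain TLS, so for STARTTLS ports add the -starttls option from the notes to the s_client call.

```shell
#!/bin/sh
# Added example, not from the original notes: bring up a throwaway TLS
# server on loopback with openssl s_server, then read the "Verify return
# code" that the `openssl s_client ... | grep Verify` lines above rely on.
# Port, CN and cert lifetime are made-up test values. Needs openssl 1.1.1+
# (for -addext) and a free loopback port.
set -eu

WORK=$(mktemp -d)
cd "$WORK"
PORT=$(( 40000 + $$ % 20000 ))   # arbitrary unprivileged port (assumption)

# Constructed self-signed server cert (SAN = localhost), valid one day.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -subj "/CN=localhost" -addext "subjectAltName=DNS:localhost" -days 1 \
  -keyout srv.key -out srv.pem 2>/dev/null

openssl s_server -accept "127.0.0.1:$PORT" -cert srv.pem -key srv.key -www \
  </dev/null >/dev/null 2>&1 &
SERVER=$!
trap 'kill "$SERVER" 2>/dev/null; rm -rf "$WORK"' EXIT

# Wait for s_server to bind (s_client exits non-zero while refused).
tries=0
until openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1; do
  tries=$((tries + 1))
  [ "$tries" -lt 10 ] || { echo "test server did not come up" >&2; exit 1; }
  sleep 1
done

# Handshake and print only the numeric verify result. 0 = chain verified;
# 18 = self-signed leaf not in the trust store; 20/21 = issuer missing
# (CA unknown or the server sent an incomplete chain); 62 = hostname mismatch.
tls_verify_code() {  # usage: tls_verify_code HOST PORT [CAFILE [EXPECTED_NAME]]
  host=$1; port=$2; cafile=${3:-}; name=${4:-}
  set -- -connect "$host:$port"
  [ -z "$cafile" ] || set -- "$@" -CAfile "$cafile"
  [ -z "$name" ] || set -- "$@" -verify_hostname "$name"
  openssl s_client "$@" </dev/null 2>/dev/null \
    | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

echo "no trust anchor:         $(tls_verify_code 127.0.0.1 "$PORT")"
echo "own cert as anchor:      $(tls_verify_code 127.0.0.1 "$PORT" srv.pem)"
echo "anchor + right hostname: $(tls_verify_code 127.0.0.1 "$PORT" srv.pem localhost)"
echo "anchor + wrong hostname: $(tls_verify_code 127.0.0.1 "$PORT" srv.pem wrong.example)"
```

Note that s_client does not check the hostname unless -verify_hostname is given, so a `Verify return code: 0 (ok)` from the bare commands above only says the chain is trusted, not that the cert is for the host you connected to; -CApath /etc/ssl/certs as in the notes is what makes the system store the anchor.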
Convert p7b to pem/txt format
openssl pkcs7 -inform der -in IdenTrustCommercialRootCA.p7b -out IdenTrustCommercialRootCA.p7b.txt
openssl pkcs7 -print_certs -in IdenTrustCommercialRootCA.p7b.txt -out IdenTrustCommercialRootCA.pem
sslyze
Install:
pip install sslyze
Usage:
sslyze repo.vmware.com:443