SSL 常用技巧
Check TLS/SSL certificate expiration date
from a website)
# NOTE: openssl requires at least 1.1.1
SITE_URL="www.cloudcoin.global"
SITE_SSL_PORT="443"
## note echo added ##
echo | openssl s_client -servername ${SITE_URL} -connect ${SITE_URL}:${SITE_SSL_PORT} \
| openssl x509 -noout -dates
# Alternaively
openssl s_client -connect ${SITE_URL}:${SITE_SSL_PORT} -servername ${SITE_URL} 2> /dev/null | openssl x509 -noout -dates
output
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
verify return:1
depth=0 C = US, ST = CA, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudcoin.global
verify return:1
DONE
notBefore=Jun 5 00:00:00 2020 GMT
notAfter=Jun 5 12:00:00 2021 GMT
- s_client : The s_client command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS.
- -servername $DOM : Set the TLS SNI (Server Name Indication) extension in the ClientHello message to the given value. NOTE: openssl requires at lease 1.1.1
- -connect $DOM:$PORT : This specifies the host ($DOM) and optional port ($PORT) to connect to.
- x509 : Run certificate display and signing utility.
- -noout : Prevents output of the encoded version of the certificate.
- -dates : Prints out the start and expiry dates of a TLS or SSL certificate.
from a PEM encoded certificate file)
openssl x509 -enddate -noout -in /etc/nginx/ssl/www.cyberciti.biz.fullchain.cer
output
notAfter=Dec 29 23:48:42 2020 GMT
Shell script to alert sysadmin
#!/bin/bash
# Purpose: Alert sysadmin/developer about the TLS/SSL cert expiry date in advance
# Author: Vivek Gite {https://www.cyberciti.biz/} under GPL v2.x+
# -------------------------------------------------------------------------------
PEM="/etc/nginx/ssl/letsencrypt/cyberciti.biz/cyberciti.biz.fullchain.cer"
# 7 days in seconds
DAYS="604800"
# Email settings
_sub="$PEM will expire within $DAYS (7 days)."
_from="system-account@your-dommain"
_to="sysadmin@your-domain"
_openssl="/usr/bin/openssl"
$_openssl x509 -enddate -noout -in "$PEM" -checkend "$DAYS" | grep -q 'Certificate will expire'
# Send email and push message to my mobile
if [ $? -eq 0 ]
then
echo "${_sub}"
mail -s "$_sub" -r "$_from" "$_to" <<< "Warning: The TLS/SSL certificate ($PEM) will expire soon on $HOSTNAME [$(date)]"
# See https://www.cyberciti.biz/mobile-devices/android/how-to-push-send-message-to-ios-and-android-from-linux-cli/ #
source ~/bin/cli_app.sh
push_to_mobile "$0" "$_sub. See $_to email for detailed log. -- $HOSTNAME " >/dev/null
fi
Get the CA chainServer certificate from the website
NOTE: openssl requires at least 1.1.1
echo -n | openssl s_client -showcerts -servername some.web.site -connect some.web.site:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > some-web-site_CA.pemsite.cer
除了使用 openssl 以外,也可以用 Firefox 或 Chrome 手動下載
CAServer鏈憑證檔。
顯示憑證檔 *.crt, *.pem 的詳細資訊
憑證檔的內容是由兩字串 -----BEGIN CERTIFICATE----- 與 -----END CERTIFICATE----- 所包含的亂數組合,要解析其中的憑證資訊,可以使用 openssl
工具:
openssl x509 -text -noout -in my_CA.pem
Check the TLS version
nmap --script ssl-enum-ciphers -p 443 www.google.com
# -tls1 for TLSv1
# -tls1_1 for TLSv1.1
# -tls1_2 for TLSv1.2
openssl s_client -connect www.google.com:443 -tls1_3
Generate a CSR (Certificate Signing Request)
sudo apt install openssl #[On Debian/Ubuntu]
sudo yum install openssl #[On CentOS/RHEL]
sudo dnf install openssl #[On Fedora]
openssl req -new -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr
Show the Information of the certificate
openssl x509 -noout -text -in your.cer
# For the cert file that is generated by Windows
openssl x509 -noout -text -inform der -in win.cer