on-premise SSL/TLS Cert testing tool (100's of sites)



  • Has anyone found a good way to on-premise test SSL/TLS certs for many (100's) of sites on a regular basis?

    The usecase is websites setup both internally, and with VPN tunnels to many customers, as such no internet-facing presence.

    Things to check:

    • does the cert match the dns/url name
    • are all the intermediate certs accounted for
    • is it expired
    • is it signed by a trusted thirdparty site (commonly recognized by browsers)

    bonus for:

    • are there weak ciphers allowed


  • I don't know of any tools that do this pre-made. But a loop and a list of your cert files in a shell with openssl installed should do it. To verify the full chain, check out the openssl verify command. Something like this should work:

    openssl verify -CAfile root_cert.pem -untrusted intermediate_cert.pem user_cert.pem
    

    You can also add multiple intermediate certs as well. For each one just add another -untrusted flag for the cert.

    There are a few specific pre-made tools that will verify supported ciphers. Check out sslscan to test ciphers.

    Again, with a few loops in your preferred shell (bash for example), you can achieve a similar effect. Just make sure you have the openssl client installed and run something like:

    openssl s_client -showcerts -cipher  -connect :
    


Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2