on-premise SSL/TLS Cert testing tool (100's of sites)
Analeea
Has anyone found a good way to on-premise test SSL/TLS certs for many (100's) of sites on a regular basis?
The use case is websites set up both internally and with VPN tunnels to many customers, so there is no internet-facing presence.
Things to check:
- does the cert match the dns/url name
- are all the intermediate certs accounted for
- is it expired
- is it signed by a trusted third-party CA (commonly recognized by browsers)
- are there weak ciphers allowed
I don't know of any tools that do this pre-made. But a loop and a list of your cert files in a shell with openssl installed should do it. To verify the full chain, check out the openssl verify command. Something like this should work:
openssl verify -CAfile root_cert.pem -untrusted intermediate_cert.pem user_cert.pem
You can also add multiple intermediate certs as well. For each one just add another -untrusted flag for the cert.
There are a few specific pre-made tools that will verify supported ciphers. Check out sslscan to test ciphers.
Again, with a few loops in your preferred shell (bash for example), you can achieve a similar effect. Just make sure you have the openssl client installed and run something like:
openssl s_client -showcerts -cipher -connect :
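As an added example (not code from the thread), here is a bash script that turns the openssl verify and s_client pieces from the reply into one loop over a host list: for each server it fetches the presented chain, then checks expiry, name match, chain trust and whether a handshake restricted to weak cipher families is accepted. The CA bundle path, the hosts.txt file and the WARN_DAYS threshold are assumptions.

```shell
#!/usr/bin/env bash
# Assumed CA bundle path and expiry warning threshold (placeholders; adjust locally).
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"
WARN_DAYS="${WARN_DAYS:-30}"

# Pull the leaf and any intermediates the server sends into $3/leaf.pem and
# $3/chain.pem. -servername sends SNI so name-based vhosts answer with the right cert.
fetch_chain() {
  local host=$1 port=$2 dir=$3
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null |
    awk -v leaf="$dir/leaf.pem" -v chain="$dir/chain.pem" '
      /BEGIN CERTIFICATE/ { n++ }
      /BEGIN CERTIFICATE/,/END CERTIFICATE/ { if (n == 1) print > leaf; else print > chain }'
  [ -s "$dir/leaf.pem" ]
}
# 0 if the cert is still valid WARN_DAYS from now, 1 if it expires before then.
check_expiry() { openssl x509 -in "$1" -noout -checkend $((WARN_DAYS * 86400)) >/dev/null; }
# 0 if the cert's SAN (or CN) matches the host name we connected to.
check_name() { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; }
# 0 if the leaf chains to CA_BUNDLE, with chain.pem (if any) passed as -untrusted
# intermediates, exactly as the openssl verify line from the reply does.
check_chain() {
  local leaf=$1 chain=$2
  if [ -s "$chain" ]; then
    openssl verify -CAfile "$CA_BUNDLE" -untrusted "$chain" "$leaf" >/dev/null 2>&1
  else
    openssl verify -CAfile "$CA_BUNDLE" "$leaf" >/dev/null 2>&1
  fi
}
# 0 if the server rejects a handshake limited to weak TLS 1.2-and-below cipher
# families. TLS 1.3 is disabled because -cipher does not restrict its suites.
check_weak_ciphers() {
  ! openssl s_client -connect "$1:$2" -no_tls1_3 -cipher 'NULL:EXPORT:LOW:3DES:RC4:MD5' \
      </dev/null >/dev/null 2>&1
}
# Driver: hosts.txt holds one "host port" pair per line (constructed input file).
main() {
  dir=$(mktemp -d)
  while read -r host port; do
    if ! fetch_chain "$host" "$port" "$dir"; then echo "$host:$port FETCH-FAILED"; continue; fi
    check_expiry "$dir/leaf.pem"                 || echo "$host:$port EXPIRES-WITHIN-${WARN_DAYS}d"
    check_name "$dir/leaf.pem" "$host"           || echo "$host:$port NAME-MISMATCH"
    check_chain "$dir/leaf.pem" "$dir/chain.pem" || echo "$host:$port CHAIN-NOT-TRUSTED"
    check_weak_ciphers "$host" "$port"           || echo "$host:$port WEAK-CIPHERS-ACCEPTED"
    rm -f "$dir/leaf.pem" "$dir/chain.pem"
  done < hosts.txt
}
# Run the loop only when explicitly asked, so the functions can also be sourced.
[ "${RUN_CHECKS:-0}" = 1 ] && main
```

Run it as `RUN_CHECKS=1 ./tlscheck.sh` from a directory containing hosts.txt; silent output means every host passed all four checks.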