Monday, August 10, 2009

Using OpenSSL tool to check SSL certificates for expiration dates

I am sure many application or system administrators have encountered the problem of an SSL certificate expiring in the middle of the day and causing an application outage. Part of the reason is that application server environments are getting more complex day by day in terms of the number of systems they talk to over SSL: LDAP, web services, the web server plugin, Siebel and, in highly secured environments, even database connectivity. It is further complicated because these are disparate systems maintained by different groups in the enterprise, with different expiration dates and different keystore and truststore formats. So unless you have a good enterprise-wide policy of checking SSL expiration dates well ahead of time, there is a very good chance that you will run into application failures.

As a WebSphere Application Server administrator, you will be the first point of contact when an application goes down, even when the SSL certificate that expired belongs to one of the systems it interacts with, such as the LDAP server used for security authentication. To diagnose and identify the problem and notify the respective system owner, the openssl tool comes in handy: you only need to know the hostname and the port the service's SSL listener is on, and you can find the expiration date without knowing the keystore password, its format, or how to access and view it. The tool is usually installed by default on Unix systems; on Windows you can download and install it.


Steps to check the SSL certificate expiration using the openssl tool:

1) openssl s_client -connect hostname:port > cert - this command connects to the server, retrieves the certificate and redirects the output to the file cert.
2) openssl x509 -in cert -noout -enddate - shows the expiration date of the downloaded certificate.


For example, to check the expiration for the www14.software.ibm.com web server host:

$openssl s_client -connect www14.software.ibm.com:443 > cert

Loading 'screen' into random state - done
depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0

$openssl x509 -in cert -noout -enddate

notAfter=Dec 8 13:00:22 2009 GMT

Note that this works not only with web servers; it will work with any service that has SSL turned on.
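The two steps above wrapped into a small POSIX shell script, as an added example that is not part of the original post. It assumes only that the openssl command-line tool is on PATH. Two practical details it handles that the bare commands do not: s_client keeps the connection open and waits on stdin until you press Ctrl-D, so the script closes stdin with </dev/null, and it sends the hostname as SNI with -servername so a server hosting several names returns the right certificate. The expiry check uses openssl x509 -checkend, which does the date arithmetic inside OpenSSL and so avoids the differences between GNU and BSD date. The host/port arguments, the warn_days threshold and the example.test certificate generated for the self-test are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes only that the
# `openssl` command-line tool is on PATH.

# Fetch the server's leaf certificate as PEM and print it on stdout.
# </dev/null closes stdin so s_client returns instead of waiting for input,
# and -servername sends SNI so a name-based virtual host returns the right cert.
fetch_cert() {
    host=$1; port=$2
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Print the notAfter date of the PEM certificate read from stdin.
cert_enddate() {
    openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# Return 0 if the PEM certificate on stdin stays valid for at least $1 more
# days, 1 if it expires sooner or has already expired. -checkend takes a
# number of seconds and does the comparison inside OpenSSL.
cert_ok_for_days() {
    openssl x509 -noout -checkend $(( $1 * 86400 )) >/dev/null
}

# Combine the two: fetch host:port and report. Exit status: 0 = OK,
# 1 = expires within warn_days (warn), 2 = could not retrieve a certificate.
check_host() {
    host=$1; port=$2; warn_days=$3
    pem=$(fetch_cert "$host" "$port") || return 2
    [ -n "$pem" ] || return 2
    ends=$(printf '%s\n' "$pem" | cert_enddate)
    if printf '%s\n' "$pem" | cert_ok_for_days "$warn_days"; then
        echo "OK    $host:$port expires $ends"
        return 0
    fi
    echo "WARN  $host:$port expires $ends (within $warn_days days)" >&2
    return 1
}

# Test fixture (constructed, not a real site): a throwaway self-signed
# certificate valid for $1 days, written to a temp dir; prints the PEM path.
make_test_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -out "$dir/cert.pem" -days "$1" -subj "/CN=example.test" 2>/dev/null
    echo "$dir/cert.pem"
}

# Usage: sh checkcert.sh host port warn_days
if [ "$#" -eq 3 ]; then
    check_host "$1" "$2" "$3"
fi
```

Run it as sh checkcert.sh www14.software.ibm.com 443 30 to get an OK/WARN line and an exit status a cron job or monitoring agent can act on. The "verify error:num=19" lines in the post's output are s_client reporting that it could not build a trusted chain because no CA file was given; they do not affect the notAfter value and are silenced here with 2>/dev/null.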

You can also view other information about the certificate without redirecting to a file. See also my other article on SSL certificate expiration monitoring for WebSphere or any Java-based application server that uses a Java keystore.

$openssl s_client -connect www14.software.ibm.com:443

Loading 'screen' into random state - done
CONNECTED(000006DC)
depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=US/ST=New York/L=Armonk/O=IBM/CN=www14.software.ibm.com
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
1 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=New York/L=Armonk/O=IBM/CN=www14.software.ibm.com
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 1688 bytes and written 322 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 00038028A696989D0973A59DEF091113DCCB885C585858584A80A84C0000298D
Session-ID-ctx:
Master-Key: 6A694E8816CE422DB3AD280BEC469ACBDBE1EB7BF116C5E3C600A1A68CC71B7864AE39D8A59CC1F07263C1AB1664238D
Key-Arg : None
Start Time: 1249945678
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
