Monday, August 10, 2009

Using OpenSSL tool to check SSL certificates for expiration dates

I am sure many Application or System administrators have encountered the issue of SSL certificates expiring in the middle of the day and causing application outages. Part of the reason is that application server environments are getting more complex day by day in terms of the number of systems they interact with over SSL: LDAP, Web Services, the web server plugin, Siebel and, in highly secured environments, even database connectivity. It is further complicated because these are disparate systems maintained by different groups in the enterprise, with different expiration dates and different keystore and truststore formats. So unless you have a good enterprise-wide policy of checking SSL expiration dates well ahead of time, there is a very good chance that you will run into application failures.

As a WebSphere Application Administrator, you will be the first point of contact when the application goes down, even when the SSL certificate expired on one of the systems it interacts with, such as the LDAP server used for security authentication. To diagnose and identify the problem and notify the respective system owner, the openssl tool comes in handy: you only need to know the hostname and the port the service's SSL listener is on, and you can find the expiration date without knowing the keystore password or format, or how to access and view the keystore. The tool is usually installed by default on Unix systems; on Windows you can download and install it.

Steps to check the SSL certificate expiration using the openssl tool:

1) openssl s_client -connect hostname:port > cert - this command retrieves the server certificate and redirects the output to a file named cert.
2) openssl x509 -in cert -noout -enddate - this command shows the expiration date of the downloaded certificate.

For example, to check the expiration date of a web server host:

$openssl s_client -connect > cert

Loading 'screen' into random state - done
depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0

$openssl x509 -in cert -noout -enddate

notAfter=Dec 8 13:00:22 2009 GMT

Note that this works not only with a web server but with any service that has SSL enabled.
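The two commands above chained into a small reusable check over a list of host:port endpoints, as an added example that is not part of the original post; it assumes GNU date (for "date -d") and the hostnames in the comments are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: checks one or more host:port
# endpoints with the two openssl commands above and warns when the server
# certificate expires within WARN_DAYS. Assumes GNU date (for "date -d").

WARN_DAYS=${WARN_DAYS:-30}

# Fetch the notAfter line for host:port. </dev/null closes s_client's stdin so it
# exits after the handshake instead of waiting for input; -servername sends SNI
# so a virtual host returns its own certificate rather than the default one.
cert_enddate() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null
}

# Seconds from a reference time (epoch seconds, default: now) until the date in
# a "notAfter=Dec 8 13:00:22 2009 GMT" line. Negative means already expired.
seconds_until_expiry() {
    now=${2:-$(date -u +%s)}
    end_epoch=$(date -u -d "${1#notAfter=}" +%s) || return 2
    echo $(( end_epoch - now ))
}

# Classify the remaining lifetime: "expired", "expiring" (inside the warning
# window) or "ok".
expiry_status() {
    if [ "$1" -lt 0 ]; then echo expired
    elif [ "$1" -lt $(( WARN_DAYS * 86400 )) ]; then echo expiring
    else echo ok
    fi
}

# One report line per endpoint, e.g. ldap.example.com:636 (constructed name).
check_endpoints() {
    for endpoint in "$@"; do
        line=$(cert_enddate "${endpoint%:*}" "${endpoint##*:}")
        if [ -z "$line" ]; then
            echo "$endpoint: could not retrieve certificate"
            continue
        fi
        secs=$(seconds_until_expiry "$line")
        echo "$endpoint: $(expiry_status "$secs") ($(( secs / 86400 )) days left, $line)"
    done
}

if [ $# -gt 0 ]; then
    check_endpoints "$@"
fi
```

Run it as ./check_ssl_expiry.sh host1:443 host2:636 from cron and alert on any line that does not say "ok"; an endpoint that cannot be reached is reported rather than silently skipped.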

You can also view other information about the certificate without redirecting the output to a file. Also, see my other article on monitoring SSL certificate expiration for WebSphere or any Java-based application server that uses a Java keystore.

$openssl s_client -connect

Loading 'screen' into random state - done
depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
Certificate chain
0 s:/C=US/ST=New York/L=Armonk/O=IBM/
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
1 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Server certificate
subject=/C=US/ST=New York/L=Armonk/O=IBM/
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
No client certificate CA names sent
SSL handshake has read 1688 bytes and written 322 bytes
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 00038028A696989D0973A59DEF091113DCCB885C585858584A80A84C0000298D
Master-Key: 6A694E8816CE422DB3AD280BEC469ACBDBE1EB7BF116C5E3C600A1A68CC71B7864AE39D8A59CC1F07263C1AB1664238D
Key-Arg : None
Start Time: 1249945678
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
