Certificates - mwicat/personal GitHub Wiki

Digicert certificate checker

https://www.digicert.com/help/

List installed certificates

cat /etc/ca-certificates.conf

Install certificate

sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
sudo update-ca-certificates

Generate certificate sign request

openssl req -new -newkey rsa:4096 -nodes -out yourdomain_com.csr -keyout yourdomain_com.key -subj "/CN=yourdomain.com"

Get info about certificate request

openssl req -in mycsr.csr -noout -text

Generate self-signed certificate

openssl req -newkey rsa:4096 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem

serve certificate

cat server.key server.crt > server.pem
openssl genrsa -out server.key 1024
openssl req -new -key server.key -x509 -days 3653 -out server.crt

sudo socat openssl-listen:443,fork,reuseaddr,cert=server.pem -

Check remote website certificate

openssl s_client -showcerts -servername google.com -connect google.com:443 -CApath /etc/ssl/certs

test specific host:

curl --resolve yourhost.com:443:<host ip> https://yourhost.com/

Check local file certificate

openssl x509 -text -noout -in mycert.crt

Show website certificate details

nmap -p 443 --script ssl-cert gnupg.org

Show supported ciphers

nmap -p 443 --script ssl-enum-ciphers domain

nmap -p 443 --script ssl-enum-ciphers --script-args tls.servername=mydomain.net domain_or_ip

Test if server has SNI

openssl s_client -servername www.mnot.net -tlsextdebug -connect www.mnot.net:443 2>/dev/null | grep "server extension"

Get SSL certificate

import ssl
from OpenSSL import crypto

cert = ssl.get_server_certificate(('google.com', 443))
x509 = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
pubKey = x509.get_pubkey()
pubKeyString = crypto.dump_publickey(crypto.FILETYPE_PEM, pubKey)

subject = x509.get_subject()
cn = subject.CN

San certificate

multiple domains - pro = only one certificate needed, against = all domains must pass validation when needed

Verify deployed ciphers

https://testssl.sh/

docker run -v $(pwd):/results -it --rm drwetter/testssl.sh --htmlfile /results/www_google_com.html www.google.com

Certificates - mwicat/personal GitHub Wiki

Digicert certificate checker

List installed certificates

Install certificate

Generate certificate sign request

Get info about certificate request

Generate self-signed certificate

serve certificate

Check remote website certificate

Check local file certificate

Show website certificate details

Show supported ciphers

Test if server has SNI

Get SSL certificate

San certificate

Verify deployed ciphers

⚠️ **GitHub.com Fallback** ⚠️

⚠️ GitHub.com Fallback ⚠️