Linux: view SSL certificates

List all available ssl ca certificates

That means it cannot find the corresponding SSL server key in the global system keyring. I want to check this by looking at the list of all system-wide available SSL keys on a Gentoo Linux system. How can I get this list?

8 Answers

It’s not SSL keys you want, it’s certificate authorities, and more precisely their certificates.

awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt

To get the "subject" of every CA certificate in /etc/ssl/certs/ca-certificates.crt (this works because openssl exits after reading an individual cert block, but awk relaunches openssl on the next print | cmd call).

Beware that sometimes, you get that error when SSL servers forget to provide the intermediate certificates.

Use openssl s_client -showcerts -connect the-git-server:443 to get the list of certificates being sent.

Note that the pathname of the certificates bundle may differ depending on the operating system. The directory holding the certs sub-directory is given by the command openssl version -d. The actual certificates file in that directory may additionally have a different name.

This does not work on CentOS 6, but I have added an answer for CentOS 6 here: unix.stackexchange.com/a/363309/48498

@F.Hauri, the command I gave should work in bash or any shell of the Bourne, rc, or fish families. If put on one line, it would work in any shell that I know, even csh, even the Unix V6 shell.


I agree, your solution is correct and efficient. I've just posted an alternative, using bash's arrays and some pretty output formatting, showing some useful bash features.

Not sure about Gentoo, but most distros put their certificate soft-links in a system-wide location at /etc/ssl/certs.

  • Key files go into /etc/ssl/private
  • System-provided actual files are located at /usr/share/ca-certificates
  • Custom certificates go into /usr/local/share/ca-certificates

Whenever you put a certificate in one of the above-mentioned paths, run update-ca-certificates to update the /etc/ssl/certs lists.

It's update-ca-certificates with an additional s (can't edit this myself, as it's just a one-character edit).

I had a requirement to list all the certs on our server and notify if they are due to expire. We came up with this command:

locate .pem | grep "\.pem$" | xargs -I{} openssl x509 -issuer -enddate -noout -in {}

Note that the openssl x509 format expects only a single cert in a PEM file. Multiple certs, if present, need to follow some parsing given at unix.stackexchange.com/questions/17744/…
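A Python version of the block-splitting trick from the awk answers above, combined with the "notify if due to expire" check this answer asks for. This is an added example, not code from any of the original answers; it assumes `openssl` is on PATH and, unless you change the path, the Debian/Ubuntu bundle location /etc/ssl/certs/ca-certificates.crt.

```python
import re
import subprocess
from datetime import datetime, timedelta, timezone

# A bundle is just concatenated PEM blocks; this regex matches one of them.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def split_bundle(bundle_text):
    """Return every PEM certificate block in the bundle, in file order."""
    return [m.group(0) + "\n" for m in PEM_BLOCK.finditer(bundle_text)]


def parse_enddate(value):
    """Parse openssl's notAfter value, e.g. 'Dec 16 20:01:40 2017 GMT'."""
    stamp = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
    return stamp.replace(tzinfo=timezone.utc)


def describe(pem):
    """Feed ONE block to `openssl x509` (it ignores everything after the first
    certificate it reads, hence the split) and return its fields as a dict."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-enddate",
         "-fingerprint", "-sha256"],
        input=pem, capture_output=True, text=True, check=True).stdout
    fields = {}
    for line in out.splitlines():   # e.g. "notAfter=Dec 16 20:01:40 2017 GMT"
        key, _, val = line.partition("=")
        fields[key.strip().lower()] = val.strip()
    return fields


def expiring_soon(bundle_text, days=30, now=None):
    """Return (subject, sha256 fingerprint, notAfter) for certs ending within `days`."""
    now = now or datetime.now(timezone.utc)
    hits = []
    for pem in split_bundle(bundle_text):
        info = describe(pem)
        end = parse_enddate(info["notafter"])
        if end - now <= timedelta(days=days):
            fp = next(v for k, v in info.items() if k.endswith("fingerprint"))
            hits.append((info["subject"], fp, end))
    return hits


if __name__ == "__main__":
    # Same bundle path as in the answers above; adjust to `openssl version -d`.
    with open("/etc/ssl/certs/ca-certificates.crt") as f:
        for subject, fp, end in expiring_soon(f.read(), days=365):
            print(f"{end:%Y-%m-%d}  {fp}  {subject}")
```

The fingerprint is included in the report on purpose: as a later answer notes, that is the value to match on, not the subject name.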

A quick way to list all currently trusted CA certificates by openssl (with Ubuntu default directories):

find /etc/ssl/certs -type l -iname "*.0" -exec cat "{}" \; | awk -v cmd='openssl x509 -noout -subject -enddate 2>/dev/null | tr "\n" " " ; echo' '/BEGIN/{close(cmd)};{print | cmd};/END/{close(cmd)}' | sed -r 's:^subject=::' | sort -u

openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/ca-certificates.crt | openssl pkcs7 -print_certs -noout | grep subject

Most of the time, when examining CA certificates, you will want (and should) grep for the fingerprint. You can also pipe the output to less for searching/matching manually.
In general, verifying the certificate fingerprint rather than just its name/issuer name/date etc. is very important.

# By piping to less you can manually search by hitting '/'
cat /etc/ssl/certs/ca-certificates.crt | keytool -printcert 2>/dev/null | grep "^Certificate\[" -A11 | less

Certificate[1]:
Owner: C=ES, O=ACCV, OU=PKIACCV, CN=ACCVRAIZ1
Issuer: C=ES, O=ACCV, OU=PKIACCV, CN=ACCVRAIZ1
Serial number: 5ec3b7a6437fa4e0
Valid from: Thu May 05 12:37:37 EEST 2011 until: Tue Dec 31 11:37:37 EET 2030
Certificate fingerprints:
	 SHA1: 93:05:7A:88:15:C6:4F:CE:88:2F:FA:91:16:52:28:78:BC:53:64:17
	 SHA256: 9A:6E:C0:12:E1:A7:DA:9D:BE:34:19:4D:47:8A:D7:C0:DB:18:22:FB:07:1D:F1:29:81:49:6E:D1:04:38:41:13
Signature algorithm name: SHA1withRSA (weak)
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3
--
Certificate[2]:
Owner: OU=AC RAIZ FNMT-RCM, O=FNMT-RCM, C=ES
Issuer: OU=AC RAIZ FNMT-RCM, O=FNMT-RCM, C=ES
Serial number: 5d938d306736c8061d1ac754846907
Valid from: Wed Oct 29 17:59:56 EET 2008 until: Tue Jan 01 02:00:00 EET 2030
Certificate fingerprints:
	 SHA1: EC:50:35:07:B2:15:C4:95:62:19:E2:A8:9A:5B:42:99:2C:4C:2C:20
	 SHA256: EB:C5:57:0C:29:01:8C:4D:67:B1:AA:12:7B:AF:12:F7:03:B4:61:1E:BC:17:B7:DA:B5:57:38:94:17:9B:93:FA
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3
--
...

And since the above command also prints a sequential number for each certificate (e.g. Certificate[3]), you can then pick the actual certificate with:

# Let's say you want to pick certificate number 3
awk -v n=3 '/BEGIN CERTIFICATE/ && ++k == n, /END CERTIFICATE/' /etc/ssl/certs/ca-certificates.crt


How To Read The SSL Certificate Info From the CLI

This guide will show you how to read the SSL certificate information from a text file on your server, or from a remote server by connecting to it with the OpenSSL client.

Read the SSL certificate information from a text file at the CLI

If you have your certificate file available to you on the server, you can read the contents with the openssl client tools.

By default, your certificate will look like this.

$ cat certificate.crt
-----BEGIN CERTIFICATE-----
MIIEzTCCA7WgAwIBAgISESHAjlbjcoBHxBYXS12oY6VjMA0GCSqGSIb3DQEBCwUA
...
CzgXBhDR3themzPx4jwx2ckNFpNDK/6yQgrKaHTewAAj
-----END CERTIFICATE-----

Which doesn’t really tell you much.

However, you can decode that certificate into a more readable form with the openssl tool (the certificate is not encrypted, only Base64-encoded).

$ openssl x509 -text -noout -in certificate.crt

It will display the SSL certificate details, such as the expiration date, common name, issuer, …

Here’s what it looks like for my own certificate.

$ openssl x509 -text -noout -in certificate.crt
Certificate:
    ...
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=BE, O=GlobalSign nv-sa, CN=AlphaSSL CA - SHA256 - G2
        Validity
            Not Before: Dec 16 20:01:40 2014 GMT
            Not After : Dec 16 20:01:40 2017 GMT
        Subject: C=BE, OU=Domain Control Validated, CN=ma.ttias.be
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
    ...

The openssl tools are a must-have when working with certificates on your Linux server.

Read the SSL certificate information from a remote server

You may want to monitor the validity of an SSL certificate on a remote server without having the certificate.crt text file locally on your own server. You can use the same openssl tool for that.

To connect to a remote host and retrieve the SSL certificate it presents (including its public key), use the following command.

$ openssl s_client -showcerts -connect ma.ttias.be:443

This will connect to the host ma.ttias.be on port 443 and show the certificate. Its output looks like this.

$ openssl s_client -showcerts -connect ma.ttias.be:443
-----BEGIN CERTIFICATE-----
MIIEzTCCA7WgAwIBAgISESHAjlbjcoBHxBYXS12oY6VjMA0GCSqGSIb3DQEBCwUA
...
CzgXBhDR3themzPx4jwx2ckNFpNDK/6yQgrKaHTewAAj
-----END CERTIFICATE-----
---
Server certificate
subject=/C=BE/OU=Domain Control Validated/CN=ma.ttias.be
issuer=/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
---

There is much more output, like the intermediate CA certificates, the raw (encoded) certificates and more information on the ciphers used to negotiate with the remote server.

You can use it to find the expiration date, to test for SSL connection errors, …
