5

Consider this:

$ nmap security.stackexchange.com -oX - -p 443 --script=ssl-cert | grep 'pem'
<elem key="pem">-&#45;&#45;&#45;&#45;BEGIN CERTIFICATE-&#45;&#45;&#45;&#45;&#xa;MIIGsjCCBZqgAwIBAgIQCTaYT9gNC0RFj3x3zaPxZDANBgkqhkiG9w0BAQsFADBw&#xa;MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3&#xa;d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz&#xa;dXJhbmNlIFNlcnZlciBDQTAeFw0xNjA1MjEwMDAwMDBaFw0xOTA4MTQxMjAwMDBa&#xa;MGoxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJOWTERMA8GA1UEBxMITmV3IFlvcmsx&#xa;HTAbBgNVBAoTFFN0YWNrIEV4Y2hhbmdlLCBJbmMuMRwwGgYDVQQDDBMqLnN0YWNr&#xa;ZXhjaGFuZ2UuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr0YD&#xa;zscT5i6T2FaRsTGNCiLB8OtPXu8N9iAyuaROh/nS0kRRsN8wUMk1TmgZhPuYM6oF&#xa;S377V8W2LqhLBMrPXi7lnhvKt2DFWCyw38RrDbEsM5dzVGErmhux3F0QqcTI92zj&#xa;VW61DmE7NSQLiR4yonVpTpdAaO4jSPJxn8d+4p1sIlU2JGSk8LZSWFqaROc7KtXt&#xa;lWP4HahNRZtdwvL5dIEGGNWx+7B+XVAfY1ygc/UisldkA+a3D2+3WAtXgFZRZZ/1&#xa;CWFjKWJNMAI6ZBAtlbgSNgRYxdcdleIhPLCzkzWysfltfiBmsmgz6VCoFR4KgJo8&#xa;Gd3MeTWojBthM10SLwIDAQABo4IDTDCCA0gwHwYDVR0jBBgwFoAUUWj/kK8CB3U8&#xa;zNllZGKiErhZcjswHQYDVR0OBBYEFFrBQmPCYhOznZSEqjIeF8tto4Z7MIIBfAYD&#xa;VR0RBIIBczCCAW+CEyouc3RhY2tleGNoYW5nZS5jb22CEXN0YWNrZXhjaGFuZ2Uu&#xa;Y29tghFzdGFja292ZXJmbG93LmNvbYITKi5zdGFja292ZXJmbG93LmNvbYINc3Rh&#xa;Y2thdXRoLmNvbYILc3N0YXRpYy5uZXSCDSouc3N0YXRpYy5uZXSCD3NlcnZlcmZh&#xa;dWx0LmNvbYIRKi5zZXJ2ZXJmYXVsdC5jb22CDXN1cGVydXNlci5jb22CDyouc3Vw&#xa;ZXJ1c2VyLmNvbYINc3RhY2thcHBzLmNvbYIUb3BlbmlkLnN0YWNrYXV0aC5jb22C&#xa;GCoubWV0YS5zdGFja2V4Y2hhbmdlLmNvbYIWbWV0YS5zdGFja2V4Y2hhbmdlLmNv&#xa;bYIQbWF0aG92ZXJmbG93Lm5ldIISKi5tYXRob3ZlcmZsb3cubmV0gg1hc2t1YnVu&#xa;dHUuY29tgg8qLmFza3VidW50dS5jb22CEXN0YWNrc25pcHBldHMubmV0MA4GA1Ud&#xa;DwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdQYDVR0f&#xa;BG4wbDA0oDKgMIYuaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NoYTItaGEtc2Vy&#xa;dmVyLWc1LmNybDA0oDKgMIYuaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NoYTIt&#xa;aGEtc2VydmVyLWc1LmNybDBMBgNVHSAERTBDMDcGCWCGSAGG/WwBATAqMCgGCCsG&#xa;AQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAgGBmeBDAECAjCB&#xa;gwYIKwYBBQUHAQEEdzB1MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy&#xa;dC5jb20wTQYIKwYBBQUHMAKGQWh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9E&#xa;aWdpQ2VydFNIQTJIaWdoQXNzdXJhbmNlU2VydmVyQ0EuY3J0MAwGA1UdEwEB/wQC&#xa;MAAwDQYJKoZIhvcNAQELBQADggEBABC0Q7CJwKDVFD97KCgMudMo1eNzfxjZRZjs&#xa;t9C+B7WXr+kJmsKFRwK4wZrWb8rBb0d4M+vQfTGTT7S0JIp0+4WLmkQ7i+0YA90l&#xa;eAhS0KuC4p8M+KzMLovgdc/B9/bQVGuQNuLfiZOCYvM25xlMSS/awoWZh5EJBEyE&#xa;vIgJeK+0LfEOMqPNmrelfKVQklXkbbsCREfeDdX1jIwYeXXy8GGfJZSnnbQd14iU&#xa;6DAI/9WBxyokj5Pp53esXahLyBGTL8jrfy5E4P4SYTF/WJsUK283SrS3Mv9ftmho&#xa;4Sq2zWnDrQ6li2do0YHJIqkJZKrjTevgpvnyFLtvvd40pU5D/PU=&#xa;-&#45;&#45;&#45;&#45;END CERTIFICATE-&#45;&#45;&#45;&#45;&#xa;</elem>

Is there a command-line tool (or a library) that would let me easily tell if this certificate is trusted and which domain(s) it is valid for?

unor
  • 1,769
  • 1
  • 19
  • 39
d33tah
  • 6,514
  • 8
  • 39
  • 61
  • I think you can use `certutil` avialable in windows. Sample paste here https://ghostbin.com/paste/kza2z – Sravan Aug 18 '16 at 17:53
  • Based on the answers, I created a small one-liner: `nmap -n security.stackexchange.com -oX - -p 443 --script=ssl-cert | grep 'pem' | cut -d'>' -f2 | cut -d'<' -f1 | xmlstarlet unesc | openssl x509 -in - -text | rg -A1 'Subject: CN|Subject Alternative Name'` – d33tah Nov 29 '21 at 21:17

2 Answers2

14

First you need to decode all the HTML/XML entities like &#45; etc. Once you've done this you get something like this:

-----BEGIN CERTIFICATE-----
MIIGsjCCBZqgAwIBAgIQCTaYT9gNC0RFj3x3zaPxZDANBgkqhkiG9w0BAQsFADBw
...
-----END CERTIFICATE-----

which domain(s) it is valid for?

Then you could use openssl x509 -in yourfile -text which gives you the details of the certificate including the domains this certificate is for:

...
Subject: C=US, ST=NY, L=New York, O=Stack Exchange, Inc., CN=*.stackexchange.com
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA

...
X509v3 Subject Alternative Name: 
  DNS:*.stackexchange.com, DNS:stackexchange.com, DNS:stackoverflow.com, 
  DNS:*.stackoverflow.com, DNS:stackauth.com, DNS:sstatic.net, 
  DNS:*.sstatic.net, DNS:serverfault.com, DNS:*.serverfault.com,      
  DNS:superuser.com, DNS:*.superuser.com, DNS:stackapps.com, 
  DNS:openid.stackauth.com, DNS:*.meta.stackexchange.com, 
  DNS:meta.stackexchange.com, DNS:mathoverflow.net, DNS:*.mathoverflow.net, 
  DNS:askubuntu.com, DNS:*.askubuntu.com, DNS:stacksnippets.net

if this certificate is trusted

To check if this certificate is trusted you need to have the trust store you want to check against. And you probably need to get any intermediate certificates. Once you have this see the detailed description in Use openssl to individually verify components of a certificate chain.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
  • Thanks for the answer! I'm not sure I understand the part about intermediate certificates. Will the contents of the `ca-certificates` package do? Once I have them, what would the command look like? I'd like to build a script that tells me whether this certificate can be trusted and if it can, for which domains. – d33tah Aug 18 '16 at 18:58
  • 1
    @d33tah: `ca-certificates` contains only the trusted root CA certs. A server certificate is usually not signed by such a root CA directly but by an intermediate CA which then is signed by the root CA (or even more intermediates). You need these "chain certificates" to build the trust chain to the root CA. These chain certificates are usually send within the TLS handshake by the server so that the browser has these for verification. See http://security.stackexchange.com/questions/56389/ssl-certificate-framework-101-how-does-the-browser-actually-verify-the-validity – Steffen Ullrich Aug 18 '16 at 19:29
1

Steffen Ullrich has already answered for the case of parsing the output of nmap security.stackexchange.com -oX - -p 443 --script=ssl-cert

However, if you don't need to use nmap, I'd recommend simply using openssl:

openssl s_client -connect security.stackexchange.com:443

The output will contain the pem certificate in plain text, and Verify return code: 0 (ok) meaning it is trusted (other options would be selfsigned, etc.) If it doesn't find your trust store automatically you will need to provide -CApath or -CAfile.

Thus, we can use a command like:

openssl s_client -connect security.stackexchange.com:443 < /dev/null | sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p;/Verify return code:/p' > certificate.txt

Which we can then inspect:

openssl x509 -in certificate.txt -noout -text

In this case the interesting bits are:

Subject: C=US, ST=NY, L=New York, O=Stack Exchange, Inc., CN=*.stackexchange.com

X509v3 Subject Alternative Name: DNS:.stackexchange.com, DNS:stackexchange.com, DNS:stackoverflow.com, DNS:.stackoverflow.com, DNS:stackauth.com, DNS:sstatic.net, DNS:.sstatic.net, DNS:serverfault.com, DNS:.serverfault.com, DNS:superuser.com, DNS:.superuser.com, DNS:stackapps.com, DNS:openid.stackauth.com, DNS:.meta.stackexchange.com, DNS:meta.stackexchange.com, DNS:mathoverflow.net, DNS:.mathoverflow.net, DNS:askubuntu.com, DNS:.askubuntu.com, DNS:stacksnippets.net

For the wildcard entries we know that it is valid for any subdomain of eg. .stackexchange.com but not the actual domains used by the company.

If you want to store the intermediate certificates, instead of just the server cert, you can add -showcerts.

Ángel
  • 18,188
  • 3
  • 26
  • 63