Validation of SSL certificates for revocation
Nowadays, one of the most important aspects of secure information transmission is encryption. Transmission data from client to server is encrypted using an SSL certificate. A certificate is a public key certified by a certification authority.
All SSL certificates are usually issued for a limited period, after which they expire and must be reissued. However, there are times when a certificate can be revoked before it expires. There are quite a few reasons for revoking an SSL certificate, the most common of which is that the private key has been lost or compromised, company registration data has changed, etc.
There are 2 alternative ways to check if the SSL certificate is in revocation lists:
Consider both of these methods in more detail using the Ubuntu console. And as an example, let's check the revocation certificate for habr.com domain.
')
Download the certificate of the domain of interest to us:
Thank you legioner for the hint to add the -servername parameter - it is necessary for the correct selection of the certificate if there are several of them (SNI) on the same IP address.
See the details of the certificate:
Here we are interested in the “Full Name” item in the “X509v3 CRL Distribution Points” section.
Download this link CLR list:
We tear out the serial number of the certificate:
See if this number is in the CRL list:
If nothing is found, then the certificate is not revoked.
Let's display on the screen the certificate of the domain we are interested in and the chain of intermediate (Intermediate) certificates:
Save the domain certificate and intermediate certificate into files (code between the lines ----- BEGIN CERTIFICATE ----- and ----- END CERTIFICATE -----):
Define the OCSP server:
Send a request to the OCSP server to check the certificate for revocation:
If everything is correct, the OCSP server should return the certificate information.
Here the last lines are of interest:
The absence of a certificate in the list of revoked is indicated by the value “good”; if the certificate is revoked, the value will be “revoked”.
It is not always convenient to check SSL certificates for manual revocation, so the verification process can be automated.
To do this, use the ready-made ssl-check-revoc.sh script from Github , which checks the certificates using the CRL method:
Next, make the script executable:
Now you can check both already installed certificates for the domain and those stored locally in files (option -f):
The ssl-check-revoc.sh script can check certificates not only from the console, it is also quite suitable as a checker for Zabbix, so all the dirty work of tracking certificates into the revocation list can be assigned to the monitoring system.
Go to the Zabbix config /etc/zabbix/zabbix_server.conf and see where the scripts for external checks are:
Copy our script into this directory and restart Zabbix:
Go to the web interface and create a template (Configuration >> Templates >> Create template). We specify “Template SSL Checking” as the template name. Then inside the template we create the data item (Item) “SSL Certificate in Revocation List”, with “ssl-check-revoc.sh [{HOST.NAME}]” as the key, with the type of check “External check”. The inspection interval can be set at your discretion depending on the criticality of the project.
You will also need two triggers:
1. To signal the revocation of the certificate “Certificate for domain {HOST.NAME} is in revocation list”
Expression: "{Template Custom SSL Checking: ssl-check-revoc.sh [{HOST.NAME}]. Last ()} = 1"
2. To signal an error in case something goes wrong (for example, there will be problems with the CLR server, etc.) “Error to check certificate for domain {HOST.NAME}”
Expression: "{Template Custom SSL Checking: ssl-check-revoc.sh [{HOST.NAME}]. Last ()} = 2"
Do not forget in the actions (Configuration >> Actions) to configure the way of notification in case of triggering triggers.
Now it remains to create hosts, whose certificates we will regularly check (Configuration >> Hosts >> Create host). On the Templates tab, we link our Template SSL Checking template.
And that's it! You can sleep peacefully: if the SSL certificate of your domain for any reason falls into the revoked list, Zabbix will immediately inform you.
All SSL certificates are usually issued for a limited period, after which they expire and must be reissued. However, there are times when a certificate can be revoked before it expires. There are quite a few reasons for revoking an SSL certificate, the most common of which is that the private key has been lost or compromised, company registration data has changed, etc.
There are 2 alternative ways to check if the SSL certificate is in revocation lists:
- CRL (Certificate Revocation List) - checks for the serial number of the certificate in the revocation list.
- OCSP (Online Certificate Status Protocol) - a certificate is sent to a specialized server, where its status is checked.
Consider both of these methods in more detail using the Ubuntu console. And as an example, let's check the revocation certificate for habr.com domain.
')
CRL
Download the certificate of the domain of interest to us:
echo -n | openssl s_client -connect habr.com:443 -servername habr.com 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/habr.com.crt Thank you legioner for the hint to add the -servername parameter - it is necessary for the correct selection of the certificate if there are several of them (SNI) on the same IP address.
See the details of the certificate:
openssl x509 -noout -text -in /tmp/habr.com.crt Here we are interested in the “Full Name” item in the “X509v3 CRL Distribution Points” section.
Download this link CLR list:
wget http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl We tear out the serial number of the certificate:
openssl x509 -in /tmp/habr.com.crt -noout -serial See if this number is in the CRL list:
openssl crl -inform DER -text -in COMODORSADomainValidationSecureServerCA.crl | grep "90E58B0601C3AD98F07AEE092041C437" If nothing is found, then the certificate is not revoked.
OCSP
Let's display on the screen the certificate of the domain we are interested in and the chain of intermediate (Intermediate) certificates:
echo -n | openssl s_client -connect habr.com:443 -showcerts Save the domain certificate and intermediate certificate into files (code between the lines ----- BEGIN CERTIFICATE ----- and ----- END CERTIFICATE -----):
/tmp/habr.com.crt /tmp/intermediate.crt Define the OCSP server:
openssl x509 -in /tmp/habr.com.crt -noout -ocsp_uri Send a request to the OCSP server to check the certificate for revocation:
openssl ocsp -url http://ocsp.comodoca.com -issuer /tmp/intermediate.crt -cert /tmp/habr.com.crt -text If everything is correct, the OCSP server should return the certificate information.
Here the last lines are of interest:
Response verify OK /tmp/habr.com.crt: good The absence of a certificate in the list of revoked is indicated by the value “good”; if the certificate is revoked, the value will be “revoked”.
Automation
It is not always convenient to check SSL certificates for manual revocation, so the verification process can be automated.
To do this, use the ready-made ssl-check-revoc.sh script from Github , which checks the certificates using the CRL method:
wget https://raw.githubusercontent.com/o-pod/security/master/ssl-check-revoc.sh Next, make the script executable:
chmod a+x ssl-check-revoc.sh Now you can check both already installed certificates for the domain and those stored locally in files (option -f):
./ssl-check-revoc.sh habr.com -v Zabbix
The ssl-check-revoc.sh script can check certificates not only from the console, it is also quite suitable as a checker for Zabbix, so all the dirty work of tracking certificates into the revocation list can be assigned to the monitoring system.
Go to the Zabbix config /etc/zabbix/zabbix_server.conf and see where the scripts for external checks are:
ExternalScripts=/etc/zabbix/externalscripts Copy our script into this directory and restart Zabbix:
sudo cp ssl-check-revoc.sh /etc/zabbix/externalscripts/ sudo systemctl restart zabbix-server Go to the web interface and create a template (Configuration >> Templates >> Create template). We specify “Template SSL Checking” as the template name. Then inside the template we create the data item (Item) “SSL Certificate in Revocation List”, with “ssl-check-revoc.sh [{HOST.NAME}]” as the key, with the type of check “External check”. The inspection interval can be set at your discretion depending on the criticality of the project.
You will also need two triggers:
1. To signal the revocation of the certificate “Certificate for domain {HOST.NAME} is in revocation list”
Expression: "{Template Custom SSL Checking: ssl-check-revoc.sh [{HOST.NAME}]. Last ()} = 1"
2. To signal an error in case something goes wrong (for example, there will be problems with the CLR server, etc.) “Error to check certificate for domain {HOST.NAME}”
Expression: "{Template Custom SSL Checking: ssl-check-revoc.sh [{HOST.NAME}]. Last ()} = 2"
Do not forget in the actions (Configuration >> Actions) to configure the way of notification in case of triggering triggers.
Now it remains to create hosts, whose certificates we will regularly check (Configuration >> Hosts >> Create host). On the Templates tab, we link our Template SSL Checking template.
And that's it! You can sleep peacefully: if the SSL certificate of your domain for any reason falls into the revoked list, Zabbix will immediately inform you.
Source: https://habr.com/ru/post/417521/
All Articles