Crawling for Certificates?
flosofl asks: "I work for a large company in the Authentication and Cryptography Group. Recently, we have decided to centralize all management of our certificates. Right now we manage something on the order of 200 certs. We estimate that there may be something on the order of 100-150 certs in our enterprise that we are unaware of/managed locally. What we especially want to eliminate are the 'in house' cert servers that have cropped up here and there. What we need is a tool to crawl the network and discover these certificates. I thought maybe nmap, but could not find any options for this. I am aware of the Certificate Discovery Protocol, but can find nothing other than specification pages and I am not a programmer. We would like some kind of tool that would crawl the networks and discover servers with VeriSign, InstaSSL, and type of certs. We also would like to keep it inexpensive (sub $10,000). Any help would be appreciated."
Windows -> Search -> All Files -> *.crt and make sure the network is selected as the place to search for files.
Are you only talking about unmanaged ("server") certificates? Do your employees use personal certificates for authentication/signing/encryption/non-repudiation/making toast/whatever?
As lots of posters have indicated, finding the ssl certificates is pretty easy.
Note that this only applies to individual's certificates, but what about keys? Not all keys are cert-based. Do you want to centrally manage employee or customer info via a PKI? Got a proper directory schema in place? Handling keys via tokens/got a token/card management system in place that'll hold up?
You should probably make sure you know the answers to those before starting anything.
Cole's Law: Thinly sliced cabbage
Ok. The original poster's solution isn't so great, but just declaring it "policy" is about three orders of magnitude dumber.
Here's a simple, 4-step plan for solving the problem.
- understand the problem -- Find out why people are creating their own certificates. There will be plenty of legitimate reasons.
- give them something better -- Figure out a solution that addresses their needs as well as yours. And wherever possible, make it easier than what they're doing now. For example, create a web-based application that lets anybody in the company instantly get an officially blessed certificate.
- make a policy -- Explain, in clear business terms, why your policy is the least-impact way to solve a real business problem.
- enforce it -- Now you can set up the fancy automated scanner.
Remember, the other people in your company are, for the most part, doing their jobs in the best way that they know how. (And even when they aren't, it's best to start off treating them that way.) If you know something about how they could do their jobs better (e.g., by improving security through better certificates), then help them to achieve that. But for fuck's sake, don't just go imposing random mandates on other people like some third-world dictator. I've consulted at some large companies that have so many rules, mandates, procedures, and forms that it's impossible to get anything productive done. And most of the good people figure that out and leave.
It's possible that there are certificates in use that no one really knows about - for example, an HTTPS web application server set up for a group that just uses it without caring about all the technical details. Asking will probably find most of the certs, but there might be some other ones out there.
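Added example, not code from any poster here: a stdlib-only Python sketch of the "pretty easy" scan the replies allude to, aimed at exactly the kind of HTTPS server described above that nobody is tracking. It connects to a host and port, pulls the leaf certificate as DER, walks the RFC 5280 ASN.1 layout to read issuer CN, subject CN and expiry, and flags any issuer that is not one of the two commercial CAs the question names. The host/port list and the assumption that an approved CA's name appears in its issuer CN are mine.

```python
import socket
import ssl
from datetime import datetime, timezone

CN_OID = b"\x55\x04\x03"                  # 2.5.4.3 commonName
APPROVED_CAS = ("VeriSign", "InstaSSL")   # the commercial issuers the question names

def der_children(buf):
    """Split a run of DER TLVs (a SEQUENCE/SET body) into [(tag, value), ...]."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                   # long form: low bits give the byte count of the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def name_cn(name_der):
    """commonName from an X.501 Name: SEQUENCE OF (SET OF SEQUENCE { OID, value })."""
    for _, rdn in der_children(name_der):
        for _, attr in der_children(rdn):
            (_, oid), (_, value) = der_children(attr)[:2]
            if oid == CN_OID:
                return value.decode("utf-8", "replace")
    return None

def summarize(cert_der):
    """Subject CN, issuer CN and notAfter (UTC) of a DER X.509 certificate (RFC 5280 layout)."""
    tbs = der_children(der_children(cert_der)[0][1])[0][1]         # Certificate -> tbsCertificate
    fields = [f for f in der_children(tbs) if f[0] != 0xA0]        # drop optional explicit [0] version
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]  # after serial, sigAlg
    tag, not_after = der_children(validity)[1]
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"      # UTCTime vs GeneralizedTime
    expiry = datetime.strptime(not_after.decode(), fmt).replace(tzinfo=timezone.utc)
    return {"subject": name_cn(subject), "issuer": name_cn(issuer), "not_after": expiry}

def is_unmanaged(summary, approved=APPROVED_CAS):
    """True when the issuer CN names none of the approved CAs, i.e. a likely in-house cert server."""
    issuer = summary["issuer"] or ""
    return not any(ca.lower() in issuer.lower() for ca in approved)

def fetch_cert_der(host, port=443, timeout=3.0):
    """Fetch the leaf certificate without validating it: this is an inventory, not a trust decision."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE   # order matters: hostname check first
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)
```

Run `summarize(fetch_cert_der(host, port))` over your own host list and the TLS ports you allow (443, 8443, 636 and so on), catching OSError for ports that are closed or not speaking TLS, and keep the rows where `is_unmanaged()` is true. Those rows, sorted by `not_after`, are both the list of local cert servers to fold into central management and the expiry calendar you did not have before.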
mini-rant:
You said you would pay up to $10k for a solution.
If you don't have the skills to write the correct three lines of script, why should it matter that the correctly implemented solution is only three lines long?
Is this solution any less good than something written in a month that does the same thing, only in C++?
Are you embarrassed that actually the question you asked is trivial to implement, and you couldn't figure it out? Thus now your $10k seems like largesse....
What do you want, a solution? If three lines of script is too little, Counterpane, or a similar security consultancy, will probably do it for $10k+. (They have scripts that are 1000s of lines long, I'm sure! And they are pretty damn good.)