Slashdot Mirror

← Back to Stories (view on slashdot.org)

Crawling for Certificates?

Posted by Cliff on from the bit-sized-needles-in-a-digital-haystack dept.

flosofl asks: "I work for a large company in the Authentication and Cryptography Group. Recently, we have decided to centralize all management of our certificates. Right now we manage something on the order of 200 certs. We estimate that there may be something on the order of 100-150 certs in our enterprise that we are unaware of/managed locally. What we especially want to eliminate are the 'in house' cert servers that have cropped up here and there. What we need is a tool to crawl the network and discover these certificates. I thought maybe nmap, but could not find any options for this. I am aware of the Certificate Discovery Protocol, but can find nothing other than specification pages and I am not a programmer. We would like some kind of tool that would crawl the networks and discover servers with VeriSign, InstaSSL, and type of certs. We also would like to keep it inexpensive (sub $10,000). Any help would be appreciated."

3 of 30 comments (clear)

  1. openssl sclient by cnvogel · · Score: 4, Informative

    Hi,

    1.) nmap your network. Find https-servers (port 443), imaps, pop3s, ssmtp. Those should run ssl on connect.
    1.b) find imap, pop3, smtp servers that support STARTTLS
    1.c) use openssl s_client -showcerts -connect host:port to get the certificate
    2.) ?
    3.) Profit!

    Chris

  2. Done by Permission+Denied · · Score: 5, Informative
    I'd like my $10,000 in small unmarked bills.

    nmap your_network_here -p 443 -oG - | awk '/443\/open/ {print $2;}' | while read i ; do
    openssl s_client -showcerts -connect $i:443 < /dev/null 2>/dev/null | fgrep -v your_certficate_authority_here >/dev/null 2>&1 && echo $i
    done

    Two minutes, three lines of code, $10,000 - I'm undercharging my employer!

    Seriously, though, don't run this without understanding each part. If you have a large network, split it up into separate commands using temp files. You'll probably want to add some code to check for self-signed certificates (assuming those aren't against your "corporate policy"). You'll also want to scan other ports running SSL directly, such as 995. Some services more commonly use STARTTLS in which case the openssl s_client won't work (LDAP v3, SMTP). For these services, you'll need to write a small network program linked to openssl that knows enough of the protocol to initiate STARTTLS and grab the certs. Overall, this is a half day of work at most for little programs to test all the STARTTLS possibilities.

    I really have to question your company's judgment if they're willing to spend that much money on something so trivial. If you're large enough that rogue certificate servers actually pose a problem, you should definitely have some good *nix admin/network/systems programmer-types types who can do this for you.

  3. Re:Wrong solution by dubl-u · · Score: 4, Insightful
    Searching for certificates is the wrong way to handle this. I advise to simply make it a policy to not use any certificates for company use which are not maintained by you.

    Ok. The original poster's solution isn't so great, but just declaring it "policy" is about three orders of magnitude dumber.

    Here's a simple, 4-step plan to solving the problem.
    1. understand the problem -- Find out why people are creating their own certificates. There will be plenty of legitimate reasons.
    2. give them something better -- Figure out a solution that addresses their needs as well as yours. And wherever possible, make it easier than what they're doing now. For example, create a web-based application that lets anybody in the company instantly get an officially blessed certificate.
    3. make a policy -- Explain, in clear business terms, why your policy is the least-impact way to solve a real business problem.
    4. enforce it -- Now you can set up the fancy automated scanner.
    Remember, the other people in your company are, for the most part, doing their jobs in the best way that they know how. (And even when they aren't, it's best to start off treating them that way.) If you know something about how they could do their jobs better (e.g., by improving security though better certificates), then help them to achieve that.

    But for fuck's sake, don't just go imposing random mandates on other people like some third-world dictator. I've consulted at some large companies that have so many rules, mandates, procedures, and forms that it's impossible to get anything productive done. And most of the good people figure that out and leave.