Crawling for Certificates?

← Back to Stories (view on slashdot.org)

Posted by Cliff on Wednesday January 21, 2004 @05:12PM from the bit-sized-needles-in-a-digital-haystack dept.

flosofl asks: "I work for a large company in the Authentication and Cryptography Group. Recently, we have decided to centralize all management of our certificates. Right now we manage something on the order of 200 certs. We estimate that there may be something on the order of 100-150 certs in our enterprise that we are unaware of/managed locally. What we especially want to eliminate are the 'in house' cert servers that have cropped up here and there. What we need is a tool to crawl the network and discover these certificates. I thought maybe nmap, but could not find any options for this. I am aware of the Certificate Discovery Protocol, but can find nothing other than specification pages and I am not a programmer. We would like some kind of tool that would crawl the networks and discover servers with VeriSign, InstaSSL, and type of certs. We also would like to keep it inexpensive (sub $10,000). Any help would be appreciated."

1 of 30 comments (clear)

Min score:

Reason:

Sort:

Done by Permission+Denied · 2004-01-21 20:29 · Score: 5, Informative

I'd like my $10,000 in small unmarked bills.
nmap your_network_here -p 443 -oG - | awk '/443\/open/ {print $2;}' | while read i ; do openssl s_client -showcerts -connect $i:443 < /dev/null 2>/dev/null | fgrep -v your_certficate_authority_here >/dev/null 2>&1 && echo $i done

Two minutes, three lines of code, $10,000 - I'm undercharging my employer!
Seriously, though, don't run this without understanding each part. If you have a large network, split it up into separate commands using temp files. You'll probably want to add some code to check for self-signed certificates (assuming those aren't against your "corporate policy"). You'll also want to scan other ports running SSL directly, such as 995. Some services more commonly use STARTTLS in which case the openssl s_client won't work (LDAP v3, SMTP). For these services, you'll need to write a small network program linked to openssl that knows enough of the protocol to initiate STARTTLS and grab the certs. Overall, this is a half day of work at most for little programs to test all the STARTTLS possibilities.
I really have to question your company's judgment if they're willing to spend that much money on something so trivial. If you're large enough that rogue certificate servers actually pose a problem, you should definitely have some good *nix admin/network/systems programmer-types types who can do this for you.