Certificate check
There is a command-line utility that can check when an SSL certificate expires: www.ks-soft.net/download/utils/certcheck.zip
It can be used with HostMonitor's Shell Script test method.
There are one obligatory and four optional parameters.
Usage: certcheck.exe -host:<host_name> [-port:<port>] [-threshold:<days>] [-withinfo] [-timeout:<timeout>]
Parameters:
-host : Name or IP of the host where the certificate is located
-port : TCP port number. Default port is 443
-threshold : Alert when certificate expires in NN days or less. Default: 0
-withinfo : Tells the program to display certificate info
-timeout : Communication timeout (msec).
Examples:
certcheck -host:www.ssl.com
certcheck -host:talk.google.com -port:5223
certcheck -host:192.168.1.100 -port:25 -withinfo
Regards
Alex
Hi,
Thanks, this is great
Works for me perfect, also querying Domaincontroller Certificates.
There is also an example for SMTP, but when I try to query our SMTP SSL certificate, I get the following error:
SSL cannot be initialized. erro:1408F108:SS routines:SSL3_GET_RECORD:wrong version number
The same on our FTPS server. Is there maybe a way to check these certificates also?
Regards,
Martin
mp1 wrote:
> SSL cannot be initialized. erro:1408F108:SS routines:SSL3_GET_RECORD:wrong version number
> The same on our FTPS server. Is there maybe a way to check these certificates also?
Actually, our utility is not so smart.
It is able to check the certificate if the secure connection is established right after the initial connection (implicit mode). I suppose your mail server and FTP server provide TLS authentication and establish the secure connection after a special key phrase, like STARTTLS (explicit mode). So, in order to get the certificate info, the utility would need to provide some protocol-dependent communication routine. I'm sorry, this utility is not designed to support FTP, SMTP, etc. protocols.
Regards,
Max
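The two cases discussed above, certcheck's expiry-threshold rule from the first post and the implicit-versus-explicit (STARTTLS / AUTH TLS) distinction Max explains, as an added example that is not part of the original thread or of the certcheck utility. It uses only Python's standard library; the `mode` names, the `DEFAULT_TIMEOUT_MS` value and the output wording are assumptions of this example, not certcheck's. Because the default context verifies the chain, an already-expired certificate surfaces as a verification error, which the wrapper reports as an alert rather than as a day count.

```python
"""Certificate-expiry check for implicit and explicit TLS (added example)."""
import ftplib
import smtplib
import socket
import ssl
import time
from typing import Optional, Tuple

DEFAULT_PORT = 443          # same default as certcheck's -port
DEFAULT_TIMEOUT_MS = 5000   # assumed value; certcheck's own default is not stated


def evaluate(not_after: str, threshold_days: int = 0,
             now_epoch: Optional[float] = None) -> Tuple[str, int]:
    """Apply certcheck's threshold rule to a certificate's notAfter field.

    not_after is the string that ssl.SSLSocket.getpeercert() returns, e.g.
    "Jan 31 00:00:00 2030 GMT". Alert when the certificate expires in
    threshold_days or fewer; an expired certificate gives a negative day
    count and therefore always alerts. now_epoch is injectable for testing.
    """
    expires_epoch = ssl.cert_time_to_seconds(not_after)
    if now_epoch is None:
        now_epoch = time.time()
    days_left = int((expires_epoch - now_epoch) // 86400)
    status = "ALERT" if days_left <= threshold_days else "OK"
    return status, days_left


def fetch_peer_cert(host: str, port: int = DEFAULT_PORT, mode: str = "implicit",
                    timeout_ms: int = DEFAULT_TIMEOUT_MS) -> Tuple[dict, str, str]:
    """Return (cert_dict, tls_version, cipher_name) for the service on host:port.

    mode="implicit": TLS starts right after the TCP connect (HTTPS on 443,
                     XMPP-over-TLS on 5223); this is the only case certcheck handles.
    mode="smtp":     plain SMTP first, then STARTTLS (explicit mode).
    mode="ftp":      plain FTP first, then AUTH TLS (explicit mode, typically port 21).
    """
    ctx = ssl.create_default_context()   # verifies chain and hostname
    timeout = timeout_ms / 1000.0
    if mode == "smtp":
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)   # upgrade after the EHLO exchange
            tls = smtp.sock
            return tls.getpeercert(), tls.version(), tls.cipher()[0]
    if mode == "ftp":
        ftp = ftplib.FTP_TLS(context=ctx, timeout=timeout)
        ftp.connect(host, port)
        ftp.auth()                       # sends AUTH TLS and wraps the control socket
        try:
            tls = ftp.sock
            return tls.getpeercert(), tls.version(), tls.cipher()[0]
        finally:
            ftp.close()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version(), tls.cipher()[0]


def certcheck(host: str, port: int = DEFAULT_PORT, threshold_days: int = 0,
              mode: str = "implicit", with_info: bool = False,
              timeout_ms: int = DEFAULT_TIMEOUT_MS) -> str:
    """Mirror certcheck's command line and return a one-line report."""
    try:
        cert, version, cipher = fetch_peer_cert(host, port, mode, timeout_ms)
    except ssl.SSLCertVerificationError as exc:
        # Expired, untrusted or mis-named certificates land here.
        return f"ALERT {host}:{port} certificate failed verification: {exc.verify_message}"
    except (OSError, smtplib.SMTPException, ftplib.Error) as exc:
        return f"ERROR {host}:{port} {exc}"
    status, days_left = evaluate(cert["notAfter"], threshold_days)
    line = f"{status} {host}:{port} expires in {days_left} day(s)"
    if with_info:   # equivalent of certcheck's -withinfo, plus negotiated TLS parameters
        subject = dict(x[0] for x in cert["subject"]).get("commonName", "?")
        issuer = dict(x[0] for x in cert["issuer"]).get("commonName", "?")
        line += f" | CN={subject} issuer={issuer} {version} {cipher}"
    return line


if __name__ == "__main__":
    # Same targets as the examples in the first post; network access required.
    print(certcheck("www.ssl.com", threshold_days=30, with_info=True))
    print(certcheck("talk.google.com", port=5223, threshold_days=30))
```

For an SMTP server that expects STARTTLS, call `certcheck("mail.example.net", port=25, mode="smtp")`; the "wrong version number" error in the post is exactly what an implicit-mode client sees when it sends a TLS ClientHello to a server that is still speaking plain SMTP.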
Examples listed in the first post:
certcheck -host:www.ssl.com
certcheck -host:talk.google.com -port:5223
certcheck -host:192.168.1.100 -port:25 -withinfo
If you set up the Shell Script test method, then you should specify the parameters using the "Params" field of the test.
E.g.
-host:www.ssl.com -threshold:30
or
-host:talk.google.com -port:5223
The "Start cmd" property of the Shell Script test may look like
cmd /c c:\HostMonitor\certcheck.exe %Params%
Regards
Alex
> And using e.g. CommentLines as params...? E.g. params for hostname and threshold..
You cannot do that.
Regards
Alex
I have just stumbled upon this wonderful tool.
Something else I didn't think I needed.
I am having difficulty with one site in particular. It has a valid cert and is accessible from all browsers.
I do know it has to do with the site which is running in FIPS 140-2 mode. If I disable it the check succeeds. Can these types of sites be checked?
I noticed the SSL libraries were from 2007, so I tried updating them, but the exe complained that no libraries were found.
Is this something that can be easily done?
Regards
Can we access this site for testing?
Regards
Alex
> I noticed the SSL libraries were from 2007, so I tried updating them, but the exe complained that no libraries were found.
Please do not change the libeay32.dll and ssleay32.dll files that come with HostMonitor. These files are located in the HostMonitor folder and are used by HostMonitor only.
Regards
Alex
> Please do not change the libeay32.dll and ssleay32.dll files that come with HostMonitor. These files are located in the HostMonitor folder and are used by HostMonitor only.
The certcheck utility is provided with its own set of SSL libraries. These are the ones I attempted to update. The SSL libraries in the HostMonitor directory were not modified, and I assumed they are independent of the certcheck utility. Besides, when it didn't work I put the originals back.
Our hope was that if we updated the libraries the check would succeed. I found this was not the case, and there seems to be a need for work to be done on the certcheck executable to use validated FIPS libraries.
Information is available on the openssl website. I am not sure exactly what it means.
Is compiling FIPS-validated libraries all that is required? Or is there more to it?
OpenSSL and FIPS 140-2
http://www.openssl.org/docs/fips/fipsnotes.html
Regards
> The certcheck utility is provided with its own set of SSL libraries.
I know. But the same rule applies to the certcheck utility: it's better not to replace these DLLs. It may not work correctly with a different version.
I read the manuals, trying to understand what exactly FIPS 140-2 means.
On one hand, the requirements for encryption, key exchange and hashing sound familiar:
- Transport Layer Security (TLS) protocol;
- only the Triple DES encryption algorithm for the TLS traffic encryption;
- RSA public key algorithm for the TLS key exchange and authentication;
- SHA-1 for the TLS hashing
These are supported by OpenSSL and HostMonitor/CertCheck.
On the other hand, there are some additional requirements for integrity checks and so on. It looks like without another module from OpenSSL and without some modifications on our side, this test will not work with FIPS 140-2.
Regards
Alex
> I know. But the same rule applies to the certcheck utility: it's better not to replace these DLLs. It may not work correctly with a different version.
No problem. I understand completely.
And thank you for looking into FIPS 140-2 support. It is not really mainstream at the moment, but it is gaining popularity, especially when dealing with security compliance.
I can live without checking the few sites with FIPS for the moment. I intend to do some of my own research on the matter to stay ahead of the curve. If I come across new information that I think would benefit a possible implementation, I will post back in this thread.
Regards