SSL Certificate discovery script

Heartbleed... well, if you were vulnerable you need to replace (and, importantly, re-key) every certificate whose private key may have been exposed. Remember that although only OpenSSL was vulnerable, if you use the same certificate on multiple platforms you will need to reissue it everywhere it is installed, not just on the devices that were running the now-patched OpenSSL.

Identifying all your vulnerable devices is a task in itself, but finding where all your certificates are installed, so that you can begin reissuing them, can be an impressive feat on its own.

Scripting a discovery scan

The bash script below scans a list of IP addresses or DNS names and reports the Common Name (CN) of the certificate each one presents on port 443.

At this time, there are a couple of known limitations of the script:

  1. If you are using a SAN certificate to secure multiple domains, only the Common Name is reported; the additional Subject Alternative Names are not.
  2. The script will not work correctly if the IP address is bound to a server that relies on Server Name Indication (SNI), because it does not send a server name when connecting.
  3. DNS names are scanned using the first contactable address only. If you use DNS round robin for load balancing/distribution, you must remember to replace the certificate on all of the devices behind that name.

Use of this script is at your own risk and should not be your sole method to ensure you have new certificates installed on all servers.

Running the script

First create a new directory to place the below script and the input and output files.

Create a new script file using the content below and assign the required rights.

vi SSLDiscovery.sh 
chmod u+x SSLDiscovery.sh

The script:

#!/bin/bash
# Connect to port 443 of the target in $1, extract the Common Name from the
# certificate subject and append it to SSLDiscovery.log.
# -nameopt RFC2253 gives "subject=CN=name,O=..." on every OpenSSL version, so
# the CN can be cut out reliably (the old awk -F"CN=" split broke on newer
# OpenSSL builds that print "CN = name").
findCert() {
    echo "Checking: $1"
    String=$(echo | openssl s_client -connect "$1:443" 2>/dev/null \
             | openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null \
             | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    echo "$1 uses: $String" >> SSLDiscovery.log
}

# Scan every target listed in ScanTargets.txt, one per line, running at most
# 50 checks in parallel.
while IFS= read -r line
do
    [ -z "$line" ] && continue
    while [ "$(jobs | wc -l)" -ge 50 ]
    do
        sleep 5
    done
    findCert "$line" &
done < ScanTargets.txt
wait

Now create a new file called ScanTargets.txt and enter a list of the IPs and/or DNS entries to be scanned, one per line.

Once complete, you can then run the script:

./SSLDiscovery.sh

Output will be sent to the SSLDiscovery.log file.
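As an added example, not the original post's script, the following bash script addresses the three limitations listed above: it reports the Subject Alternative Name entries as well as the CN, sends the target name as SNI with -servername, and resolves every IPv4 address behind a DNS name (with getent ahostsv4 on glibc systems, falling back to dig) so each round-robin member is checked separately. The function names, the output format and the fallback to dig are my own assumptions; it prints to standard output rather than to SSLDiscovery.log.

```shell
#!/bin/bash
# Added example: certificate discovery with SAN, SNI and full DNS resolution.
# Usage: ./SSLDiscoverySAN.sh host-or-ip [host-or-ip ...] > SSLDiscoverySAN.log

# Read one PEM certificate on stdin and print "CN=<cn> SAN=<dns,dns,...>".
# RFC2253 subject formatting keeps "CN=" parsing stable across OpenSSL versions;
# SAN entries are taken from the DNS: items of the -text dump (IP SANs ignored).
cert_names() {
    local pem cn sans
    pem=$(cat)
    cn=$(printf '%s\n' "$pem" | openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    sans=$(printf '%s\n' "$pem" | openssl x509 -noout -text 2>/dev/null \
         | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://' | paste -sd, -)
    printf 'CN=%s SAN=%s\n' "${cn:-<none>}" "${sans:-<none>}"
}

# Fetch the leaf certificate from $2 (an IP address) on port ${3:-443},
# sending $1 as the SNI server name so SNI-bound virtual hosts answer correctly.
fetch_cert() {
    echo | openssl s_client -connect "$2:${3:-443}" -servername "$1" 2>/dev/null \
        | openssl x509 2>/dev/null
}

# Print every IPv4 address for a name (an IP literal is returned unchanged).
# getent ahostsv4 is glibc-specific; dig is assumed available elsewhere.
resolve_all() {
    if command -v getent >/dev/null 2>&1; then
        getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
    else
        dig +short A "$1" 2>/dev/null | grep -E '^[0-9.]+$' | sort -u
    fi
}

# Check every address behind a target, one output line per address.
scan_target() {
    local name=$1 ip
    for ip in $(resolve_all "$name"); do
        printf '%s (%s): %s\n' "$name" "$ip" "$(fetch_cert "$name" "$ip" | cert_names)"
    done
}

# Targets come from the command line; nothing runs when there are none.
if [ "$#" -gt 0 ]; then
    for target in "$@"; do
        scan_target "$target"
    done
fi
```

Because every address returned for a name is scanned, a round-robin pool that still has an old certificate on one member shows up as a differing line for that IP; the original script's 50-job throttle can be wrapped around scan_target in the same way if the target list is large.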

Image credit: Snoopsmaus
