How can I scan a IP & Port range to get information about all SSL certificates in use

linux ssl ssl-certificate centos6 rhel6

6,292

Technically, if the server is using SNI, you won't be able to extract all the certificates, as you need to specify each hostname during SSL negotiation (on client hello).

Not specifying the hostname would send you the default site, but you won't have any means to know what other sites it's hosting, as reverse DNS is not very trustworthy.

This script will take some time, as it is going for the default openssl timeout, but will get the dates, issuer and subject (and lastly the port where it found it) of every "default" certificate of a server. Enclose it with another loop to do the IP range, but will take forever to finish.

for (( i=1; i<10000; i++ )) ; do openssl s_client  -connect SITENAME:$i </dev/null 2>/dev/null | awk 'BEGIN {a=0} /BEGIN CERT/ {a=1} (a>0) {print} /END CERT/ {a=0}' | openssl x509 -noout -subject -issuer -dates 2>/dev/null && echo On port $i; done

6,292

mystupidquestion

Updated on September 18, 2022

Comments

mystupidquestion over 1 year

From a Linux system, for a given IP range I need to check each open port to see if an SSL certificate is in use. For example, I would like to check ports 1 - 9999 on the address range 192.168.22.0/24. If an open port is using an SSL certificate I'd like to retrieve the CN name, expiration date, etc... I've found lots of tools that will check common ports like 443 or 8443 but I need to find SSL certs in use on non standard ports. Any tool suggestions or advice is appreciated. Thanks.
deagh over 9 years

You can define a range with '192.168.1.1-254' or '-sn 192.168.1.0/8'