Most of our clients who use our vulnerability management service, HackRack, manage a large and usually interactive web application environment that makes use of SSL. HackRack would then often report on findings such as weak ciphers in use (critical if the client has to adhere to PCI DSS), mismatching cert names and domain names, and expired certs.
Now, this is easy to check and re-check when you have a couple of single hosts and openssl foo. But with a couple of hundred sites, things get interesting and time-consuming.
To enable our own guys and other security-minded folk, we built a Java-based SSL certificate miner that will show you the “Issued By” and “Issued To” information, plus whether the cert is strong and whether it has expired or will expire soon.
It's nice and clean, and does the job in reasonable time. Future checks will include SSL version checking – again something that is required by the PCI DSS to be up to date and reported. Monitor our blog for future releases.
Oh yes – please download from here.
Enjoy, and as always, please let us know where we have goofed or mistyped comments.
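The per-host check described above, written as an added Java example (not SensePost's tool or its code): it connects to each host given on the command line, prints the certificate's subject and issuer, and flags expiry and weak keys. The class name, the 30-day warning window, the 2048-bit RSA minimum and the MD5/SHA-1 signature check are assumptions chosen for illustration.

```java
import javax.net.ssl.*;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.time.*;
import java.util.*;

public class CertSurvey {
    static final int WARN_DAYS = 30;      // assumption: what counts as "expires soon"
    static final int MIN_RSA_BITS = 2048; // assumption: what counts as a "strong" key
    // Fetch the leaf cert WITHOUT chain validation so expired or untrusted certs can be inspected.
    static X509Certificate fetch(String host, int port) throws Exception {
        TrustManager[] inspectOnly = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) {}
            public void checkServerTrusted(X509Certificate[] c, String a) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }};
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, inspectOnly, null); // audit use only; never reuse for real traffic
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.setSoTimeout(5000);
            s.startHandshake();
            return (X509Certificate) s.getSession().getPeerCertificates()[0];
        }
    }
    // Expiry and strength findings for one certificate, relative to 'now'.
    static List<String> assess(X509Certificate cert, Instant now) {
        List<String> findings = new ArrayList<>();
        Instant notAfter = cert.getNotAfter().toInstant();
        if (notAfter.isBefore(now)) findings.add("EXPIRED on " + notAfter);
        else if (Duration.between(now, notAfter).toDays() <= WARN_DAYS)
            findings.add("expires soon, on " + notAfter);
        if (cert.getPublicKey() instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength();
            if (bits < MIN_RSA_BITS) findings.add("weak RSA key: " + bits + " bits");
        }
        if (cert.getSigAlgName().toUpperCase().matches(".*(MD5|SHA1).*"))
            findings.add("weak signature algorithm: " + cert.getSigAlgName());
        return findings;
    }
    public static void main(String[] hosts) {
        for (String host : hosts) {
            try {
                X509Certificate c = fetch(host, 443);
                System.out.printf("%s%n  issued to: %s%n  issued by: %s%n  findings: %s%n", host,
                    c.getSubjectX500Principal(), c.getIssuerX500Principal(), assess(c, Instant.now()));
            } catch (Exception e) { System.out.printf("%s%n  error: %s%n", host, e); }
        }
    }
}
```

Run it as `java CertSurvey.java host1 host2 ...` against hosts you are responsible for; a host that fails the handshake is reported as an error line instead of stopping the run.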
** Shameless training plug **
SensePost will be training and presenting again at BlackHat Vegas. Free stuff for those who attend!