Articles in this section

See more
Self help
FAQ
["FAQ"]

How can I check the certificate validity of certain websites?

Avatar
Manny
  • Updated
Follow

There are toolkit methods of validating a website's certificate. For Linux, there's the openssl command and for Windows, a PowerShell command that creates a HttpWebRequest call.

For the PowerShell Toolkit:

Adding more websites to the powershell toolkit is trivial; however you would need to have a https:// prefix and add it within the script content as seen below:

Your dataview should look similar to this format.

For the Linux Toolkit:

Adding more websites to the Linux toolkit is easy as well; you can add more sites to the sampler script section.

Your dataview should look similar to this format. 

For the sampler's XML:

WinCertCheck.xml
<sampler name="WinCertCheck">
    <sampleInterval>
        <data>1200</data>
    </sampleInterval>
    <plugin>
        <toolkit>
            <samplerScript>
                <data>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  -executionpolicy bypass  -file &quot;CertCheck.ps1&quot;</data>
            </samplerScript>
            <script>
                <contents>
                    <data>$minimumCertAgeDays = 80000
$timeoutMilliseconds = 5000
$urls = @(
 &quot;https://resources.itrsgroup.com&quot;,
 &quot;https://helpdesk.itrsgroup.com&quot;,
 &quot;https://itrsgroup.webex.com&quot;,
 &quot;https://www.cisco.com&quot;,
 &quot;https://email.itrsgroup.com&quot;
 )
#disabling the cert validation check. This is what makes this whole thing work with invalid certs...
 [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
Write-Host Host`,Name`,Issuer`,Status`,Expires On`,Days Left -f Green
foreach ($url in $urls)
{
#Write-Host `n Checking $url -f Green
 $req = [Net.HttpWebRequest]::Create($url)
 $req.Timeout = $timeoutMilliseconds
try {$req.GetResponse() | Out-Null} catch {}
if ($req.ServicePoint.Certificate -ne $null)
    {
        [datetime]$expiration = $req.ServicePoint.Certificate.GetExpirationDateString()
        [int]$certExpiresIn = ($expiration - $(get-date)).Days
        $certName = $req.ServicePoint.Certificate.GetName()
        $certPublicKeyString = $req.ServicePoint.Certificate.GetPublicKeyString()
        $certSerialNumber = $req.ServicePoint.Certificate.GetSerialNumberString()
        $certThumbprint = $req.ServicePoint.Certificate.GetCertHashString()
        $certEffectiveDate = $req.ServicePoint.Certificate.GetEffectiveDateString()
        $certIssuer = $req.ServicePoint.Certificate.GetIssuerName() #need to parse out the commas
        $certType = $req.ServicePoint.Certificate.GetType()
        $expirationString = &quot;{0:dd MMMM yyyy hh:mm:ss}&quot; -f $expiration #display date in full
        if ($certExpiresIn -gt 0)
            {  $certStat = &quot;Valid&quot;  }
        else
            {  $certStat = &quot;Invalid&quot; }
        Write-Host $url`,($certName -replace &quot;,&quot; , &quot;\,&quot; )`,($certIssuer -replace &quot;,&quot; , &quot;\,&quot; )`,$certStat`,$expirationString`,$certExpiresIn
    }
}</data>
                </contents>
                <filename>
                    <data>CertCheck.ps1</data>
                </filename>
            </script>
        </toolkit>
    </plugin>
</sampler>
 
LinuxCertCheck.xml
<sampler name="LinuxCertCheck">
    <sampleInterval>
        <data>12000</data>
    </sampleInterval>
    <plugin>
        <toolkit>
            <samplerScript>
                <data>./ChkCert.sh resources.itrsgroup.com itrsgroup.webex.com cisco.com email.itrsgroup.com helpdesk.itrsgroup.com</data>
            </samplerScript>
            <script>
                <contents>
                    <data>#!/bin/bash
#set -x #for Debugging
#typical port for cert checking/https calls
cport=443
if [ $# -gt 0 ];
then
    #Setup your headlines.
    echo &quot;Host, Issuer, Subject, Status, Expires On, Days Left&quot;
     
    #Check the OS just in case
    if [[ `uname` -eq &quot;Linux&quot; ]];
    then
        for var in &quot;$@&quot;
    do   
        Conn=$(echo | openssl s_client -connect $var:$cport 2&gt;/dev/null | openssl x509 -noout -issuer -subject -dates 2&gt;&amp;1)
        ConnCheck=$(echo &quot;$Conn&quot; | grep &quot;unable to load certificate&quot;)
 
        if [ &quot;$ConnCheck&quot; == &quot;unable to load certificate&quot; ];
        then
        echo &quot;$var, ---, ---, Invalid/Can Not Connect, ---, ---&quot;
        else
        Subj=$(echo &quot;$Conn&quot; | grep &quot;subject=&quot; | sed -e &quot;s/subject=//g&quot; | sed -e &quot;s/\// /g&quot; | sed -e &quot;s/,//g&quot;)
        Issuer=$(echo &quot;$Conn&quot; | grep &quot;issuer=&quot; | sed -e &quot;s/issuer=//g&quot;| sed -e &quot;s/\// /g&quot; | sed -e &quot;s/,//g&quot;)
        ExpDate=$(echo &quot;$Conn&quot; | grep &quot;notAfter=&quot; | sed -e &quot;s/notAfter=//g&quot;)
        EpocExpDate=$(date --date=&quot;$ExpDate&quot; +%s)
        EpocToday=$(date +%s)
        SecLeft=$(($EpocExpDate - $EpocToday))
        DaysLeft=$(( $SecLeft / 86400 ))
        echo &quot;$var,$Issuer,$Subj,Valid,$ExpDate,$DaysLeft&quot;
        fi               
    done   
    fi
fi</data>
                </contents>
                <filename>
                    <data>ChkCert.sh</data>
                </filename>
            </script>
        </toolkit>
    </plugin>
</sampler>

 

 

 

    Tags:

Related articles

Comments

0 comments

Please sign in to leave a comment.