Adding TLS Certificate information gathering scripts.

README.md

@@ -2,15 +2,15 @@
 This repo contains the tools, utilities and some usefull commands help to troubleshooting the issues of the WSO2 deployements.
 
 ## Table of contents
-
-- [Database response time mesuring tool](database-response-timing/) | [Download](https://github.com/wso2-cs/troubleshoot-kit/releases/download/v1/database-response-timing-bundle.zip)
-- [HTTP/HTTPS endpoint response time mesuring tool](http-response-timing/) | [Download](https://github.com/wso2-cs/troubleshoot-kit/releases/download/v1/http-response-timing-bundle.zip)
-- [Test LDAP connectivity](ldap-connection-test/)
-- [Script to get thread dumps](scripts-and-commands/thread-dump/)
+- [APIM 3.2.0 distributed deployment](scripts-and-commands/distributed-deployment/apim-3.2.0/README.md)
+- [APIM 4.0.0 distributed deployment](scripts-and-commands/distributed-deployment/apim-4.0.0/README.md)
+- [Database response time measuring tool](database-response-timing/) | [Download](https://github.com/wso2-cs/troubleshoot-kit/releases/download/v1/database-response-timing-bundle.zip)
+- [Decrypt and re-encrypt entries in database with new algorithm or key](https://github.com/shagihan/token-migrator)
+- [HAR Capture](HAR-capture/README.md)
+- [HTTP/HTTPS endpoint response time measuring tool](http-response-timing/) | [Download](https://github.com/wso2-cs/troubleshoot-kit/releases/download/v1/http-response-timing-bundle.zip)
 - [Script to Analyze thread dumps](scripts-and-commands/thread-analysis/)
-- [Usefull keytool and OpenSSL Commands](scripts-and-commands/keytool-openssl-commands/README.md)
+- [Script to get thread dumps](scripts-and-commands/thread-dump/)
 - [Simple TCP proxy simulating delays in network](https://github.com/ruwanta/delaying-proxy)
-- [Decrypt and re-encrypt entries in database with new algorhythm or key](https://github.com/shagihan/token-migrator)
-- [HAR Capture](HAR-capture/README.md)
-- [APIM 3.2.0 deployment](scripts-and-commands/distributed-deployment/apim-3.2.0/README.md)
-- [APIM 4.0.0 deployment](scripts-and-commands/distributed-deployment/apim-4.0.0/README.md)
+- [Test LDAP connectivity](ldap-connection-test/)
+- [TLS Certs](scripts-and-commands/certs/README.md)
+- [Useful keytool and OpenSSL Commands](scripts-and-commands/keytool-openssl-commands/README.md)

scripts-and-commands/certs/README.md

@@ -0,0 +1,34 @@
+# Get Details About a TLS Certificate
+One of the most common tasks once a system is in production for a while is the need to replace expired TLS certificates. The number one symptom that notifies you that this is needed is that back-end system fail to connect and will give an error message in the log files. 
+
+Tracking down why you can't connect is simplified if you can check for the expired use case from the server that is making the connection call. These servers almost never have UI frontends allowing for the certificate view trick we often use in a web browser to check for the dates. This is especially important when server whitelisting rules are in place. 
+
+These linux shell commands are provided to aid in identifying exactly this use case and also to trouble shoot issues that may come up once the new certificate is in place.
+
+## checkcert
+These scripts are for getting the notbefore and notafter dates of a certificate.
+* checkcert - uses openssl to fetch
+* checkcert_curl - uses curl to fetch 
+
+## checkcertserial
+These scripts are for getting the serial number of a certificate
+* checkcertserial - returns in default format
+* checkcertserialhex - returns in hex format
+
+## getcertchain
+This script will show you the certificate chain. Sometimes different versions
+of certificates will have differnt intermediate chains and that can lead to 
+handshaking issues.
+* getcertchain
+
+## serial_audit
+These files are used to audit a set of servers to ensure they have the 
+same target serial number.
+* serial_audit - script to kick off the audit
+* server_list.txt - list of the servers to audit. Format like localhost:9443
+* target_serial.txt - standard serial format to verify being present 
+
+# Retrieve a certificate
+## getcert
+This script will retrieve the certificate and write it locally.
+* getcert

scripts-and-commands/certs/checkcert

@@ -0,0 +1,9 @@
+#!/bin/bash
+#
+# You'll need to provide port number with the url.
+# Example Web server: test.com:443
+# Example WSO2 EI Server: localhost:9443
+
+export SITE_URL=$1
+echo QUIT | openssl s_client -connect ${SITE_URL} \
+  -servername ${SITE_URL} 2> /dev/null |  openssl x509 -noout  -dates  

scripts-and-commands/certs/checkcert_curl

@@ -0,0 +1,7 @@
+#!/bin/bash
+#
+# You'll need to provide port number with the url.
+# Example Web server: test.com:443
+# Example WSO2 EI Server: localhost:9443
+
+curl --insecure -vvI https://$1 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'

scripts-and-commands/certs/checkcertserial

@@ -0,0 +1,11 @@
+#!/bin/bash
+#
+# You'll need to provide port number with the url.
+# Example Web server: test.com:443
+# Example WSO2 EI Server: localhost:9443
+# Cut inspired by: https://unix.stackexchange.com/questions/533194/how-to-extract-serial-from-ssl-certificate
+
+export SITE_URL=$1
+#export SITE_SSL_PORT="443"
+echo QUIT | openssl s_client -connect ${SITE_URL} \
+  -servername ${SITE_URL} 2> /dev/null |  openssl x509 -noout  -serial | cut -d '=' -f2  

scripts-and-commands/certs/checkcertserialhex

@@ -0,0 +1,10 @@
+#!/bin/bash
+#
+# You'll need to provide port number with the url.
+# Example Web server: test.com:443
+# Example WSO2 EI Server: localhost:9443
+# Hex translation inspired by: https://unix.stackexchange.com/questions/533194/how-to-extract-serial-from-ssl-certificate
+
+export SITE_URL=$1
+echo QUIT | openssl s_client -connect ${SITE_URL} \
+  -servername ${SITE_URL} 2> /dev/null |  openssl x509 -noout  -serial|cut -d '=' -f2 | sed 's/../&:/g;s/:$//' 

scripts-and-commands/certs/getcert

@@ -0,0 +1,9 @@
+#!/bin/bash
+#
+# You'll need to provide port number with the url.
+# Example Web server: test.com:443
+# Example WSO2 EI Server: localhost:9443
+
+openssl s_client -connect $1 </dev/null | openssl x509 -outform pem > tmpcert.pem
+openssl x509 -in tmpcert.pem -noout -serial -dates
+cat tmpcert.pem

scripts-and-commands/certs/getcertchain

@@ -0,0 +1,8 @@
+#!/bin/bash
+#
+# You'll need to provide port number with the url.
+# Example Web server: test.com:443
+# Example WSO2 EI Server: localhost:9443
+
+export URL=$1
+echo QUIT | openssl s_client -showcerts -connect $URL

scripts-and-commands/certs/serial_audit

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# This script will check every server in server_list.txt to see if it has a public cert serial
+# that matches target_serial.txt. This is utilized to ensure that all servers have the same corporate
+# wildcard certificate after renewal. 
+#
+# Add server list into a server_list.txt file. One line per a server. Include the port number.
+# Example: 
+# google.com:443
+# localhost:9443
+#
+# Add expected serial number in a file named target_serial.txt
+# example:
+# 111111111111111111111111111
+
+
+TARGET_SERIAL=`cat target_serial.txt`
+echo "Target Serial is: $TARGET_SERIAL"
+
+#looping over each server in server_list.txt
+echo "== Starting =="
+
+while read SERVER; do
+  SERVER_SERIAL=`echo QUIT | openssl s_client -connect $SERVER -servername $SERVER </dev/null 2>/dev/null| openssl x509 -noout -serial 2>/dev/null| cut -d '=' -f2`
+
+  if [ "$SERVER_SERIAL" == "$TARGET_SERIAL" ]; then
+      echo "$SERVER: Serials match."
+  else
+      echo "$SERVER - WARNING: CERTIFICATE SERIAL NUMBERS DO NOT MATCH. Server has $SERVER_SERIAL and we are looking for $TARGET_SERIAL."
+  fi
+done < server_list.txt
+
+echo "== Done. =="

scripts-and-commands/certs/server_list.txt

@@ -0,0 +1 @@
+localhost:9443

scripts-and-commands/certs/target_serial.txt

@@ -0,0 +1 @@
+5800000d6fef826be273adb62d000200000d6f