How To: Check For Symantec Certificates From the Command Line

Background

Starting with Chrome 66 and Firefox 60, Symantec SSL certificates issued before June 1, 2016 will be distrusted.

With Chrome 70 and Firefox 63, all Symantec SSL certs issued before December 1, 2017 will be distrusted.

This creates a need to quickly scan for those certs.

Use OpenSSL to check

This is a fairly simple task with OpenSSL:

$ openssl s_client -connect my.domain.name:443 -servername my.domain.name </dev/null 2>/dev/null | openssl x509 -noout -startdate

This prints the notBefore date of the site's leaf certificate, which is the date the distrust cutoffs are keyed on. Redirecting stdin from /dev/null makes s_client exit as soon as the handshake finishes, so no timeout is needed; -servername sends SNI so a host serving several certificates returns the one for that name; and openssl x509 reads only the first PEM block s_client prints, which is the server's own certificate, so -showcerts is not required.

$ openssl s_client -connect my.domain.name:443 -servername my.domain.name </dev/null 2>/dev/null | openssl x509 -noout -issuer

This prints the issuer of the cert (s_client itself also prints an issuer= line among its handshake output, but taking it from openssl x509 keeps the output to the one line).

Assume we have a list of domains to check. The following should suffice:

$ while read -r d; do echo "$d"; openssl s_client -connect "$d:443" -servername "$d" </dev/null 2>/dev/null | openssl x509 -noout -issuer -startdate; done <domain-list.txt >ssl-data.out 2>&1

$ grep -i -E 'symantec|geotrust|thawte|rapidssl|verisign' -A 1 -B 1 ssl-data.out

This reads the domains in domain-list.txt, one per line, connects to each once, and writes three lines per domain to ssl-data.out: the domain name, the issuer, and the cert's notBefore date. A host that does not answer or does not present a certificate shows up as the domain name followed by the openssl error, since stderr is captured too.

The subsequent grep then gives you the domains whose certs came from Symantec, with the surrounding lines supplying the domain and start date. The pattern also matches the other brands Symantec issued under (GeoTrust, Thawte, RapidSSL, VeriSign), which a grep for the bare word Symantec would miss even though the same distrust applies to them. You can then use whatever process you wish to pull out those whose notBefore date falls before the cutoffs above.
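The following script, added here as an example and not part of the original post, turns the manual grep-and-eyeball step into a classifier: it takes the issuer= and notBefore= lines that openssl x509 prints, recognises the Symantec-family brands, converts the date into a comparable YYYYMMDD number, and reports which distrust milestone (Chrome 66 / Firefox 60, or Chrome 70 / Firefox 63) applies. The scan_host helper needs network access; the function names and the sample issuer strings in the comments are constructed for the example.

```shell
#!/bin/sh
# Added example: classify certificates against the Symantec distrust cutoffs.
# Works on the two lines produced by: openssl x509 -noout -issuer -startdate

# Convert the value after "notBefore=" (e.g. "Mar  5 00:00:00 2016 GMT")
# into YYYYMMDD so dates can be compared numerically in plain sh.
notbefore_to_ymd() {
    set -- $1                     # split into: Month Day Time Year Zone
    case "$1" in
        Jan) m=01 ;; Feb) m=02 ;; Mar) m=03 ;; Apr) m=04 ;;
        May) m=05 ;; Jun) m=06 ;; Jul) m=07 ;; Aug) m=08 ;;
        Sep) m=09 ;; Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
        *) return 1 ;;
    esac
    printf '%s%s%02d\n' "$4" "$m" "$2"
}

# classify_cert ISSUER_LINE NOTBEFORE_LINE
# Prints one of: not-symantec, distrusted-chrome66, distrusted-chrome70, ok
# Cutoffs: notBefore < 2016-06-01 -> Chrome 66 / Firefox 60
#          notBefore < 2017-12-01 -> Chrome 70 / Firefox 63
# Brand match covers the names the old Symantec PKI issued under; a cert
# from those brands issued on/after 2017-12-01 comes from DigiCert's
# infrastructure and is fine.
classify_cert() {
    issuer=$1
    notbefore=$2
    case "$issuer" in
        *Symantec*|*GeoTrust*|*Thawte*|*thawte*|*RapidSSL*|*VeriSign*) ;;
        *) echo not-symantec; return 0 ;;
    esac
    ymd=$(notbefore_to_ymd "${notbefore#notBefore=}") || { echo unknown; return 1; }
    if [ "$ymd" -lt 20160601 ]; then
        echo distrusted-chrome66
    elif [ "$ymd" -lt 20171201 ]; then
        echo distrusted-chrome70
    else
        echo ok
    fi
}

# scan_host HOSTNAME: fetch the leaf cert over TLS (SNI set) and classify it.
# Requires network access; prints "HOST VERDICT".
scan_host() {
    host=$1
    out=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
          | openssl x509 -noout -issuer -startdate 2>/dev/null) \
        || { echo "$host connect-failed"; return 1; }
    issuer=$(printf '%s\n' "$out" | grep '^issuer=')
    notbefore=$(printf '%s\n' "$out" | grep '^notBefore=')
    echo "$host $(classify_cert "$issuer" "$notbefore")"
}

# Usage: ./check-symantec.sh host1 host2 ...   (or: xargs ./check-symantec.sh <domain-list.txt)
for h in "$@"; do
    scan_host "$h"
done
```

Because the verdict is computed rather than eyeballed, the output can be sorted or fed straight into a ticketing script; an "unknown" verdict means the issuer matched but the date line could not be parsed, which is worth a manual look rather than silently treating it as fine.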
