Crawling for Certificates? 30
flosofl asks: "I work for a large company in the Authentication and Cryptography Group. Recently, we have decided to centralize all management of our certificates. Right now we manage something on the order of 200 certs. We estimate that there may be something on the order of 100-150 certs in our enterprise that we are unaware of/managed locally. What we especially want to eliminate are the 'in house' cert servers that have cropped up here and there. What we need is a tool to crawl the network and discover these certificates. I thought maybe nmap, but could not find any options for this. I am aware of the Certificate Discovery Protocol, but can find nothing other than specification pages and I am not a programmer. We would like some kind of tool that would crawl the networks and discover servers with VeriSign, InstaSSL, and type of certs. We also would like to keep it inexpensive (sub $10,000). Any help would be appreciated."
Quick solutiin (Score:1, Insightful)
ask me? (Score:3, Informative)
You Need a Programmer (Score:3, Informative)
Really you need to find a programmer to do this for you. With a budget of $10,000 I'm sure that you could get a decent crawler, and if you shop around a bit you could certainly get it done for less. There are a lot of consultants who do this for a living, and I wouldn't be surprised if you had someone with the requisite skills in-house. I would talk to the people around you and find a solid programmer who also knows a thing or two about networking and SSL certs.
If you'd like to contract the job out, contact me via e-mail through contact at biosysadmin.com and I'd be happy to give you a quote.
Re:You Need a Programmer (Score:3, Informative)
Re:You Need a Programmer (Score:2)
Re:You Need a Programmer (Score:2)
This is easy (Score:2)
Re:This is easy (Score:3, Funny)
Wrong solution (Score:1, Informative)
Searching for certificates is the wrong way to handle this. I advise to simply make it a policy to not use any certificates for company use which are not maintained by you.
Re:Wrong solution (Score:4, Funny)
Re:Wrong solution (Score:5, Insightful)
Ok. The original poster's solution isn't so great, but just declaring it "policy" is about three orders of magnitude dumber.
Here's a simple, 4-step plan to solving the problem.
But for fuck's sake, don't just go imposing random mandates on other people like some third-world dictator. I've consulted at some large companies that have so many rules, mandates, procedures, and forms that it's impossible to get anything productive done. And most of the good people figure that out and leave.
Re:Wrong solution (Score:2)
In some companies, your job is to follow the procedures, not to fix stuff or make life easier.
I don't like it, I didn't make it that way, but I do have to work here.
>I've consulted at some large companies that have so many rules,
>mandates, procedures, and forms that it's impossible to get anything
>productive done. And most of the good people figure that out and
>leave.
Welcome to my nightmare. I wish I had something better to go to.
On a more productive
Dear Sir, (Score:1, Funny)
Kinda easy answer (depending on network config) (Score:4, Informative)
2 - Sniff packets to/from those hosts (you're in a position to connect to them anyway I presume) and log all the connection handshakes.
3 - Process the logs to get a nice list of hosts and certs.
Repeat every couple of days for two or three weeks to catch dev servers and the like which might be offline periodically and voila'!
openssl sclient (Score:5, Informative)
1.) nmap your network. Find https-servers (port 443), imaps, pop3s, ssmtp. Those should run ssl on connect.
1.b) find imap, pop3, smtp servers that support STARTTLS
1.c) use openssl s_client -showcerts -connect host:port to get the certificate
2.) ?
3.) Profit!
Chris
Done (Score:5, Informative)
Two minutes, three lines of code, $10,000 - I'm undercharging my employer!
Seriously, though, don't run this without understanding each part. If you have a large network, split it up into separate commands using temp files. You'll probably want to add some code to check for self-signed certificates (assuming those aren't against your "corporate policy"). You'll also want to scan other ports running SSL directly, such as 995. Some services more commonly use STARTTLS in which case the openssl s_client won't work (LDAP v3, SMTP). For these services, you'll need to write a small network program linked to openssl that knows enough of the protocol to initiate STARTTLS and grab the certs. Overall, this is a half day of work at most for little programs to test all the STARTTLS possibilities.
I really have to question your company's judgment if they're willing to spend that much money on something so trivial. If you're large enough that rogue certificate servers actually pose a problem, you should definitely have some good *nix admin/network/systems programmer-types types who can do this for you.
What about personal certs? (Score:3, Insightful)
As lots of posters have indicated, finding the ssl certificates is pretty easy.
Note that this only applies to individual's certificates, but what about keys? Not all keys are cert-based. Do you want to centrally manage employee or customer info via a PKI? Got a proper directory schema in place? Handling keys via tokens/got a token/card management system in place that'll hold up?
You should probably make sure you know the answers to those before starting anything.
the free solution (Score:2)
Seriously, why do you need to be so controlling as to seek out rogue certs.
Re:the free solution (Score:3, Insightful)
Create a business. (Score:2)
Hire someone to write a cross-platform
utility to scan disks for certs and
sniff network traffic for certs, and log
them all to a central service. Put a GUI
on it. Write documentation. That's worth
$10K. Now offer it for sale for $5k.
If it doesn't make money, open-source it.
Thanks guys (and gals - you never know...) (Score:3, Informative)
I sent Tex this in email form earlier and thought I would let you guys know which way we're probably gonna go:
I was thinking about Nessus (it has an SSL plugin). It seems kinda noisy on the network (I haven't played with it enough). I think what we're gonna end up doing is having IT Security run nmap against our servers (about 2500+) and collate a list of SSL responses (https, ssmtp, etc..). Then set up a script to run the openssl s_client with the '-showcerts' option to get the certificate.
I wish there was a click-and-go solution, but ya can't have everything...
And, sorry, I can't hire contractors
Re:Thanks guys (and gals - you never know...) (Score:1, Insightful)
You said you would pay up to $10k for a solution.
If you dont have the skills to write the correct three lines of script, why should it matter that the correctly implemented solution is only three lines long.
Is this solution any less good than something written in a month that does the same thing, only in C++?
are you embarrassed that actually the question you asked is trivial to implement, and you couldn't figure it out? thus now your $10k seems like largesse....
What do you want, a solution? I
Re:Thanks guys (and gals - you never know...) (Score:1)
But one of the things I used certificates for was a "process" certificate that would be used, for instance, by a UNIX job that encrypts a data file to send to a business partner or receives encrypted file/datafeed from somewhere then decrypts and processes it.
You might need to spin through filesystems and see if there are gpg signed/encr
Holy Crap. Air Cannons! (Score:1)
Home to some of the most ridiculous potato cannons anywhere.
Support OSS!! (Score:2)
Hello? Why not pay some some small firm to come up with something suitable, released under GPL? You kill 2 birds with 1 stone: support OSS, and add to the GPL pool.
In general, people: if you have some control over a pool of money for some small tasks like these, throw them in the direction of OSS people!
Where is the real problem, though? (Score:2)
I know, the PHBs said this was the solution that needed to be implemented. Nevermind!
Freshmeat? (Score:2)
If your company is willing to pay $10,000 for a product, why not post asking for someone to write something for you and pay them the money?
Seems like a good way to go and it's win/win