
Sometimes you get dropped into a situation at short notice and need an answer just as quickly. That is where I found myself when I popped into a friend's office and they had a query about certificates for their developer team.
It came down to knowing which certificate was being presented by the server for secure LDAP (LDAPS). Their friendly IT bod wasn’t available and I didn’t have access to the server. They just needed to be able to identify the certificate.
It turns out that OpenSSL was our friend. Grabbing the Windows build of OpenSSL and extracting the exe was the first port of call.
Then we used the following command, replacing servername with the actual server name:
openssl.exe s_client -connect servername:636
This gave us the following output, which was enough to identify the certificate (the subject and issuer lines give the server name and the CA that signed it), and the dev-pigeon-chap was happy.
CONNECTED(000001CC)
depth=0 CN = server.mycompany.local
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = server.mycompany.local
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=server.mycompany.local
   i:/CN=mycompany-server-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
subject=/CN=server.mycompany.local
issuer=/CN=mycompany-server-CA
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Peer signing digest: SHA1
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1875 bytes and written 501 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: C727000085D21AFFDBCA98D8BFF070CCAEF952D75175937B078AAF5F5D18B
    Session-ID-ctx:
    Master-Key: 7A51DB49F67057631D1554FDG42DA8210D4B53F18C56AAEC6683258B843GFDRFT534124CB426B1EB4AC9290511884D8F
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1496999812
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
read:errno=10054
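The same check scripted, as an added example that is not part of the original post: ldaps_cert captures the handshake (it assumes port 636 and needs openssl and network access), extract_pem and cert_summary pull the certificate and the identifying lines out of that captured text, and decode_pem turns the saved certificate into subject, issuer, validity dates and a SHA-256 fingerprint. SAMPLE is constructed to mirror the output above so the parsing functions can run offline.

```shell
# Added example, not the original post's code. ldaps_cert and decode_pem call
# openssl; extract_pem and cert_summary only parse captured s_client output.

# Capture the handshake output for an LDAPS server (port assumed to be 636).
# </dev/null closes stdin so s_client exits after the handshake instead of
# waiting for input; -servername sends SNI; -showcerts prints the whole chain.
ldaps_cert() {
    openssl s_client -connect "$1:${2:-636}" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# Pull the first PEM block (the server certificate) out of s_client output on
# stdin so it can be saved to a file and inspected later.
extract_pem() {
    awk '/^-----BEGIN CERTIFICATE-----/ {p=1} p {print} /^-----END CERTIFICATE-----/ {if (p) exit}'
}

# Report the lines that answer "which certificate is this?": subject, issuer and
# the verify code. Code 21 means openssl could not find the issuing CA in its
# trust store; rerun with -CAfile <ca.pem> to confirm the chain actually validates.
cert_summary() {
    awk '
        /^subject=/ { sub(/^subject=/, ""); subj = $0 }
        /^issuer=/  { sub(/^issuer=/, "");  iss = $0 }
        /Verify return code:/ { sub(/^[[:space:]]*Verify return code: */, ""); code = $0 }
        END { printf "subject=%s\nissuer=%s\nverify=%s\n", subj, iss, code }'
}

# Decode a saved PEM file: name, issuer, validity window and SHA-256 fingerprint.
decode_pem() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# Constructed sample of s_client output; the certificate body is a placeholder.
SAMPLE=$(cat <<'EOF'
Server certificate
-----BEGIN CERTIFICATE-----
MIIB-constructed-placeholder-not-a-real-certificate
-----END CERTIFICATE-----
subject=/CN=server.mycompany.local
issuer=/CN=mycompany-server-CA
---
SSL-Session:
    Verify return code: 21 (unable to verify the first certificate)
EOF
)

printf '%s\n' "$SAMPLE" | cert_summary
```

For a live server: `ldaps_cert servername > out.txt; extract_pem < out.txt > server.pem; decode_pem server.pem`.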
The post How to find the SSL certificate used by LDAPS appeared first on Oliver Marshall.