How to verify an SSL certificate

0 votes
In my application, I need to confirm that an SSL certificate is valid before establishing a secure connection. How can I programmatically verify an SSL certificate, and are there libraries or tools to streamline this process? What details should I check to ensure a certificate’s authenticity?

Examples or steps to securely verify SSL certificates, especially in a web server environment, would be helpful.
Nov 13 in Cyber Security & Ethical Hacking by Anupam
• 5,390 points
35 views

1 answer to this question.

0 votes

Verifying an SSL/TLS certificate is crucial to guaranteeing a safe and reliable connection. This procedure makes that the certificate matches the requested domain or identity, verifies that it was issued by a reliable Certificate Authority (CA), and checks its validity.

1. Retrieve the SSL Certificate

Using OpenSSL:

echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -subject -dates

Programmatically: Use SSL/TLS libraries in programming languages like Python, Java, or Node.js to connect and retrieve the certificate.

2. Check Certificate Validity

  • Validity Period: Confirm the certificate is within its "notBefore" and "notAfter" dates.
  • Revocation Status: Ensure the certificate hasn’t been revoked by consulting Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP), though TLS libraries often handle this automatically.

3. Verify Certificate Chain

  • Ensure the certificate was issued by a trusted CA by checking the certificate chain up to a trusted root CA.
  • Validate each certificate in the chain and confirm none have been revoked.

4. Domain/Identity Verification

Check the Subject Alternative Name (SAN) or Common Name (CN) fields in the certificate to ensure they match the intended domain.

Libraries and Tools for SSL Verification

  • Python:
    • ssl and socket modules for TLS connections.
    • cryptography library for advanced certificate verification.
    • certifi and pyOpenSSL for trust chain and validity verification.
  • Java:
    • java.security and javax.net.ssl packages for built-in TLS management.
    • Bouncy Castle library for additional cryptographic features.
  • Node.js:
    • tls module for TLS connections.
    • crypto module for cryptographic operations.

Verifying an SSL Certificate in Python

Using the ssl and cryptography libraries in Python, you can verify a certificate as shown in this example:

import ssl
import socket
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.backends import default_backend
import datetime

def verify_ssl_certificate(hostname, port=443):
    # Establish a connection to retrieve the certificate
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port)) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
            der_cert = ssock.getpeercert(binary_form=True)
    
    # Load the certificate
    cert = x509.load_der_x509_certificate(der_cert, default_backend())
    
    # Check validity period
    not_before = cert.not_valid_before
    not_after = cert.not_valid_after
    now = datetime.datetime.now()
    if not (not_before <= now <= not_after):
        print("Certificate is not within its validity period.")
        return False
    
    # Verify domain matches
    try:
        cert_subject_alt_name = cert.extensions.get_extension_for_oid(NameOID.COMMON_NAME).value
    except x509.ExtensionNotFound:
        cert_subject_alt_name = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    if hostname not in str(cert_subject_alt_name):
        print("Certificate domain mismatch.")
        return False
    
    # Additional checks (e.g., certificate chain verification) would typically be handled by the TLS library
    return True

# Example usage
if verify_ssl_certificate('example.com'):
    print("SSL Certificate for example.com is valid.")
answered Nov 13 by CaLLmeDaDDY
• 6,540 points

Related Questions In Cyber Security & Ethical Hacking

0 votes
1 answer

How to become an Ethical Hacker?

Steps and Requirements for a Career in ...READ MORE

answered Oct 12, 2023 in Cyber Security & Ethical Hacking by Saniya
• 3,360 points
454 views
0 votes
0 answers

How to be an Ethical Hacker?

What steps and guidelines should one follow ...READ MORE

Dec 19, 2023 in Cyber Security & Ethical Hacking by Saniya
• 3,360 points
273 views
0 votes
1 answer

How to encrypt an SD card without the original device?

Yes, you can encrypt an SD card ...READ MORE

answered Nov 7 in Cyber Security & Ethical Hacking by CaLLmeDaDDY
• 6,540 points
47 views
+1 vote
1 answer

How do you decrypt a ROT13 encryption on the terminal itself?

Yes, it's possible to decrypt a ROT13 ...READ MORE

answered Oct 17 in Cyber Security & Ethical Hacking by CaLLmeDaDDY
• 6,540 points
114 views
+1 vote
1 answer
+1 vote
1 answer
+1 vote
1 answer
0 votes
1 answer

How to get an HTTPS certificate?

Securing communication between your application and its ...READ MORE

answered Nov 15 in Cyber Security & Ethical Hacking by CaLLmeDaDDY
• 6,540 points
26 views
webinar REGISTER FOR FREE WEBINAR X
REGISTER NOW
webinar_success Thank you for registering Join Edureka Meetup community for 100+ Free Webinars each month JOIN MEETUP GROUP