SSL Certificates over the network
Contrary to popular impression, when traffic between servers is encrypted using TLS or SSL, the certificates themselves are not encrypted. If you think about it, this is not surprising. Before establishing a secure connection between a client and a server, the client needs to read the certificate data to make sure that it trusts the server. The full certificate is sent over the network by the server to the client as part of the SSL handshake protocol.
The format of this information is dictated by the SSL protocol, which makes the data that is sent identical no matter how and where the certificate is actually stored on the server. We can use this to answer some basic questions for any SSL certificate:
- Which SSL certificates are actually in use – The fact that a certificate file exists somewhere on a server does not necessarily mean that certificate is actually being used. If it is sent over the network to a client, it is definitely in use.
- Where a certificate is being used – SSL certificates, especially those using wildcard common names, may be copied and used on more than one server. Using the serial number of a certificate, we can track all the servers using a specific certificate.
- When the certificate is expiring – One of the most important things to keep track of with SSL certificates is when they expire. An expired certificate can break applications and can cause significant downtime until the certificate is found and replaced. Knowing ahead of time when a certificate will expire can save us from this.
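To make the three questions above concrete, here is an added example (not code from the original post) that parses a TLS 1.2 Certificate handshake message, the same bytes a tls.handshake.certificate packet carries, and pulls out the serial number and the validity period of each certificate the server sent. The TLS record and the DER certificates are constructed inline with a tiny encoder so the script runs offline; the key and signature inside them are dummies, and the names, serial numbers and dates are made up. With a real capture you would feed parse_certificate_record() the exported bytes of the Certificate message instead.

```python
"""Parse a TLS 1.2 Certificate handshake message and extract, per certificate,
the serial number and expiry date. Added example; the sample record and the
certificates in it are constructed here (dummy key and signature)."""
import struct
from datetime import datetime, timezone

# ---- minimal DER encoder, used only to construct the sample certificates ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(value):
    # one spare bit of headroom keeps the two's-complement sign bit clear
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def utc_time(dt):
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())  # UTCTime

def name(cn):
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; here a single CN (OID 2.5.4.3)
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))

def build_sample_certificate(subject_cn, issuer_cn, serial, not_before, not_after):
    sha256_rsa = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0xA0, der_int(2))                    # [0] version: v3
              + der_int(serial) + sha256_rsa + name(issuer_cn)
              + tlv(0x30, utc_time(not_before) + utc_time(not_after))
              + name(subject_cn) + tlv(0x30, b""))            # dummy subjectPublicKeyInfo
    return tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00"))  # dummy signature

def build_certificate_record(certs):
    """Wrap DER certificates in a TLS 1.2 record carrying a Certificate (type 11) message."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    body = len(entries).to_bytes(3, "big") + entries
    handshake = b"\x0b" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack(">H", len(handshake)) + handshake

# ---- parsing side: this is what runs over the captured bytes ----
def read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def parse_certificate_record(record):
    """Return the DER certificates (server certificate first) from a TLS record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack(">H", record[3:5])[0]]
    if hs[0] != 0x0B:
        raise ValueError("not a Certificate handshake message")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos, end, certs = 3, 3 + int.from_bytes(body[:3], "big"), []
    while pos < end:                      # each entry is a 3-byte length plus DER
        clen = int.from_bytes(body[pos:pos + 3], "big")
        certs.append(body[pos + 3:pos + 3 + clen])
        pos += 3 + clen
    return certs

def parse_time(tag, raw):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return datetime.strptime(raw.decode(), fmt).replace(tzinfo=timezone.utc)

def certificate_summary(der):
    """Walk the TBSCertificate to the serial number and validity period."""
    _, cert, _ = read_tlv(der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    tag, _, pos = read_tlv(tbs, 0)
    if tag != 0xA0:                       # v1 certificates omit the explicit version
        pos = 0
    _, serial_bytes, pos = read_tlv(tbs, pos)
    _, _, pos = read_tlv(tbs, pos)        # signature algorithm
    _, _, pos = read_tlv(tbs, pos)        # issuer
    _, validity, _ = read_tlv(tbs, pos)
    t1, nb, p = read_tlv(validity, 0)
    t2, na, _ = read_tlv(validity, p)
    return {"serial": format(int.from_bytes(serial_bytes, "big", signed=True), "x"),
            "not_before": parse_time(t1, nb), "not_after": parse_time(t2, na)}

def days_until_expiry(summary, now):
    return (summary["not_after"] - now).days

# Constructed sample: a wildcard server certificate plus its issuer, as a server sends them.
SAMPLE_RECORD = build_certificate_record([
    build_sample_certificate("*.example.com", "Example Issuing CA", 0x1A2B3C,
                             datetime(2025, 1, 31, 12, 0, tzinfo=timezone.utc),
                             datetime(2026, 1, 31, 12, 0, tzinfo=timezone.utc)),
    build_sample_certificate("Example Issuing CA", "Example Root CA", 0x01,
                             datetime(2020, 1, 1, tzinfo=timezone.utc),
                             datetime(2030, 1, 1, tzinfo=timezone.utc)),
])

if __name__ == "__main__":
    for der in parse_certificate_record(SAMPLE_RECORD):
        s = certificate_summary(der)
        print(s["serial"], s["not_after"].date(), days_until_expiry(s, datetime.now(timezone.utc)))
```

The serial number from the first entry is what you would key an inventory on to see which servers present the same certificate, and not_after is the date to alert on. Nothing here validates the chain or the signature; the point is only that every field needed for the three questions above is readable straight from the handshake bytes.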
How to find SSL Certificates using Wireshark
Wireshark is one of the more popular network protocol analyzers and it is available for free from http://www.wireshark.org/.
There are many different methods we can use to get network traffic for the relevant servers depending on the environment. For some examples, you can see our blog post on getting network traffic in VMware environments here: http://thefartiste.com/network-visibility-in-virtual-environments-1/.
Wireshark has advanced traffic filtering capabilities for finding the information we want. In our case, we can use the filter: tls.handshake.certificate. If needed, we can also filter the servers by subnet to exclude any certificates we may be getting from servers that are not in our environment. This can be done using the filter:
tls.handshake.certificate && ip.src == [Subnet CIDR Notation]
Each of the packets returned by this filter should have SSL certificate information like the following: