For those who install/work with SSL Certificates regularly (SSL Decoder, version 3)

I maintain a small SSL tool, https://ssldecoder.org. It allows you to paste a website URL or a certificate and get information about the connection and certificates (ciphersuites, Heartbleed, protocols, certificate hashes, TLSA, handy copy-pastable PEMs and DNS records). Sorta like SSL Labs, but this one is open source, faster and you can self-host it.

I've just released version 3.0, which includes a nifty feature. If it detects a wrong certificate chain (missing, wrong order, wrong certificates), it automatically gives you the correct chain.

If you paste just one certificate, it also gives you the complete chain, in copy-pastable PEM format.

See here for an example of one certificate: https://ssldecoder.org/results/saved.csr.1445715570.d92a0d3313fba450814d71020f3b6760.html

See here for an example of a chain in the wrong order: https://ssldecoder.org/results/saved.mijndigidentityeu.1445715975.332eaa4a8dd293126d764e71aefa4f18.html

See here for an example of a missing chain: https://ssldecoder.org/results/saved.mysterysnikkeircojp.1445716064.789905024eb5b32ad87f08a792789c0a.html

If you regularly install certificates from different suppliers, maybe because you're an MSP or support provider, this is a nice feature, just because you can copy-paste the PEM chain and be done.

It does this by checking the AuthorityInfoAccess SSL Extension if available, and getting the chain from there. Otherwise, it uses earlier saved certificates to construct the chain.

I'm still looking for tests with cross-signed roots or other non-standard SSL installations, so please contact me if you know of some.

Also introduced is the "Fast check" option. It just shows the certificate and chain information, almost no remote calls. It improves the check time from about 10 to 15 seconds to less than 1 second.

More information and the source code can be downloaded here: https://github.com/RaymiiOrg/ssl-decoder

The tool can be used via this URL: https://ssldecoder.org

Tips, comments and suggestions are very welcome.
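
The chain check described in the post (detect a wrong order or a missing intermediate, then fall back to the AuthorityInfoAccess URL) can be sketched as follows. This is an added example, not code from ssl-decoder or its author. It assumes each certificate is reduced to subject, issuer and "CA Issuers" URL, links certificates by name only (no signature or key-identifier checks), and uses constructed names, URLs and trust store.

```python
from typing import NamedTuple, Optional

class Cert(NamedTuple):
    subject: str
    issuer: str
    aia_ca_issuers: Optional[str] = None  # "CA Issuers" URL from AuthorityInfoAccess

# Constructed sample data: a leaf, its intermediate, and a one-entry trust store.
TRUSTED_ROOTS = {"CN=Example Root CA"}
LEAF = Cert("CN=www.example.test", "CN=Example Intermediate CA",
            "http://ca.example.test/intermediate.crt")
INTER = Cert("CN=Example Intermediate CA", "CN=Example Root CA",
             "http://ca.example.test/root.crt")

def find_leaf(certs):
    """The leaf is the only certificate that did not issue another one in the set."""
    issuers = {c.issuer for c in certs if c.issuer != c.subject}
    leaves = [c for c in certs if c.subject not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected exactly one leaf, found %d" % len(leaves))
    return leaves[0]

def build_chain(sent, trusted_roots=TRUSTED_ROOTS):
    """Return (chain ordered leaf-first, sent_in_order, AIA URL to fetch or None)."""
    by_subject = {c.subject: c for c in sent}
    chain, fetch_url = [find_leaf(sent)], None
    # Walk issuer links until a trusted root or a self-signed certificate is reached.
    while (chain[-1].issuer not in trusted_roots
           and chain[-1].issuer != chain[-1].subject):
        parent = by_subject.get(chain[-1].issuer)
        if parent is None:
            # The issuer was not supplied: its certificate would have to be
            # downloaded from the AIA URL of the last certificate we do have.
            fetch_url = chain[-1].aia_ca_issuers
            break
        if parent in chain:
            raise ValueError("issuer loop in supplied certificates")
        chain.append(parent)
    # The server's order is correct if it starts with exactly this chain.
    in_order = list(sent[:len(chain)]) == chain
    return chain, in_order, fetch_url

if __name__ == "__main__":
    for label, sent in (("wrong order", [INTER, LEAF]), ("missing", [LEAF])):
        chain, ok, url = build_chain(sent)
        print(label, [c.subject for c in chain], "in order:", ok, "fetch:", url)
```
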
