API Client Enhancement - Certs

Starting with version 4.20.1, the API client received an update to aid users in configuring and troubleshooting SSL certificates on their Axonius server. This article will go over the new commands at a high level, and then show more detailed examples of a few selected commands.

Commands

All of these commands are accessed through either:

> axonshell certs

or the equivalent python library functions.

If you want to work with the certificate that the GUI presents to its users:

  • gui-get - Get GUI certificate and export to a PEM file.
  • gui-info - Get GUI certificate basic info from the REST API.
  • gui-reset - Reset GUI certificate to default.
  • gui-update - Update GUI certificate from a PEM, PKCS7, or DER file.

These commands are specifically for working with the CA certificate files on the Axonius server:

  • ca-add - Add a CA Certificate from a file.
  • ca-enable - Enable/disable 'Use custom CA certificate' setting.
  • ca-remove - Remove a CA Certificate by filename.
  • ca-show - Show the current CA Certificates.

Working with CSRs can be done with these commands:

  • csr-cancel - Cancel a pending Certificate Signing Request.
  • csr-create - Create a Certificate Signing Request.
  • csr-get - Get the pending Certificate Signing Request.

Finally, we added some utility commands for working with certificates directly, both from a file and from a URL.

  • from-file - Display/convert certificates from a PEM, DER, or PKCS7 file.
  • from-url - Display/save certificates from a URL.

Example Usages

Updating the GUI Certificate

Let's take a look at what our server is currently using for the GUI certificate before we update it:

> axonshell certs gui-info
** Connected to 'https://10.2.3.4' version DEMO (RELEASE DATE: 2022-04-19) API Client v4.30.1

Issued To: axonius
Alternative Names: []
Issued By: US/New York/New York City/Axonius, Inc/axonius/contact@axonius.com
Sha1 Fingerprint: CF:3B:18:67:81:1F:20:64:CB:65:A6:23:A2:0C:B1:1A:2C:43:E4:89
Expires On: 2029-06-02 10:14:17+00:00

You can see that we are using the default self-signed certificate. We want to update this with a valid certificate (for the sake of the demo... another self-signed certificate) so the browser warnings go away and it is in line with the rest of our enterprise.

❯ axonshell certs gui-update --host 1.2.3.4 --cert-file example_cert.crt --key-file example_cert.key
** Connected to 'https://10.2.3.4' version DEMO (RELEASE DATE: 2022-04-19) API Client v4.30.1

** Received 1 certificates from {'url': 'https://10.2.3.4:443', 'method': 'axonius_api_client.http.Http.get_cert_chain'}
** subject='C=US, ST=New York, L=New York City, O=Axonius, Inc, CN=axonius', chain_order=#1, chain_type='server/leaf/end-entity', source={'url': 'https://10.2.3.4:443', 'method': 'axonius_api_client.http.Http.get_cert_chain'}

Certificate: subject='C=US, ST=New York, L=New York City, O=Axonius, Inc, CN=axonius', chain_order=#1, chain_type='server/leaf/end-entity', source={'url': 'https://10.2.3.4:443', 'method': 'axonius_api_client.http.Http.get_cert_chain'}
View the details of the current certificate before replacing it? [Y/n]: n
Prompting disabled, not asking: Are you sure you want to replace this certificate?
** Received 1 certificates from {'path': PosixPath('/Users/some_user/example_cert/example_cert.crt'), 'method': 'from_content:pem'}
** subject='C=US, ST=New York, L=New York City, O=Axonius, Inc, OU=axonius, CN=axonius', chain_order=#1, chain_type='server/leaf/end-entity', source={'path': PosixPath('/Users/some_user/example_cert/example_cert.crt'), 'method': 'from_content:pem'}

** ERROR: WRAPPED EXCEPTION: builtins.ValueError
Host '1.2.3.4' is not valid for this certificate
Valid hosts:
axonius

You will notice this failed. It failed because the client compared the value I provided for --host against the names the new certificate is valid for (listed under "Valid hosts") and found no match.

Let's do it again with a correct hostname for this server:

❯ axonshell certs gui-update --host axonius --cert-file example_cert.crt --key-file example_cert.key
** Connected to 'https://10.2.3.4' version DEMO (RELEASE DATE: 2022-04-19) API Client v4.30.1

** Received 1 certificates from {'url': 'https://10.2.3.4:443', 'method': 'axonius_api_client.http.Http.get_cert_chain'}
** subject='C=US, ST=New York, L=New York City, O=Axonius, Inc, CN=axonius', chain_order=#1, chain_type='server/leaf/end-entity', source={'url': 'https://10.2.3.4:443', 'method': 'axonius_api_client.http.Http.get_cert_chain'}

Certificate: subject='C=US, ST=New York, L=New York City, O=Axonius, Inc, CN=axonius', chain_order=#1, chain_type='server/leaf/end-entity', source={'url': 'https://10.2.3.4:443', 'method': 'axonius_api_client.http.Http.get_cert_chain'}
View the details of the current certificate before replacing it? [Y/n]: n
Prompting disabled, not asking: Are you sure you want to replace this certificate?
** Received 1 certificates from {'path': PosixPath('/Users/some_user/example_cert/example_cert.crt'), 'method': 'from_content:pem'}
** subject='C=US, ST=New York, L=New York City, O=Axonius, Inc, OU=axonius, CN=axonius', chain_order=#1, chain_type='server/leaf/end-entity', source={'path': PosixPath('/Users/some_user/example_cert/example_cert.crt'), 'method': 'from_content:pem'}

** Host 'axonius' is valid for certificate, is one of: ['axonius']
Certificate: subject='C=US, ST=New York, L=New York City, O=Axonius, Inc, OU=axonius, CN=axonius', chain_order=#1, chain_type='server/leaf/end-entity', source={'path': PosixPath('/Users/some_user/example_cert/example_cert.crt'), 'method': 'from_content:pem'}
View the details for this certificate [Y/n]: n
Prompting disabled, not asking: Please confirm that this certificate looks correct
** Uploading new certificate from /Users/some_user/example_cert/example_cert.crt
** Successfully uploaded new certificate from /Users/some_user/example_cert/example_cert.crt
** Received 1 certificates from {'url': 'https://10.2.3.4:443', 'method': 'axonius_api_client.http.Http.get_cert_chain'}
** subject='C=US, ST=New York, L=New York City, O=Axonius, Inc, OU=axonius, CN=axonius', chain_order=#1, chain_type='server/leaf/end-entity', source={'url': 'https://10.2.3.4:443', 'method': 'axonius_api_client.http.Http.get_cert_chain'}

update_env=False Not updating '/Users/some_user/.env' file with:
AX_CERTPATH="/Users/some_user/example_cert/example_cert.crt"

Ok so what just happened here? Let's go over it step-by-step:

  • First the client connected to the server and pulled down the current public certificate. It asked if we wanted to see the detailed output, which I declined, so it showed a smaller overview instead.
  • It then checked that the value provided for --host was valid for the new certificate, which it was.
  • It then uploaded the new certificate to the server.
  • To verify, the client then pulled down the certificate the GUI is now presenting so we can confirm it is indeed the new one.
  • It asked if we wanted to see the detailed output of the new certificate, which I declined, so it showed a smaller overview instead.
  • Finally, the client offers to update the client's config file with the path to the certificate. We didn't tell it to, so it skipped that change.
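
The check that stopped the first gui-update is worth seeing in code. The following is an added example, not code from axonius_api_client: it implements the same host-versus-certificate test using only the Python standard library, taking the certificate's common name and Subject Alternative Names as already-parsed values in the (type, value) tuple form that ssl.getpeercert() reports. The CN 'axonius' with hosts '1.2.3.4' and 'axonius' is the case from the output above; the wildcard and IP SAN inputs are constructed, and the function names (dns_name_matches, valid_hosts, host_is_valid, explain) are chosen for this example. It goes a little beyond the page by also handling wildcard names and IP literals.

```python
"""Host-vs-certificate name check, as gui-update --host performs before uploading.

Added example, not axonius_api_client code. Certificate names arrive already
parsed: the subject common name plus Subject Alternative Names as (type, value)
tuples in the form ssl.getpeercert()['subjectAltName'] reports them, e.g.
('DNS', 'www.google.com') or ('IP Address', '10.2.3.4').
"""
import ipaddress
from typing import List, Optional, Sequence, Tuple

SAN = Tuple[str, str]


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style dNSName comparison: case-insensitive exact match, or a
    wildcard that is the whole leftmost label, covers exactly one label of the
    host, and is followed by at least two fixed labels (so no '*' or '*.com')."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def valid_hosts(common_name: Optional[str], sans: Sequence[SAN]) -> List[str]:
    """Names the certificate is valid for, as gui-update lists them under
    'Valid hosts'. When any SAN is present the CN is ignored (as browsers do);
    a certificate with no SANs falls back to its CN, which is the situation of
    the default self-signed certificate shown by gui-info."""
    san_values = [value for kind, value in sans if kind in ("DNS", "IP Address")]
    if san_values:
        return san_values
    return [common_name] if common_name else []


def host_is_valid(host: str, common_name: Optional[str], sans: Sequence[SAN]) -> bool:
    """True if `host` (a DNS name or an IP literal) is covered by the certificate."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only matches an iPAddress SAN. A CN or dNSName that merely
        # looks like an address does not count, which is why '1.2.3.4' was rejected.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    has_san = any(kind in ("DNS", "IP Address") for kind, _ in sans)
    if has_san:
        dns_names = [value for kind, value in sans if kind == "DNS"]
    else:
        dns_names = [common_name] if common_name else []
    return any(dns_name_matches(name, host) for name in dns_names)


def explain(host: str, common_name: Optional[str], sans: Sequence[SAN]) -> str:
    """One-line verdict in the spirit of the gui-update messages above."""
    hosts = valid_hosts(common_name, sans)
    if host_is_valid(host, common_name, sans):
        return f"Host '{host}' is valid for certificate, is one of: {hosts}"
    return f"Host '{host}' is not valid for this certificate. Valid hosts: {hosts}"


if __name__ == "__main__":
    # The page's case: default certificate with CN=axonius and no SANs.
    print(explain("1.2.3.4", "axonius", []))
    print(explain("axonius", "axonius", []))
    # Constructed cases: a wildcard SAN and an IP SAN.
    wildcard = [("DNS", "*.example.internal")]
    print(explain("axonius.example.internal", "ignored-cn", wildcard))
    print(explain("a.b.example.internal", "ignored-cn", wildcard))
    print(explain("10.2.3.4", "axonius", [("DNS", "axonius"), ("IP Address", "10.2.3.4")]))
```

The practical consequence for the gui-update flow: if you want to reach the server by IP address without a browser warning, the certificate you upload needs an IP Address SAN for that address; a CN or DNS SAN that merely looks like an address will not satisfy this check or a browser.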

Pulling Certificate Details

To help users troubleshoot certificate issues, especially in more complex environments such as those doing SSL inspection, we added two tools that pull a certificate down directly so users can easily look at its details. We are going to look at one of them: from-url.

This command will connect to a URL, pull down the certificate, and display it in an easy-to-understand manner. As an example, we will take a look at Google's certificate.

❯ axonshell certs from-url --url google.com
** Parsed google.com to UrlParser(scheme='https', netloc='google.com:443', hostname='google.com', port='443', path='', params='', query='', fragment='')

** Received 3 certificates from {'url': 'https://google.com:443', 'method': 'axonius_api_client.cert_human.stores.cert.Cert.from_requests_chain'}
** subject='CN=www.google.com', chain_order=#1, chain_type='server/leaf/end-entity', source={'url': 'https://google.com:443', 'method': 'axonius_api_client.cert_human.stores.cert.Cert.from_requests_chain'}
** subject='C=US, O=Google Trust Services LLC, CN=GTS CA 1C3', chain_order=#2, chain_type='intermediate/root CA', source={'url': 'https://google.com:443', 'method': 'axonius_api_client.cert_human.stores.cert.Cert.from_requests_chain'}
** subject='C=US, O=Google Trust Services LLC, CN=GTS Root R1', chain_order=#3, chain_type='intermediate/root CA', source={'url': 'https://google.com:443', 'method': 'axonius_api_client.cert_human.stores.cert.Cert.from_requests_chain'}


# EXTENSION: Key Usage ( 2.5.29.15 ) [CRITICAL: True]
  - Value                       : ['digital_signature']

# EXTENSION: Extended Key Usage ( 2.5.29.37 ) [CRITICAL: False]
  - Value                       : ['server_auth']

# EXTENSION: Basic Constraints ( 2.5.29.19 ) [CRITICAL: True]
  - Certificate Authority       : False
  - Path Length Constraint      : None

# EXTENSION: Subject Key Identifier ( 2.5.29.14 ) [CRITICAL: False]
  - Value                       : B3:D9:24:AA:E8:E7:41:AB:50:66:5B:4D:0C:00:F0:E6:40:F7:A5:87

# EXTENSION: Authority Key Identifier ( 2.5.29.35 ) [CRITICAL: False]
  - Key Identifier              : 8A:74:7F:AF:85:CD:EE:95:CD:3D:9C:D0:E2:46:14:F3:71:35:1D:27
  - Authority Cert Issuer       : None
  - Authority Cert Serial Number: None

# EXTENSION: Certificate Authority Information Access ( 1.3.6.1.5.5.7.1.1 ) [CRITICAL: False]
  - Item #1:
    - Access Method             : ocsp
    - Access Location           : http://ocsp.pki.goog/gts1c3
  - Item #2:
    - Access Method             : ca_issuers
    - Access Location           : http://pki.goog/repo/certs/gts1c3.der

# EXTENSION: Subject Alternative Name ( 2.5.29.17 ) [CRITICAL: False]
  - Value                       : ['www.google.com']

# EXTENSION: Certificate Policies ( 2.5.29.32 ) [CRITICAL: False]
  - Item #1:
    - Policy Identifier         : 2.23.140.1.2.1
    - Policy Qualifiers         : None
  - Item #2:
    - Policy Identifier         : 1.3.6.1.4.1.11129.2.5.3
    - Policy Qualifiers         : None

# EXTENSION: CRL Distribution Points ( 2.5.29.31 ) [CRITICAL: False]
  - Item #1:
    - Distribution Point        : ['http://crls.pki.goog/gts1c3/QOvJ0N1sT2A.crl']
    - Reasons                   : None
    - CRL Issuer                : None

# EXTENSION: Embedded Signed Certificate Timestamp List ( 1.3.6.1.4.1.11129.2.4.2 ) [CRITICAL: False]
  - Item #1:
    - Operator Name             : Google
    - Operator Description      : Google 'Argon2022' log
    - Operator URL              : https://ct.googleapis.com/logs/argon2022/
    - Version                   : 1
    - Timestamp                 : 2022-04-11 06:43:42.435000
    - Log Key ID                : 29:79:BE:F0:9E:39:39:21:F0:56:73:9F:63:A5:77:E5:BE:57:7D:9C:60:0A:F8:F9:4D:5D:26:5C:25:5D:C7:84
    - Signature                 : 30:45:02:20:4A:EC:A4:11:79:35:6F:47:44:6D:DA:86:45:20:77:83:AD:FF:63:52:5F:61:32:CF:50:83:6C:94:C8:AB:CF:11:02:21:00:A6:C0:9F:4E:3F:78:4E:72:0C:B4:4D:8B:CA:6B:0A:73:5E:88:4D:AF:5D:B2:D4:41:CB:7D:3F:96:A1:AD:0C:7A
    - Signature Algorithm       : ecdsa-with-SHA256
    - Extensions                :
  - Item #2:
    - Operator Name             : DigiCert
    - Operator Description      : DigiCert Nessie2022 Log
    - Operator URL              : https://nessie2022.ct.digicert.com/log/
    - Version                   : 1
    - Timestamp                 : 2022-04-11 06:43:42.444000
    - Log Key ID                : 51:A3:B0:F5:FD:01:79:9C:56:6D:B8:37:78:8F:0C:A4:7A:CC:1B:27:CB:F7:9E:88:42:9A:0D:FE:D4:8B:05:E5
    - Signature                 : 30:45:02:20:2C:73:88:CA:35:E6:C9:B2:7E:95:16:23:C9:EC:AA:DA:BE:68:DB:96:60:DE:BA:DB:5C:4E:1A:89:47:F7:4D:67:02:21:00:A0:16:5C:F1:32:92:64:21:CF:A3:7C:94:85:36:72:B3:37:F6:4A:05:4F:B0:20:7D:5C:B6:09:D8:4F:A9:7C:57
    - Signature Algorithm       : ecdsa-with-SHA256
    - Extensions                :

# PUBLIC_KEY
  - Key                         : 04:AB:0E:20:19:04:9A:90:A4:E1:65:66:A2:43:1D:3E:51:2E:DA:8E:91:CD:26:AC:DF:E2:A7:95:5D:C5:D5:C9:04:6C:D5:45:1A:0D:82:B4:A2:A9:3B:A7:32:AD:78:BE:9E:5F:69:27:12:FE:04:44:47:54:86:D1:38:32:58:11:24
  - Bit Size                    : 256
  - Byte Size                   : 32
  - Algorithm                   : ec
  - Parameters                  : secp256r1
  - Signature                   :
  - Signature Algorithm         : rsassa_pkcs1v15
  - Serial Number               : 50:69:89:19:16:59:07:17:0A:54:D0:54:F5:95:1D:3B

# FINGERPRINTS
  - SHA256                      : 02:F9:EC:93:15:EF:F8:08:93:59:89:DB:A9:81:04:46:85:AB:18:C8:2D:4B:D9:5D:FB:C4:96:88:15:C1:BD:C1
  - SHA1                        : B3:D9:24:AA:E8:E7:41:AB:50:66:5B:4D:0C:00:F0:E6:40:F7:A5:87

# ISSUER
  - Country Name                : US
  - Organization Name           : Google Trust Services LLC
  - Common Name                 : GTS CA 1C3

# SUBJECT
  - Common Name                 : www.google.com

# DETAILS
  - Type                        : CERTIFICATE
  - Version                     : 3
  - Subject Alternative Names   : ['www.google.com']
  - Is Certificate Authority    : False
  - Is Self Signed              : no
  - Is Self Issued              : False
  - Is Expired                  : False
  - Not Valid Before            : 2022-04-11 09:43:41+00:00
  - Not Valid After             : 2022-07-04 09:43:40+00:00
  - Issuer Short Form           : C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
  - Subject Short Form          : CN=www.google.com

# SOURCE
  - Chain Order                 : 1
  - Chain Type                  : server/leaf/end-entity
  - URL                         : https://google.com:443
  - Method                      : axonius_api_client.cert_human.stores.cert.Cert.from_requests_chain

--------------------------------------------------------------------------------
# EXTENSION: Key Usage ( 2.5.29.15 ) [CRITICAL: True]
  - Value                       : ['digital_signature', 'key_cert_sign', 'crl_sign']

# EXTENSION: Extended Key Usage ( 2.5.29.37 ) [CRITICAL: False]
  - Value                       : ['server_auth', 'client_auth']

# EXTENSION: Basic Constraints ( 2.5.29.19 ) [CRITICAL: True]
  - Certificate Authority       : True
  - Path Length Constraint      : 0

# EXTENSION: Subject Key Identifier ( 2.5.29.14 ) [CRITICAL: False]
  - Value                       : 8A:74:7F:AF:85:CD:EE:95:CD:3D:9C:D0:E2:46:14:F3:71:35:1D:27

# EXTENSION: Authority Key Identifier ( 2.5.29.35 ) [CRITICAL: False]
  - Key Identifier              : E4:AF:2B:26:71:1A:2B:48:27:85:2F:52:66:2C:EF:F0:89:13:71:3E
  - Authority Cert Issuer       : None
  - Authority Cert Serial Number: None

# EXTENSION: Certificate Authority Information Access ( 1.3.6.1.5.5.7.1.1 ) [CRITICAL: False]
  - Item #1:
    - Access Method             : ocsp
    - Access Location           : http://ocsp.pki.goog/gtsr1
  - Item #2:
    - Access Method             : ca_issuers
    - Access Location           : http://pki.goog/repo/certs/gtsr1.der

# EXTENSION: CRL Distribution Points ( 2.5.29.31 ) [CRITICAL: False]
  - Item #1:
    - Distribution Point        : ['http://crl.pki.goog/gtsr1/gtsr1.crl']
    - Reasons                   : None
    - CRL Issuer                : None

# EXTENSION: Certificate Policies ( 2.5.29.32 ) [CRITICAL: False]
  - Item #1:
    - Policy Identifier         : 1.3.6.1.4.1.11129.2.5.3
    - Policy Qualifiers Item #1:
      - Policy Qualifier ID     : certification_practice_statement
      - Qualifier               : https://pki.goog/repository/
  - Item #2:
    - Policy Identifier         : 2.23.140.1.2.1
    - Policy Qualifiers         : None
  - Item #3:
    - Policy Identifier         : 2.23.140.1.2.2
    - Policy Qualifiers         : None

# PUBLIC_KEY
  - Key                         : F5:88:DF:E7:62:8C:1E:37:F8:37:42:90:7F:6C:87:D0:FB:65:82:25:FD:E8:CB:6B:A4:FF:6D:E9:5A:23:E2:99:F6:1C:E9:92:03:99:13:7C:09:0A:8A:FA:42:D6:5E:56:24:AA:7A:33:84:1F:D1:E9:69:BB:B9:74:EC:57:4C:66:68:93:77:37:55:53:FE:39:10:4D:B7:34:BB:5F:25:77:37:3B:17:94:EA:3C:E5:9D:D5:BC:C3:B4:43:EB:2E:A7:47:EF:B0:44:11:63:D8:B4:41:85:DD:41:30:48:93:1B:BF:B7:F6:E0:45:02:21:E0:96:42:17:CF:D9:2B:65:56:34:07:26:04:0D:A8:FD:7D:CA:2E:EF:EA:48:7C:37:4D:3F:00:9F:83:DF:EF:75:84:2E:79:57:5C:FC:57:6E:1A:96:FF:FC:8C:9A:A6:99:BE:25:D9:7F:96:2C:06:F7:11:2A:02:80:80:EB:63:18:3C:50:49:87:E5:8A:CA:5F:19:2B:59:96:81:00:A0:FB:51:DB:CA:77:0B:0B:C9:96:4F:EF:70:49:C7:5C:6D:20:FD:99:B4:B4:E2:CA:2E:77:FD:2D:DC:0B:B6:6B:13:0C:8C:19:2B:17:96:98:B9:F0:8B:F6:A0:27:BB:B6:E3:8D:51:8F:BD:AE:C7:9B:B1:89:9D
  - Bit Size                    : 2048
  - Byte Size                   : 256
  - Algorithm                   : rsa
  - Parameters                  : None
  - Exponent                    : 65537
  - Signature                   :
  - Signature Algorithm         : rsassa_pkcs1v15
  - Serial Number               : 02:03:BC:53:59:6B:34:C7:18:F5:01:50:66

# FINGERPRINTS
  - SHA256                      : 51:BF:F8:F1:B5:7E:81:4C:A0:1D:B0:F7:0B:C8:8B:33:14:F3:22:C9:E8:29:4C:64:7A:40:07:42:3A:0A:34:E1
  - SHA1                        : 8A:74:7F:AF:85:CD:EE:95:CD:3D:9C:D0:E2:46:14:F3:71:35:1D:27

# ISSUER
  - Country Name                : US
  - Organization Name           : Google Trust Services LLC
  - Common Name                 : GTS Root R1

# SUBJECT
  - Country Name                : US
  - Organization Name           : Google Trust Services LLC
  - Common Name                 : GTS CA 1C3

# DETAILS
  - Type                        : CERTIFICATE
  - Version                     : 3
  - Is Certificate Authority    : True
  - Is Self Signed              : no
  - Is Self Issued              : False
  - Is Expired                  : False
  - Not Valid Before            : 2020-08-13 00:00:42+00:00
  - Not Valid After             : 2027-09-30 00:00:42+00:00
  - Issuer Short Form           : C=US, O=Google Trust Services LLC, CN=GTS Root R1
  - Subject Short Form          : C=US, O=Google Trust Services LLC, CN=GTS CA 1C3

# SOURCE
  - Chain Order                 : 2
  - Chain Type                  : intermediate/root CA
  - URL                         : https://google.com:443
  - Method                      : axonius_api_client.cert_human.stores.cert.Cert.from_requests_chain

--------------------------------------------------------------------------------
# EXTENSION: Key Usage ( 2.5.29.15 ) [CRITICAL: True]
  - Value                       : ['digital_signature', 'key_cert_sign', 'crl_sign']

# EXTENSION: Basic Constraints ( 2.5.29.19 ) [CRITICAL: True]
  - Certificate Authority       : True
  - Path Length Constraint      : None

# EXTENSION: Subject Key Identifier ( 2.5.29.14 ) [CRITICAL: False]
  - Value                       : E4:AF:2B:26:71:1A:2B:48:27:85:2F:52:66:2C:EF:F0:89:13:71:3E

# EXTENSION: Authority Key Identifier ( 2.5.29.35 ) [CRITICAL: False]
  - Key Identifier              : 60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B
  - Authority Cert Issuer       : None
  - Authority Cert Serial Number: None

# EXTENSION: Certificate Authority Information Access ( 1.3.6.1.5.5.7.1.1 ) [CRITICAL: False]
  - Item #1:
    - Access Method             : ocsp
    - Access Location           : http://ocsp.pki.goog/gsr1
  - Item #2:
    - Access Method             : ca_issuers
    - Access Location           : http://pki.goog/gsr1/gsr1.crt

# EXTENSION: CRL Distribution Points ( 2.5.29.31 ) [CRITICAL: False]
  - Item #1:
    - Distribution Point        : ['http://crl.pki.goog/gsr1/gsr1.crl']
    - Reasons                   : None
    - CRL Issuer                : None

# EXTENSION: Certificate Policies ( 2.5.29.32 ) [CRITICAL: False]
  - Item #1:
    - Policy Identifier         : 2.23.140.1.2.1
    - Policy Qualifiers         : None
  - Item #2:
    - Policy Identifier         : 2.23.140.1.2.2
    - Policy Qualifiers         : None
  - Item #3:
    - Policy Identifier         : 1.3.6.1.4.1.11129.2.5.3.2
    - Policy Qualifiers         : None
  - Item #4:
    - Policy Identifier         : 1.3.6.1.4.1.11129.2.5.3.3
    - Policy Qualifiers         : None

# PUBLIC_KEY
  - Key                         :
  - Bit Size                    : 4096
  - Byte Size                   : 512
  - Algorithm                   : rsa
  - Parameters                  : None
  - Exponent                    : 65537
  - Signature                   : 34:A4:1E:B1:28:A3:D0:B4:76:17:A6:31:7A:21:E9:D1:52:3E:C8:DB:74:16:41:88:B8:3D:35:1D:ED:E4:FF:93:E1:5C:5F:AB:BB:EA:7C:CF:DB:E4:0D:D1:8B:57:F2:26:6F:5B:BE:17:46:68:94:37:6F:6B:7A:C8:C0:18:37:FA:25:51:AC:EC:68:BF:B2:C8:49:FD:5A:9A:CA:01:23:AC:84:80:2B:02:8C:99:97:EB:49:6A:8C:75:D7:C7:DE:B2:C9:97:9F:58:48:57:0E:35:A1:E4:1A:D6:FD:6F:83:81:6F:EF:8C:CF:97:AF:C0:85:2A:F0:F5:4E:69:09:91:2D:E1:68:B8:C1:2B:73:E9:D4:D9:FC:22:C0:37:1F:0B:66:1D:49:ED:02:55:8F:67:E1:32:D7:D3:26:BF:70:E3:3D:F4:67:6D:3D:7C:E5:34:88:E3:32:FA:A7:6E:06:6A:6F:BD:8B:91:EE:16:4B:E8:3B:A9:B3:37:E7:C3:44:A4:7E:D8:6C:D7:C7:46:F5:92:9B:E7:D5:21:BE:66:92:19:94:55:6C:D4:29:B2:0D:C1:66:5B:E2:77:49:48:28:ED:9D:D7:1A:33:72:53:B3:82:35:CF:62:8B:C9:24:8B:A5:B7:39:0C:BB:7E:2A:41:BF:52:CF:FC:A2:96:B6:C2:82:3F
  - Signature Algorithm         : rsassa_pkcs1v15
  - Serial Number               : 77:BD:0D:6C:DB:36:F9:1A:EA:21:0F:C4:F0:58:D3:0D

# FINGERPRINTS
  - SHA256                      : 94:AF:08:AC:6B:BE:62:BD:DB:9E:E8:83:9F:18:B9:91:29:06:91:C0:B3:5D:B2:65:1B:58:D9:8B:6A:4B:EA:38
  - SHA1                        : E4:AF:2B:26:71:1A:2B:48:27:85:2F:52:66:2C:EF:F0:89:13:71:3E

# ISSUER
  - Country Name                : BE
  - Organization Name           : GlobalSign nv-sa
  - Organizational Unit Name    : Root CA
  - Common Name                 : GlobalSign Root CA

# SUBJECT
  - Country Name                : US
  - Organization Name           : Google Trust Services LLC
  - Common Name                 : GTS Root R1

# DETAILS
  - Type                        : CERTIFICATE
  - Version                     : 3
  - Is Certificate Authority    : True
  - Is Self Signed              : no
  - Is Self Issued              : False
  - Is Expired                  : False
  - Not Valid Before            : 2020-06-19 00:00:42+00:00
  - Not Valid After             : 2028-01-28 00:00:42+00:00
  - Issuer Short Form           : C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
  - Subject Short Form          : C=US, O=Google Trust Services LLC, CN=GTS Root R1

# SOURCE
  - Chain Order                 : 3
  - Chain Type                  : intermediate/root CA
  - URL                         : https://google.com:443
  - Method                      : axonius_api_client.cert_human.stores.cert.Cert.from_requests_chain
** Wrote 3 certificates in str format to STDOUT

Ok so what did this do?

  • It requested the certificate from google.com.
  • It saw that there were two other certificates as part of the trust chain and pulled all three certificates down.
  • Then, due to the command we used, it displayed all the information for all three certificates to STDOUT.

This provides an easy way to check the details of the full certificate chain to make sure the expected result is the actual result.
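
Beyond reading the output, the three certificates can be checked against each other: each certificate's issuer should be the next one's subject, its Authority Key Identifier should equal the next one's Subject Key Identifier, every certificate above the leaf must be a CA whose path length constraint allows the CAs below it, and all of them must be valid at the time of the check. The following is an added example, not part of axonius_api_client or of the from-url command; it applies those checks to summaries of the three certificates, with the subjects, issuers, key identifiers and validity dates copied from the output above. CertSummary, check_chain and trust_anchor_needed are names chosen for this example. Note what it reports for the last certificate: GTS Root R1 is presented here cross-signed by GlobalSign Root CA, so it is not self-signed, and the actual trust anchor has to come from the local trust store (which is exactly what an SSL-inspecting proxy swaps out).

```python
"""Consistency checks over a served certificate chain, using only the fields
from-url prints. Added example, not axonius_api_client code."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class CertSummary:
    subject: str             # Subject Short Form
    issuer: str              # Issuer Short Form
    ski: str                 # Subject Key Identifier
    aki: Optional[str]       # Authority Key Identifier (absent on some self-signed roots)
    is_ca: bool              # Basic Constraints: Certificate Authority
    path_len: Optional[int]  # Basic Constraints: Path Length Constraint
    not_before: datetime
    not_after: datetime


def utc(stamp: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM:SS' as UTC, the way the output prints validity."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


# Values copied from the from-url output for google.com above (chain order #1..#3).
GOOGLE_CHAIN: List[CertSummary] = [
    CertSummary(
        subject="CN=www.google.com",
        issuer="C=US, O=Google Trust Services LLC, CN=GTS CA 1C3",
        ski="B3:D9:24:AA:E8:E7:41:AB:50:66:5B:4D:0C:00:F0:E6:40:F7:A5:87",
        aki="8A:74:7F:AF:85:CD:EE:95:CD:3D:9C:D0:E2:46:14:F3:71:35:1D:27",
        is_ca=False, path_len=None,
        not_before=utc("2022-04-11 09:43:41"), not_after=utc("2022-07-04 09:43:40")),
    CertSummary(
        subject="C=US, O=Google Trust Services LLC, CN=GTS CA 1C3",
        issuer="C=US, O=Google Trust Services LLC, CN=GTS Root R1",
        ski="8A:74:7F:AF:85:CD:EE:95:CD:3D:9C:D0:E2:46:14:F3:71:35:1D:27",
        aki="E4:AF:2B:26:71:1A:2B:48:27:85:2F:52:66:2C:EF:F0:89:13:71:3E",
        is_ca=True, path_len=0,
        not_before=utc("2020-08-13 00:00:42"), not_after=utc("2027-09-30 00:00:42")),
    CertSummary(
        subject="C=US, O=Google Trust Services LLC, CN=GTS Root R1",
        issuer="C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA",
        ski="E4:AF:2B:26:71:1A:2B:48:27:85:2F:52:66:2C:EF:F0:89:13:71:3E",
        aki="60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B",
        is_ca=True, path_len=None,
        not_before=utc("2020-06-19 00:00:42"), not_after=utc("2028-01-28 00:00:42")),
]


def check_chain(chain: List[CertSummary], now: datetime) -> List[str]:
    """Return a list of problems (empty when the chain is internally consistent).

    Checks, leaf first: validity window at `now`; each issuer equals the next
    subject; each AKI equals the next SKI; every certificate above the leaf is
    a CA whose path length constraint allows the number of CAs below it.
    """
    findings: List[str] = []
    if not chain:
        return ["chain is empty"]
    for idx, cert in enumerate(chain):
        tag = f"#{idx + 1} {cert.subject}"
        if not (cert.not_before <= now <= cert.not_after):
            findings.append(f"{tag}: not valid at {now:%Y-%m-%d} "
                            f"(valid {cert.not_before:%Y-%m-%d} to {cert.not_after:%Y-%m-%d})")
        if idx > 0:
            if not cert.is_ca:
                findings.append(f"{tag}: signs other certificates but is not a CA")
            cas_below = idx - 1  # CA certificates between this one and the leaf
            if cert.path_len is not None and cas_below > cert.path_len:
                findings.append(f"{tag}: path length {cert.path_len} exceeded ({cas_below} CAs below)")
        if idx + 1 < len(chain):
            parent = chain[idx + 1]
            if cert.issuer != parent.subject:
                findings.append(f"{tag}: issuer '{cert.issuer}' is not the next subject '{parent.subject}'")
            if cert.aki is not None and cert.aki != parent.ski:
                findings.append(f"{tag}: AKI {cert.aki} does not match next SKI {parent.ski}")
    return findings


def trust_anchor_needed(chain: List[CertSummary]) -> Optional[str]:
    """Issuer the local trust store must hold, or None when the last certificate
    is self-signed and is therefore itself the anchor."""
    last = chain[-1]
    return None if last.issuer == last.subject else last.issuer


if __name__ == "__main__":
    when = utc("2022-05-01 00:00:00")
    print("problems:", check_chain(GOOGLE_CHAIN, when) or "none")
    print("trust anchor needed:", trust_anchor_needed(GOOGLE_CHAIN))
    print("after leaf expiry:", check_chain(GOOGLE_CHAIN, utc("2022-08-01 00:00:00")))
```

Run against the chain as captured on the page at a date inside the leaf's validity window, the checks pass and the only thing left to confirm is that GlobalSign Root CA is in the client's trust store (or, after a ca-add on the Axonius server, in the server's custom CA list). In an SSL-inspection environment the same function would flag the substituted chain immediately: the issuer names and key identifiers no longer link to the Google intermediates, and the trust anchor it names is the inspection CA rather than GlobalSign.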
