Description
This is a WPF tool that allows you to connect to remote web servers and examine SSL certificates.
The tool provides the following functionality:
- Validates the SSL certificate and all certificates in the chain for possible errors;
- Implements certificate expiration checking. Certificate expiration is checked for all certificates in the chain;
- Checks certificates for all possible redirection URLs;
- Writes a trace/debug log for each processed entry;
- Provides the ability to save a server list to a file and read the list back from a file.
The tool requires .NET Framework 4.5.
Main Window
The main window contains a list of remote SSL/TLS servers and control buttons. There are three possible validation outcomes:
- Ok
Client was able to successfully connect to remote server over SSL/TLS and its certificate passed all validation checks based on current settings.
- Error
Client was either unable to connect to the remote server over SSL/TLS, or its certificate failed certificate validation checks.
- Warning
Client was able to successfully connect to the remote server over SSL/TLS and its certificate passed all validation checks, but the certificate is about to expire.
When a particular entry is selected, a trace log with certificate details is shown. By right-clicking a remote server entry and selecting its properties, you can configure proxy settings if necessary.
Certificate View
Additionally, there is a certificate view, located under the Certificates tab.
The certificate view dialog shows the certificate chain and its errors. Native errors show potential issues with the selected certificate itself. Propagated errors show potential issues propagated from upper-level certificates (intermediate CA certificates). The following image shows errors associated with a certificate that failed validation checks:
By pressing the View Certificate button, the certificate UI dialog provided by the operating system is shown.
HTML Report
After scan completion, you can save the current application state to an HTML report by clicking the “Save HTML Report” toolbar button.
The HTML report provides detailed information about every HTTP redirect, the certificate chain, every certificate's details and even the full certificate in PEM format.
Script Automation
You can automate server scans using Windows PowerShell and create scheduled tasks to run scans on a regular basis:
PS C:\> Add-Type -Path "C:\Program Files\PKI Solutions\SSL Verifier\SSLVerifier.Core.dll"
PS C:\> $server = New-Object SSLVerifier.Core.Default.ServerEntry "google.lv"
PS C:\> $config = New-Object SSLVerifier.Core.Default.CertProcessorConfig
PS C:\> $scanner = New-Object SSLVerifier.Core.Processor.CertProcessor $config
PS C:\> $scanner.StartScan($server)
PS C:\> $server

ServerAddress : google.lv
Port          : 443
Proxy         : SSLVerifier.Core.Default.ServerEntryProxy
ItemStatus    : Valid
Log           : SSLVerifier.Core.Default.ServerLogWriter
SAN           : {DNS Name=*.google.lv, DNS Name=*.google.com.lv, DNS Name=google.com.lv, DNS Name=google.lv...}
ChainStatus   : NoError
Certificate   : [Subject]
                  CN=*.google.lv, O=Google LLC, L=Mountain View, S=California, C=US

                [Issuer]
                  CN=GTS CA 1O1, O=Google Trust Services, C=US

                [Serial Number]
                  0096E49317B4886A040200000000726DC1

                [Not Before]
                  2020.07.07. 11:14:00

                [Not After]
                  2020.09.29. 11:14:00

                [Thumbprint]
                  7F31CB3D7A6C4A28D2D5A7F96E7709C44D43CC97

Tree          : {SSLVerifier.Core.Models.TreeNode`1[SSLVerifier.Core.IChainElement], SSLVerifier.Core.Models.TreeNode`1[SSLVerifier.Core.IChainElement]}

PS C:\> if ($server.ItemStatus -ne "Valid") {
>> # perform required actions for failed scan. For example, send email alert
>> }
>>
PS C:\>
Follow this post for more details.
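The following script is an added example, not part of the SSL Verifier documentation or the product's own code. It builds on the SSLVerifier.Core classes shown in the session above (ServerEntry, CertProcessorConfig, CertProcessor, StartScan, ItemStatus, ChainStatus, Certificate) to scan a whole list of hosts and classify each one into the same Ok / Warning / Error outcomes the main window uses. It assumes the default install path from the page, a constructed input file servers.txt (hypothetical path) with one host name per line, and that the Certificate property is a .NET X509Certificate2 (its NotAfter property drives the expiry warning); the output format above suggests that type, but the page does not state it.

```powershell
# Added example (not the SSL Verifier Tool's own code): scan a list of servers
# with SSLVerifier.Core and report anything that is not Ok.
param(
    # Default install path as shown on the page.
    [string]$DllPath = "C:\Program Files\PKI Solutions\SSL Verifier\SSLVerifier.Core.dll",
    # Hypothetical path: one host name per line.
    [string]$ServerList = "C:\Scans\servers.txt",
    # Warn when the leaf certificate expires within this many days.
    [int]$WarnDays = 30
)

Add-Type -Path $DllPath

# One configuration object and one processor are reused for every host.
$config  = New-Object SSLVerifier.Core.Default.CertProcessorConfig
$scanner = New-Object SSLVerifier.Core.Processor.CertProcessor $config

$results = foreach ($hostName in (Get-Content $ServerList | Where-Object { $_.Trim() })) {
    $server = New-Object SSLVerifier.Core.Default.ServerEntry $hostName.Trim()
    $scanner.StartScan($server)

    # Assumption: Certificate is a System.Security.Cryptography.X509Certificates.X509Certificate2.
    # It may be null when the connection itself failed.
    $daysLeft = $null
    if ($server.Certificate) {
        $daysLeft = [int]($server.Certificate.NotAfter - (Get-Date)).TotalDays
    }

    # Mirror the GUI's three outcomes: Error (ItemStatus is not Valid),
    # Warning (valid but about to expire), otherwise Ok.
    $outcome = "Ok"
    if ($daysLeft -ne $null -and $daysLeft -le $WarnDays) { $outcome = "Warning" }
    if ($server.ItemStatus -ne "Valid") { $outcome = "Error" }

    [pscustomobject]@{
        Server      = $server.ServerAddress
        Port        = $server.Port
        ItemStatus  = $server.ItemStatus
        ChainStatus = $server.ChainStatus
        DaysLeft    = $daysLeft
        Outcome     = $outcome
    }
}

$results | Format-Table -AutoSize

# Anything that is not Ok is what a scheduled task should alert on (for example
# with Send-MailMessage). Here it goes to the warning stream so the Task Scheduler
# job output captures it.
$results | Where-Object Outcome -ne "Ok" | ForEach-Object {
    Write-Warning ("{0}:{1} -> {2} (ItemStatus={3}, ChainStatus={4})" -f
        $_.Server, $_.Port, $_.Outcome, $_.ItemStatus, $_.ChainStatus)
}
```

To run it on a schedule, save the script to a file and register it with Register-ScheduledTask, using New-ScheduledTaskAction with powershell.exe and a -File argument pointing at the script, plus a New-ScheduledTaskTrigger for the desired interval. Because the processor is created once with a CertProcessorConfig, any validation options you set on that object apply to every host in the list.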
Application Settings
The application has several settings, opened via Options -> Settings:
In this dialog, you can configure some validation options:
- Search Transparency Log
When enabled, searches for TLS certificate in public Certificate Transparency Logs.
- Strict EKU validation
When enabled, this option requires that the entire certificate chain is valid for the Server Authentication enhanced key usage. Otherwise, the Server Authentication EKU is checked on the leaf certificate only.
- Allow user trust
By default, certificate chains are built against the trusted root CA store in the machine context (local computer). Trusted root CAs manually added to the current user store are not trusted by default.
- Require minimum RSA public key length
Enforces an RSA public key length that must be equal to or greater than the specified value. This setting has effect only on RSA public keys; ECC (elliptic curve cryptography) key length is not enforced.
- Protocol list
Specifies the allowed SSL/TLS protocols. SSL Verifier Tool attempts to connect to the remote server using the best protocol. If the connection fails and other allowed protocols remain, they are attempted in turn until the connection succeeds or there are no more allowed SSL/TLS protocols, in which case the connection fails.
- Invalidate weak signature algorithm
When enabled, specifies a set of disallowed signature algorithms for leaf and intermediate CA certificates. The signature algorithm list is not applied to root certificates (presented in self-signed form); their signature algorithm is not checked.
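To make the semantics of the Strict EKU validation, minimum RSA key length and weak signature algorithm settings concrete, here is an added example that is not the SSL Verifier Tool's own code. It builds a chain for a certificate file with the .NET X509Chain class (which, like the tool's default, resolves against the local machine's trust store) and applies rules of the same shape to each chain element: Server Authentication EKU on every element or on the leaf only, an RSA-only key length floor, and a signature algorithm deny list that exempts the self-signed root. The certificate path and the rule values are assumptions; the EKU interpretation that a CA certificate with no EKU extension is unrestricted is the example's own reading, not something the page states.

```powershell
# Added example (not the SSL Verifier Tool's own code): apply Settings-style
# validation rules to every element of a certificate chain.
using namespace System.Security.Cryptography.X509Certificates

param(
    [string]$CertPath   = "C:\Scans\leaf.cer",         # hypothetical DER/PEM certificate file
    [bool]$StrictEku    = $true,                        # "Strict EKU validation"
    [int]$MinRsaBits    = 2048,                         # "Require minimum RSA public key length"
    [string[]]$WeakSigs = @("md5RSA", "sha1RSA")        # "Invalidate weak signature algorithm"
)

$ServerAuthOid = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
$RsaOid        = "1.2.840.113549.1.1.1" # rsaEncryption

$leaf  = [X509Certificate2]::new($CertPath)
$chain = [X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck   # keep the example offline
$null  = $chain.Build($leaf)   # elements are populated even when Build returns $false

$findings = foreach ($element in $chain.ChainElements) {
    $cert   = $element.Certificate
    $isLeaf = $cert.Thumbprint -eq $leaf.Thumbprint
    $isRoot = $cert.Subject -eq $cert.Issuer            # self-signed root, as the page describes
    $role   = "Intermediate"
    if ($isLeaf) { $role = "Leaf" } elseif ($isRoot) { $role = "Root" }
    $errors = New-Object System.Collections.Generic.List[string]

    # Strict EKU: every element must be valid for Server Authentication; otherwise leaf only.
    if ($StrictEku -or $isLeaf) {
        $eku = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
        $hasServerAuth = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object Value -eq $ServerAuthOid))
        # Example's interpretation: a CA certificate with no EKU extension is unrestricted;
        # an EKU list that omits Server Authentication fails. The leaf must carry it explicitly.
        if (($isLeaf -and -not $hasServerAuth) -or ($eku -and -not $hasServerAuth)) {
            $errors.Add("Server Authentication EKU missing")
        }
    }

    # Minimum RSA key length; ECC keys are not enforced, matching the setting's description.
    if ($cert.PublicKey.Oid.Value -eq $RsaOid) {
        $rsa = [RSACertificateExtensions]::GetRSAPublicKey($cert)
        if ($rsa.KeySize -lt $MinRsaBits) {
            $errors.Add("RSA key is $($rsa.KeySize) bits, minimum is $MinRsaBits")
        }
    }

    # Weak signature algorithm: applies to leaf and intermediates, root is exempt.
    $sigAlg = $cert.SignatureAlgorithm.FriendlyName
    if (-not $isRoot -and $WeakSigs -contains $sigAlg) {
        $errors.Add("Weak signature algorithm $sigAlg")
    }

    [pscustomobject]@{
        Role         = $role
        Subject      = $cert.Subject
        NativeStatus = ($element.ChainElementStatus | ForEach-Object Status) -join ", "
        PolicyErrors = $errors -join "; "
    }
}

$findings | Format-Table -AutoSize
```

NativeStatus is what Windows chain building itself reports for that element (the counterpart of the tool's native errors), while PolicyErrors holds the rule violations the script adds on top. Propagation of an intermediate's failure down to the leaf, which the certificate view shows as propagated errors, is left to the reader: any element with a non-empty PolicyErrors invalidates everything below it in the chain.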
Download Now
Ready to dive into the SSL Certificate Verifier Tool? Just fill out your information and click the ‘Download’ button to get started!