
from miller import blake

Hello, I'm a Seattle-based site reliability engineering manager, I get paid to do what I love, I like Python, I'm in an abusive relationship with JavaScript, I'm a fan of good design, and I don't think things always have to be so stupid.
You can follow me @bltmiller, subscribe via RSS, and email me.

Sanpai – Inspect Subject Alternative Names on SSL Certificates

There are plenty of ways to inspect and work with SSL certificates, but I could not find anything quick and easy that lets me visually and programmatically inspect the contents of an SSL certificate’s SANs. Sure, I can bust out a nasty one-liner from the command line, but nothing beats the ease of a quick Python script.

My Bash one-liner would look something like this (which lines up with what a few folks on Stack Overflow came up with):

$ openssl x509 -in cert.pem -text | grep "DNS" | tr ',' '\n' | sed 's/DNS://'

and while that totally works, it lacks convenience. If you’re having to update your SANs regularly, it can be helpful to get a quick diff on the before/after change; ultimately, my laziness will always win out. So here’s Sanpai:

$ sanpai cert.pem
www.btmiller.com
subdomain.btmiller.com
*.btmiller.com
wewlad.btmiller.net
jeff.lebowski.dude
...
subdomain2.btmiller.com

The whole set of OpenSSL command line tools is great, but it’s just a little too unwieldy for my taste in a pinch. As mentioned earlier, when you’re updating your SANs regularly and want to validate the added/removed domains, pass the second file to compare against with --diff. For example, to confirm that jeff.lebowski.dude from the previous output has been removed:

$ sanpai cert-old.pem --diff cert-new.pem
! www.btmiller.com
! subdomain.btmiller.com
! *.btmiller.com
! wewlad.btmiller.net
- jeff.lebowski.dude
  ...
! subdomain2.btmiller.com

Behind the scenes, Sanpai uses the awesome Python Cryptography package.
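For anyone who wants to see how the listing and the --diff output above can be produced with that package, here is an added example (my own illustration, not Sanpai's source): it pulls the SubjectAlternativeName extension out of a PEM certificate in certificate order, prefixes non-DNS entries so an IP or email SAN is not mistaken for a host name, and diffs two lists using the same markers as the output above ("!" unchanged, "-" removed; "+" for added entries is my assumption). Because no certificate file is available offline, the block also builds its own short-lived self-signed test certificates with the same library; those names are constructed sample data, and make_test_cert, san_entries and diff_sans are names I chose for this example.

```python
"""List and diff Subject Alternative Names of PEM certificates (example code)."""
import datetime
import ipaddress
import sys

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID


def san_entries(pem_data: bytes) -> list[str]:
    """Return the SAN entries of a PEM certificate, in certificate order.

    DNS names are returned bare (the normal case); other GeneralName types are
    prefixed so they cannot be confused with host names. A certificate with no
    SAN extension yields an empty list rather than raising.
    """
    cert = x509.load_pem_x509_certificate(pem_data)
    try:
        ext = cert.extensions.get_extension_for_oid(
            ExtensionOID.SUBJECT_ALTERNATIVE_NAME
        )
    except x509.ExtensionNotFound:
        return []
    entries = []
    for name in ext.value:  # SubjectAlternativeName iterates GeneralNames in order
        if isinstance(name, x509.DNSName):
            entries.append(name.value)
        elif isinstance(name, x509.IPAddress):
            entries.append(f"IP:{name.value}")
        elif isinstance(name, x509.RFC822Name):
            entries.append(f"email:{name.value}")
        elif isinstance(name, x509.UniformResourceIdentifier):
            entries.append(f"URI:{name.value}")
        else:
            entries.append(f"{type(name).__name__}:{name.value!r}")
    return entries


def diff_sans(old: list[str], new: list[str]) -> list[tuple[str, str]]:
    """Compare two SAN lists: '!' unchanged, '-' removed from old, '+' new only.

    Old entries keep their certificate order; additions are appended after them.
    """
    old_set, new_set = set(old), set(new)
    rows = [("!" if entry in new_set else "-", entry) for entry in old]
    rows += [("+", entry) for entry in new if entry not in old_set]
    return rows


def make_test_cert(dns_names: list[str], ips: list[str] = ()) -> bytes:
    """Build a throwaway self-signed certificate carrying the given SANs.

    Only here so the example runs offline; real use reads cert files instead.
    """
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, dns_names[0])])
    now = datetime.datetime.now(datetime.timezone.utc)
    general_names = [x509.DNSName(n) for n in dns_names]
    general_names += [x509.IPAddress(ipaddress.ip_address(ip)) for ip in ips]
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.SubjectAlternativeName(general_names), critical=False)
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        # Usage: python sans.py old.pem [new.pem]
        old = san_entries(open(sys.argv[1], "rb").read())
        if len(sys.argv) == 2:
            print("\n".join(old))
        else:
            new = san_entries(open(sys.argv[2], "rb").read())
            for marker, entry in diff_sans(old, new):
                print(marker, entry)
    else:
        # No files given: demonstrate on constructed certificates.
        before = san_entries(make_test_cert(
            ["www.btmiller.com", "jeff.lebowski.dude", "subdomain2.btmiller.com"],
            ips=["192.0.2.10"]))
        after = san_entries(make_test_cert(
            ["www.btmiller.com", "subdomain2.btmiller.com"], ips=["192.0.2.10"]))
        for marker, entry in diff_sans(before, after):
            print(marker, entry)
```

Run it with one PEM file to list the SANs, or with two to diff them; with no arguments it diffs two self-generated certificates so you can see the markers. Note that the diff compares exact strings, so "*.btmiller.com" and "www.btmiller.com" are distinct entries, which is exactly what you want when checking that a wildcard has not quietly replaced a specific name.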


Copyright © 2020, Blake Miller. All rights reserved.