As of late I’ve had to deal with a lot more SSL certificates and with ensuring they’re set up properly.
That came with some problems. Creating a Certificate Signing Request (CSR) and installing/renewing a cert isn’t too difficult and browsing to the site afterward will generally let you know if it’s functional.
However, ensuring the certificate chain is set up correctly and all intermediate certs are present is a different animal, as is getting flagged because the server isn’t PCI compliant due to the SSL configuration.
After a lot of research and trial and error, I collected a few SSL certificate tools.
Here are the tools that I found to be very useful to help determine if everything is set up correctly and securely. As I come across more/other tools I’ll amend this post.
Symantec offers this web tool that will let you check your certificate chain. The same site also lets you check whether your CSR is valid. Another cool thing about it is that it even works if you have an SSL cert on a site that’s behind a firewall and can’t be scanned from the world wide web. When the site can’t reach the domain you want to check, it launches a Java applet that runs the scan from your machine. It basically assumes that DNS is set up within your network and that you can reach the server on that domain from your machine. Pretty clever if you ask me, and I already got a lot of use out of it.
Here is what it looks like when checking Google’s SSL cert:
Qualys offers a similar web-based tool that checks not only certificate chains but also vulnerabilities on your server (like SSLv2 being enabled):
Here is a screenshot of checking Google’s SSL cert with the Qualys tool:
Now some of the things that are flagged as vulnerabilities will most likely require some registry changes. Some of them aren’t too difficult, but, assuming your web server runs Windows, I highly recommend IISCrypto.
It’s a more or less simple standalone Windows Forms app that reads your registry and allows you to change what you’re after (most of the time):
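A read-only way to see the protocol values that such registry changes touch, as an added PowerShell example (not part of the original post and not IISCrypto's own code). It assumes the standard Schannel `Protocols` registry location and looks only at the `Server` role; the function name is hypothetical.

```powershell
# Added example: read-only audit of Schannel protocol settings (server role).
# Assumption: the standard Schannel location below; nothing is modified.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$legacy = 'SSL 2.0', 'SSL 3.0'   # protocols a scanner will flag if offered

# Hypothetical helper name, introduced for this example.
function Get-SchannelServerProtocolState {
    param([Parameter(Mandatory)][string]$Protocol)

    $key = Join-Path (Join-Path $base $Protocol) 'Server'
    $enabled = $null
    $disabledByDefault = $null
    # No key or no Enabled value means the Windows built-in default applies.
    $state = 'Not configured (OS default)'

    if (Test-Path -LiteralPath $key) {
        $props = Get-ItemProperty -LiteralPath $key
        $enabled = $props.Enabled
        $disabledByDefault = $props.DisabledByDefault
        if ($null -ne $enabled) {
            # Enabled is a DWORD: 0 disables the protocol, non-zero enables it.
            $state = if ($enabled -eq 0) { 'Disabled' } else { 'Enabled' }
        }
    }

    # Legacy protocols should be explicitly disabled, not left to OS defaults,
    # so anything other than 'Disabled' is flagged for a manual look.
    $needsReview = ($legacy -contains $Protocol) -and ($state -ne 'Disabled')

    [pscustomobject]@{
        Protocol          = $Protocol
        State             = $state
        Enabled           = $enabled
        DisabledByDefault = $disabledByDefault
        NeedsReview       = $needsReview
    }
}

$protocols | ForEach-Object { Get-SchannelServerProtocolState -Protocol $_ } |
    Format-Table -AutoSize
```

Rows with `NeedsReview` set to `True` are the ones to compare against what the external scan reported before changing anything.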
I hope this was helpful.
If you have other tools you use to identify and fix these types of problems please add a comment with some details below.