Managing SSL certificates on your network can be challenging. As more and more software uses encryption, there are more and more certificates to keep track of. These certificates come in many shapes and forms, which can make finding them difficult: they can be encoded in Base64 or DER, they can live in key stores such as JKS stores or the Windows certificate store, or they can be encrypted files somewhere on the file system. There is only one place where all certificates look the same no matter how they are stored – the network.
SSL Certificates over the network
Contrary to popular belief, when traffic between servers is encrypted using TLS or SSL, the certificates themselves are actually not encrypted. If you think about this, it isn’t too surprising. Before establishing a secure connection between a client and a server, the client needs to read the certificate information to make sure that it trusts the server. The full certificate information is sent over the network by the server to the client as part of the SSL Handshake protocol.
The format of this information is dictated by the SSL protocol, which makes the data that is sent identical no matter how and where the certificate is actually stored on the server. We can use this to answer some basic questions about any SSL certificate:
- Which SSL certificates are actually in use – The fact that a certificate file exists somewhere on a server does not necessarily mean that the certificate is being used. If it is sent over the network to a client, it is definitely in use.
- Where a certificate is being used – SSL certificates, especially those with wildcard common names, may be copied to and used on more than one server. Using the serial number of a certificate, we can track all the servers that use a specific certificate.
- When the certificate is expiring – One of the most important things to keep track of with SSL certificates is when they expire. An expired certificate can break applications and cause significant downtime until the certificate is found and replaced. Knowing ahead of time when a certificate will expire can save us from this.
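To show what the handshake actually carries and how the three questions above can be answered from it, here is an added Python example; it is not code from the original post. It assumes the input is the server-to-client TCP payload of a TLS 1.0 to 1.2 session (the bytes Wireshark's "Follow TCP Stream" exports); TLS 1.3 encrypts the Certificate message, so the cleartext approach described here, and this parser, only apply to earlier versions. The sample certificates and the TLS records wrapping them are constructed inline: the names, serial numbers and dates are made up, and the certificates are unsigned stand-ins with empty algorithm and key fields, just enough structure for the parser. The DER helpers cover only the TBSCertificate fields needed for the serial number, the subject and issuer common names and the expiry date.

```python
# Added example (not code from the original post): pull the server certificates out
# of raw TLS 1.0-1.2 handshake bytes (Wireshark "Follow TCP Stream", server->client)
# and answer the post's three questions. TLS 1.3 encrypts the Certificate message.
import struct
from datetime import datetime, timezone

TLS_HANDSHAKE, HS_CERTIFICATE = 22, 11   # record content type / handshake message type
OID_CN = b"\x55\x04\x03"                  # id-at-commonName (OID value bytes)

def der_read(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low bits = byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value) for each TLV nested in a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        yield tag, val

def common_name(name):
    """CN attribute of an X.501 Name, or None if absent."""
    for _, rdn in der_children(name):                 # SET OF AttributeTypeAndValue
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)     # SEQUENCE { type, value }
            if oid == OID_CN:
                return val.decode()
    return None

def summarize_cert(der, now):
    """Serial, subject/issuer CN and remaining lifetime of one DER certificate."""
    _, cert, _ = der_read(der)
    _, tbs = next(der_children(cert))                  # tbsCertificate
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields.pop(0)
    serial, _sig_alg, issuer, validity, subject = fields[:5]
    _not_before, (ttag, tval) = der_children(validity[1])
    fmt = "%y%m%d%H%M%SZ" if ttag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    expiry = datetime.strptime(tval.decode(), fmt).replace(tzinfo=timezone.utc)
    return {"serial": format(int.from_bytes(serial[1], "big"), "x"),
            "issuer": common_name(issuer[1]), "subject": common_name(subject[1]),
            "not_after": expiry, "days_left": (expiry - now).days}

def extract_certificates(stream):
    """Return the DER certs from every Certificate message in a TLS byte stream."""
    handshake, pos = b"", 0
    while pos + 5 <= len(stream):                      # walk TLS records
        ctype, _version, rlen = struct.unpack("!BHH", stream[pos:pos + 5])
        if ctype == TLS_HANDSHAKE:                     # concatenate: a Certificate message
            handshake += stream[pos + 5:pos + 5 + rlen]  # usually spans several records
        pos += 5 + rlen
    certs, hpos = [], 0
    while hpos + 4 <= len(handshake):                  # walk handshake messages
        htype, hlen = handshake[hpos], int.from_bytes(handshake[hpos + 1:hpos + 4], "big")
        body, hpos = handshake[hpos + 4:hpos + 4 + hlen], hpos + 4 + hlen
        if htype != HS_CERTIFICATE:
            continue
        cpos, end = 3, 3 + int.from_bytes(body[:3], "big")   # certificate_list length
        while cpos < end:                              # each entry: 3-byte length + DER
            clen = int.from_bytes(body[cpos:cpos + 3], "big")
            certs.append(body[cpos + 3:cpos + 3 + clen])
            cpos += 3 + clen
    return certs

# ---- constructed sample capture: a stand-in, not a real server's handshake ----
def der_encode(tag, value):
    return bytes([tag, len(value)]) + value           # short-form length only (values < 128 bytes)
def _name(cn):
    atv = der_encode(0x06, OID_CN) + der_encode(0x0C, cn.encode())
    return der_encode(0x30, der_encode(0x31, der_encode(0x30, atv)))
_utc = lambda dt: der_encode(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def build_sample_cert(serial, subject_cn, issuer_cn, not_after):
    """Structurally valid, unsigned stand-in; algorithm and key fields are empty placeholders."""
    tbs = (der_encode(0xA0, der_encode(0x02, b"\x02"))                      # version v3
           + der_encode(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
           + der_encode(0x30, b"") + _name(issuer_cn)                        # sigalg, issuer
           + der_encode(0x30, _utc(datetime(2023, 1, 1, tzinfo=timezone.utc)) + _utc(not_after))
           + _name(subject_cn) + der_encode(0x30, b""))                     # subject, SPKI
    return der_encode(0x30, der_encode(0x30, tbs) + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))

def build_sample_stream(certs, max_fragment=64):
    """Wrap certs in one Certificate message and split it across TLS 1.2 records."""
    clist = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    msg = bytes([HS_CERTIFICATE]) + (len(clist) + 3).to_bytes(3, "big") + len(clist).to_bytes(3, "big") + clist
    frags = [msg[i:i + max_fragment] for i in range(0, len(msg), max_fragment)]
    return b"".join(struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(f)) + f for f in frags)

SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)     # fixed "today" for the demo
SAMPLE_STREAM = build_sample_stream([
    build_sample_cert(0x1A2B3C4D5E6F, "*.example.test", "Example Issuing CA", datetime(2024, 6, 20, tzinfo=timezone.utc)),
    build_sample_cert(0x0102, "Example Issuing CA", "Example Root CA", datetime(2030, 1, 1, tzinfo=timezone.utc))])

if __name__ == "__main__":
    for s in (summarize_cert(c, SAMPLE_NOW) for c in extract_certificates(SAMPLE_STREAM)):
        print(f'{s["serial"]:>14}  {s["subject"]:<20}  expires {s["not_after"]:%Y-%m-%d}  ({s["days_left"]} days left)')
```

Run as a script, it lists each certificate in the sample chain with its serial number, subject CN, expiry date and days left; on a real export, replace SAMPLE_STREAM with the file contents. The handshake payloads are deliberately concatenated before parsing, because a real Certificate message (leaf plus intermediates, several kilobytes) almost always arrives split across multiple TLS records, and a per-record parser silently misses it. The serial number is what lets you group results from different servers to see where one certificate has been copied.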
How to find SSL Certificates using Wireshark
Wireshark is one of the most popular network protocol analyzers, and it is available for free from https://www.wireshark.org/.
There are many ways to capture network traffic for the relevant servers, depending on the environment. For some examples, see our blog post on capturing network traffic in VMware environments: https://vnt-software.com/network-visibility-in-virtual-environments-1/.
Wireshark has advanced display filtering capabilities for finding the information we want. In our case, we can use the filter: tls.handshake.certificate. If needed, we can also filter by source subnet to exclude certificates sent by servers outside our environment. This can be done using the filter:
tls.handshake.certificate && ip.src == [Subnet CIDR Notation]
Each of the packets returned by this filter should have SSL certificate information like the following: