How does one inspect a digital certificate?

New Here, Jun 29, 2009

Hi folks,

I've got the need to programmatically inspect a digital certificate for certain things (has it been revoked, has it expired, who is the issuer, etc.), but I don't know how to get a handle on the certificate in order to check these things.

I've been googling and trying various things for a couple of days now, but I'm not really getting anywhere. The best I've come up with is that I may need to use classes in java.security.cert, but I don't know how to use them. I've looked up the docs on them, but they're not helping too much. It kinda seems to me like java.security.cert classes are meant to create a digital certificate, and not to download one from a remote server so that I can inspect it.

Has anyone ever had to do this? How does one go about downloading a digital certificate in order to inspect it?

I kinda thought that if I did a cfhttp GET request, that I might get the certificate back to verify amongst the variables returned by cfhttp, but that didn't appear to be the case.

Please help! I'm really, really stuck and could use any help I can get.

I'm running ColdFusion 8 Standard Edition if that makes any difference.

Thanks,
Chris

Guest, Jun 30, 2009

You need a bit of java.  Try

<cfscript>
        port = 443;
        hostname = "yoursecuresiteurl";   // bare host name only: no scheme, path or query string
        // The JVM's default SSL socket factory validates the server's chain against the
        // JVM truststore (cacerts) during the handshake; an untrusted or expired chain makes
        // startHandshake() throw SSLHandshakeException before you ever see the certificates
        factory = createObject('java', 'javax.net.ssl.HttpsURLConnection').getDefaultSSLSocketFactory();
        // Open the TCP connection (no TLS yet)
        socket = factory.createSocket(hostname, port);
        // Run the TLS handshake
        socket.startHandshake();
        // Retrieve the server's certificate chain: an array of java.security.cert.X509Certificate,
        // with the server's own (leaf) certificate first, followed by the issuing CAs
        serverCerts = socket.getSession().getPeerCertificates();
        // Close the socket; the certificate objects stay usable afterwards
        socket.close();
</cfscript>

<cfdump var="#serverCerts#"> to see what methods are available; for instance, <cfdump var="#serverCerts[1].getNotAfter()#"> will return the expiry date of the first certificate returned. At that point it's all about creating Java objects and working with them; some of those methods return other objects that have methods of their own, but from this you should be able to gather all the info you want about the SSL certs on any server.

Hope that helps.

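Joe's snippet gets the chain out of the handshake; the checks Chris listed (has it expired, who issued it, has it been revoked) still have to be run on that chain. The following is an added example and not code from this thread: it is written in Go rather than ColdFusion because Go's standard library can mint a throwaway root CA, a leaf certificate and a CRL in memory, so the whole thing runs offline. The CA name, the host pks.example.test and the serial numbers are made up for the demonstration. inspect() takes the chain exactly as a server presents it, leaf first, which is the array getPeerCertificates() returns; in Java the same three checks are X509Certificate.checkValidity(), getIssuerX500Principal() and a CertPathValidator run with PKIXParameters.setRevocationEnabled(true).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Report answers the thread's questions for the leaf (server) certificate of a chain.
type Report struct {
	Subject, Issuer           string
	NotAfter                  time.Time
	Expired, Trusted, Revoked bool   // validity window; path to a root + host name; on the issuer's CRL
	Problem                   string // why Trusted is false
}

// issue signs tmpl with parentKey, or self-signs when parent is nil. Constructed test PKI: every name, host and serial is made up.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// newPKI returns a root CA and a 30-day leaf for pks.example.test that it issued.
func newPKI(now time.Time) (ca *x509.Certificate, caKey *ecdsa.PrivateKey, leaf *x509.Certificate) {
	ca, caKey = issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	leaf, _ = issue(&x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "pks.example.test"},
		DNSNames: []string{"pks.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(30 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return ca, caKey, leaf
}

// buildCRL has the CA list the given serials. Against a real site, fetch leaf.CRLDistributionPoints or ask OCSP instead.
func buildCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, now time.Time, serials ...*big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		panic(err)
	}
	crl, _ := x509.ParseRevocationList(der)
	return crl
}

// inspect checks a chain in the order the peer presented it (chain[0] is the leaf), i.e. what getPeerCertificates() returns.
func inspect(chain []*x509.Certificate, roots *x509.CertPool, host string, crl *x509.RevocationList, now time.Time) Report {
	leaf := chain[0]
	r := Report{Subject: leaf.Subject.String(), Issuer: leaf.Issuer.String(), NotAfter: leaf.NotAfter}
	r.Expired = now.Before(leaf.NotBefore) || now.After(leaf.NotAfter)
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter, CurrentTime: now})
	if err != nil {
		r.Problem = err.Error() // expired, wrong host, unknown CA, bad signature, ...
		return r
	}
	r.Trusted = true
	// Only believe a CRL that the verified issuer signed and that has not lapsed.
	if crl != nil && len(chains[0]) > 1 && crl.CheckSignatureFrom(chains[0][1]) == nil && now.Before(crl.NextUpdate) {
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				r.Revoked = true
			}
		}
	}
	return r
}

func main() {
	now := time.Now()
	ca, caKey, leaf := newPKI(now)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	chain := []*x509.Certificate{leaf, ca} // leaf first, as a server presents it
	fmt.Printf("%+v\n", inspect(chain, roots, "pks.example.test", buildCRL(ca, caKey, now, leaf.SerialNumber), now))
}
```

Two caveats the thread glosses over. getDefaultSSLSocketFactory() validates the server's chain against the JVM truststore during startHandshake(), so for a certificate the JVM does not trust the handshake throws before you see the chain; to inspect such a certificate you need a socket factory built with a permissive TrustManager for the fetch only, followed by explicit validation of what comes back, as inspect() does above. And revocation is not something the certificate itself can tell you: the example checks a locally built CRL, whereas against a real site you fetch the CRL named in the leaf's CRLDistributionPoints (or query its OCSP responder) and have to decide explicitly whether an unreachable CRL or responder counts as a failure.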
New Here, Jun 30, 2009

Joe,

Thanks SO MUCH for your response. I'm having a slight difficulty with it, in that the url I'm supplying seems to cause an error:

java.net.UnknownHostException

So, now I'm unsure of what I'm doing wrong there. I've tried three different addresses, and none of them are working. I even tried putting in the address to my bank (https://www.bankofamerica.com/) but that returns the same error.

All I did was copy your code and paste it into an empty .cfm file and then replaced the appropriate parts. Here's my code:

<cfscript>
    port = 443;
    hostname = "https://pks.experian.com";
    factory = createObject('java', 'javax.net.ssl.HttpsURLConnection').getDefaultSSLSocketFactory();
    socket = factory.createSocket(hostname, port);
    // Connect to the server
    socket.startHandshake();
    // Retrieve the server's certificate chain
    serverCerts = socket.getSession().getPeerCertificates();
    // Close the socket
    socket.close();
</cfscript>

<cfdump var="#serverCerts#">

Though I *think* that this is the url that I'll want to use in the actual code. I just wasn't sure if having a query string on the end of the address mattered or not.

http://stg1.experian.com/lookupServlet1?lookupServiceName=AccessPoint&lookupServiceVersion=1.0&serviceName=NetConnectDemo&serviceVersion=2.0&responseType=text/plain

Though I tried the above url both with and without the query string (http://stg1.experian.com) with the exact same UnknownHostException result.

Any more ideas?

Thanks again,

Chris

Guest, Jun 30, 2009 (marked as the correct answer)

You need to remove the 'https://' from your hostname and use the root site address, so:

hostname = "pks.experian.com";

From there you should have dumpable information about the ssl cert.

Experimentation is the key!

New Here, Jun 30, 2009

You Rock, Joe! That's just what I needed!

Thank you! Thank you! THANK YOU!!!
