SSL Certificate Scanner Guide: Find Expired, Misconfigured, and Weak Certs
Keeping TLS/SSL certificates healthy is essential for secure web connections, avoiding browser warnings, and maintaining customer trust. This guide explains how SSL certificate scanners work, what they look for, and how to find and fix expired, misconfigured, and weak certificates across your infrastructure.
What an SSL certificate scanner does
- Discovery: Enumerates hosts, domains, subdomains, and services (HTTPS, SMTP, IMAPS, etc.).
- Collection: Retrieves server certificates and certificate chains.
- Validation: Checks expiration dates, chain validity, and hostname matching.
- Configuration analysis: Examines TLS versions, cipher suites, OCSP/CRL settings, and HSTS configuration.
- Vulnerability checks: Detects weak keys, short RSA key lengths, weak ciphers (e.g., RC4), and known TLS vulnerabilities (e.g., Heartbleed-era issues).
- Reporting: Produces inventories, alerts for expiring certificates, and remediation steps.
Key checks to run
- Expiration and validity
  - Identify certificates nearing expiry (common thresholds: 30, 14, 7 days).
  - Flag already expired certificates.
- Chain and trust
  - Ensure the full chain is present and anchored to a trusted root.
  - Detect missing intermediate certificates or chains signed by untrusted CAs.
- Hostname matching
  - Verify that the certificate's SANs include the hostname and subdomains in use.
- Key strength
  - Check key algorithms and sizes (recommendation: RSA ≥ 2048 bits, or use ECDSA with secure curves like P-256/P-384).
- Cipher suite and protocol support
  - Disable TLS 1.0/1.1; prefer TLS 1.2+ and TLS 1.3.
  - Flag weak ciphers and insecure modes (e.g., NULL, EXPORT, RC4).
- Certificate transparency and CA checks
  - Look up SCTs (Signed Certificate Timestamps) on public logs for public-facing certificates.
  - Detect certificates issued by suspicious or deprecated CAs.
- OCSP/CRL revocation
  - Verify OCSP stapling and CRL accessibility; flag soft-fail configurations.
- Configuration best practices
  - Check HSTS presence and a proper max-age.
  - Ensure secure session resumption settings and secure renegotiation.
- TLS-related vulnerabilities
  - Test for known issues like BEAST and POODLE (legacy), and for Heartbleed-era OpenSSL problems where applicable.
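The expiry, hostname-matching and protocol checks above, implemented as a small stdlib-only checker. This is an added example, not code from the article or from any of the scanners it names; `classify()` works on the dict that Python's `getpeercert()` returns, so it can be exercised offline with a constructed certificate record, while `scan_host()` fetches a live endpoint.

```python
import socket
import ssl
import time

# Alerting thresholds in days, as recommended in the article (30/14/7).
EXPIRY_THRESHOLDS = (30, 14, 7)


def san_matches(hostname, san_names):
    """True if hostname matches a DNS SAN exactly or via a single leading wildcard label."""
    host = hostname.lower()
    for name in (n.lower() for n in san_names):
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True
    return False


def classify(cert, hostname, tls_version, now=None):
    """Map a getpeercert()-style dict and the negotiated protocol onto the article's priority levels.

    Returns a list of (priority, message) tuples; an empty list means no finding.
    """
    now = time.time() if now is None else now
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    findings = []
    if days_left < 0:
        findings.append(("Immediate", f"expired {-days_left:.0f} days ago"))
    else:
        crossed = [t for t in EXPIRY_THRESHOLDS if days_left <= t]
        if crossed:
            findings.append(("High", f"expires in {days_left:.0f} days (<= {min(crossed)})"))
    if not san_matches(hostname, sans):
        findings.append(("Immediate", "hostname not covered by SAN list"))
    if tls_version in ("TLSv1", "TLSv1.1"):
        findings.append(("Medium", f"legacy protocol negotiated: {tls_version}"))
    return findings


def scan_host(hostname, port=443, timeout=5.0):
    """Connect to a live endpoint (network required) and classify its leaf certificate.

    Chain validation stays on, so an untrusted or incomplete chain raises SSLCertVerificationError;
    hostname checking is disabled here only so that SAN mismatches are reported by classify().
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return classify(tls.getpeercert(), hostname, tls.version())
```

Note that the default context refuses TLS 1.0/1.1, so a server that only offers those surfaces as a handshake error rather than a "Medium" finding; `tls.cipher()` can be added to the result if you also want the negotiated cipher and key bits.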
How to scan: practical steps
- Inventory assets
  - Compile domains, subdomains, IP ranges, mail servers, load balancers, and API endpoints.
  - Include internal resources accessible only over VPN.
- Choose a scanner
  - Options: open-source (e.g., testssl.sh, OpenSSL + scripts, sslscan), security tools (e.g., Qualys SSL Labs for external checks), or commercial enterprise scanners with scheduling and alerts.
  - For large environments, choose a scanner that supports automation, APIs, and integration with ticketing systems.
- Set scan scope and cadence
  - External public-facing: daily to weekly.
  - Internal or slower-changing: weekly to monthly.
  - Critical services: daily.
- Run scans safely
  - Stagger scans to avoid overloading servers.
  - Use authenticated scans for internal systems if supported.
- Analyze results
  - Prioritize by expiry date, critical services, and severity of misconfiguration.
  - Combine scanner findings with asset ownership to route remediations.
- Remediate
  - Renew certificates before expiry; automate renewal (ACME/Let’s Encrypt or enterprise CA automation).
  - Deploy missing intermediates.
  - Reconfigure TLS settings to remove weak ciphers and enable secure protocols.
  - Replace weak keys or reissue certificates with stronger algorithms.
- Automate and monitor
  - Integrate scanning into CI/CD pipelines and monitoring systems.
  - Use alerting for certificates approaching expiry and for high-severity configuration issues.
Sample scanning tools and when to use them
| Tool | Best for | Notes |
|---|---|---|
| testssl.sh | Quick, scriptable checks from a Linux host | Good for ad-hoc and CI use |
| sslscan | Fast cipher and protocol enumeration | Lightweight, CLI-friendly |
| OpenSSL s_client | Manual inspection and troubleshooting | Low-level, flexible |
| Qualys SSL Labs | External public-facing site grading | Comprehensive report, public-facing only |
| Let’s Encrypt/ACME clients | Automated issuance/renewal | Use with automation for public certs |
| Commercial scanners (e.g., Venafi, DigiCert, Tenable) | Enterprise inventory, automation, compliance | Useful for large environments and reporting |
Prioritization matrix for fixes
- Immediate (0–7 days): Already expired certs, services failing validation, broken chains on public endpoints.
- High (7–30 days): Certificates expiring soon, weak RSA keys (<2048), OCSP/CRL failures for critical services.
- Medium (1–3 months): TLS 1.0/1.1 enabled, weak ciphers allowed.
- Low (3+ months): HSTS/additional hardening, transparency log checks.
Example remediation commands
- Check a remote certificate quickly:

```sh
openssl s_client -connect example.com:443 -servername example.com -showcerts
```

- Test TLS versions and ciphers:

```sh
testssl.sh --fast example.com
```
Checklist to include in runbooks
- Inventory updated with owner and renewal process
- Automated renewal configured where possible
- Alerts for expiring certificates (30/14/7 days)
- Staging and production validation before deployment
- Periodic full scans and ad-hoc scans after configuration changes
Final recommendations
- Automate renewals using ACME or enterprise tooling.
- Run both external and internal scans on a regular schedule.
- Integrate scanner outputs with ticketing and monitoring for timely remediation.
- Keep TLS libraries and server software updated.