How To Locate SSL Certificate On Server?

It can be difficult to keep track of SSL certificates on your network. As more software uses encryption, you’ll have an increasing number of certificates to keep track of. These certificates can come in a variety of shapes and sizes, making it difficult to locate them. They can be encoded in Base64 or DER, stored in various key stores like JKS or the Windows certificate store, or stored as encrypted files on your file system. The network is the one place where all certificates look the same, regardless of the format in which they are stored.

The certificates themselves are not encrypted when traffic between servers is encrypted using TLS or SSL, contrary to popular belief. It’s not shocking when you think about it. Before establishing a secure connection between a client and a server, the client must verify that the server is trustworthy by reading the certificate information. As part of the SSL Handshake protocol, the server sends the client the complete certificate information over the network.

The SSL protocol dictates the format of this data, ensuring that the data sent is identical regardless of how and where the certificate is actually stored on the server. We can use this to answer some simple SSL certificate questions:

The presence of a certificate file on a server does not necessarily imply that the certificate is being used. It is definitely in use if it is sent over the network to a client.

Where SSL certificates are used – SSL certificates, particularly those with wildcard common names, can be duplicated and used on several servers. We can trace all the servers that use a specific certificate by using the serial number of the certificate.

When your certificate is about to expire – When it comes to SSL certificates, one of the most crucial things to keep track of is when they expire. A broken application caused by an expired certificate might cause severe downtime until the certificate is identified and restored. Knowing when a certificate will expire in advance will help us avoid this.

Depending on the context, we can use a variety of approaches to obtain network traffic for the required servers. Our blog post on getting network traffic in VMware environments can be found here: https://vnt-software.com/network-visibility-in-virtual-environments-1/ for several examples.

Wireshark provides advanced traffic filtering capabilities that help us find what we’re looking for. We can use the filter tools.handshake.certificate in our situation. We can even filter out servers based on subnets if necessary to avoid receiving certificates from servers that aren’t in our environment. This can be accomplished by using the following filter:

The SSL certificate information should be included in each of the packets returned by this filter:

We may find information about the certificate’s validity, subject, algorithm, and other features in the certificate details. In the Source field of the Internet Protocol header and the Source Port of the Transmission Control Protocol header, we can tell which server it is on and what port it is listening on. This data will assist us in locating the certificate file on the server.

Once we know the certificate’s server and port, we may try to figure out where the certificate is stored.

Connect to the server through RDP for Windows or SSH for Linux, and use the netstat command to see which processes are listening on the port we discovered before (change Port Number> with the port we discovered earlier):

The process id of the process listening on that port will be displayed in the rightmost column on both operating systems.

Once you’ve identified the process, you may use task manager on Windows or the ps -ef command on Linux to identify it, and then combine that information with the documentation for whatever service is running to find the configuration file that points to the SSL certificate file.

It can be difficult to locate SSL Certificates to manage or upgrade them. We’ve demonstrated an alternative method for locating and tracking the use of these certificates. We can use the solution to locate the certificates in use on numerous servers at once because it is based on network traffic. We don’t have to execute or install anything on those servers. We can get the details on the certificates if we can get the network traffic for those servers. Furthermore, this method will work for locating SSL certificates on non-standard ports, not simply port 443 (which is typically used for HTTPS communication).