SecureTransport - SSL Certificate Checker


SecureTransport has its own built in certificate authority which is used to generate certificates for the HTTPD, SSHD, ADMIND and other services. 

Information on when certificates are valid from and when they are due to expire can be reviewed from the administrative interface of the SecureTransport Server (Setup > Certificates).

While you can manually review the validity dates, it is possible to automate this using PowerShell. The script uses OpenSSL (bundled with SecureTransport) to check certificates.

  • The variables $OpenSSLLocation, $CertificateStoreLocation and $OpenSSLConfFile need to be modified to reflect the path to your SecureTransport installation.
  • The variables $mailTo, $mailFrom and $SMTPServer need to be modified to reflect your environment.

The $threshold variable specifies the number of days prior to expiration that will trigger an email notification to be sent; the script sets this to 60 days.

Note that the script requires PowerShell 2.0 to be deployed on the server. The source code is also available on GitHub: https://github.com/vijayjt/SecureTransportScripts
<#
    .SYNOPSIS
        Check expiry dates of SecureTransport Certificates
    .DESCRIPTION
        Produces an HTML based report of all SecureTransport certificates and when they are due to expire.
        This version of the script currently checks the admind, httpd, sshd, ca and tm certificates.
        It does not check any intermediate CA certificates from third parties.

    .PARAMETER  ReportPath
        Specify the full path to where the report should be saved E.g. C:\certificate_reports\
    .EXAMPLE
        check-cert-expiry.ps1 -ReportPath C:\output\
    .NOTES
        File Name  : check-cert-expiry.ps1
        Author     : Vijay Thakorlal
        Requires   : PowerShell V2
        To Do      :

        IMPORTANT NOTES
        1. CHANGE THE $threshold VARIABLE'S VALUE TO 60 (IT HAS BEEN SET ARTIFICIALLY HIGH FOR TESTING) THIS WILL PROVIDE ADEQUATE TIME TO PLAN FOR RENEWING CERTIFICATES
#>

param(
    [ValidateScript({
        $vr = Test-Path $_
        if(!$vr){Write-Host "The provided path $_ is invalid!"}
        $vr
    })][String]$ReportPath
    )

# Enable debugging output
$DebugPreference = "continue"

Write-Output "Starting certificate validity checker script run at: $(Get-Date)"

# HTML Report File Location
# An unbound parameter is $null, so test for null/empty rather than .Length -eq 0
if( [string]::IsNullOrEmpty($ReportPath) )
{
    $ReportPath = "C:\"
}
$ReportFile = Join-Path $ReportPath "certificate_report.html"

Write-Output "Report will be written to $ReportFile"

## Get the hostname
$servername = $env:COMPUTERNAME

# Set location of the openssl command / binary and certificate store
# based on the server name

$OpenSSLLocation = "c:\Program Files\Tumbleweed\SecureTransport\STServer\bin\"
$CertificateStoreLocation = "C:\Program Files\Tumbleweed\SecureTransport\STServer\lib\certs\"
$OpenSSLConfFile = "C:\Program Files\Tumbleweed\SecureTransport\STServer\etc\ssl\openssl.cnf"

# Set the OPENSSL_CONF environment variable to point to the
# OpenSSL Configuration file
$env:OPENSSL_CONF = $OpenSSLConfFile

## If the certificate is due to expire in $threshold days or less then report this
$threshold = 60

## Certificate file names
$cert_names = @()
Get-ChildItem $CertificateStoreLocation -Filter "*-crt.pem" | % { $cert_names += ($_.FullName).ToString() }
Get-ChildItem ($CertificateStoreLocation + "db") -Filter "*-crt.pem" | % { $cert_names += ($_.FullName).ToString() }

$PrevWD = Get-Location

## BEGIN FUNCTION Get-CertInfo
function Get-CertInfo ($cert_to_check, $expiry_threshold)
{
    # WARNING:
    # DO NOT use anything but WRITE-DEBUG within this function otherwise the output will be passed into the pipeline
    # and into the object which will then be used to produce the HTML report

    Set-Location $OpenSSLLocation
    $CurrentDir = Get-Location

    #Write-Debug "Current Location is: $CurrentDir"

    Write-Debug "Checking certificate $cert_to_check"

    # We use array variables to store the parameters to ensure PowerShell
    # correctly runs the external command line tool properly
    $OpenSSL = "openssl.exe"
    $params_date = @("x509","-dates","-in",$($cert_to_check),"-noout")
    $params_subject = @("x509","-in",$($cert_to_check),"-subject","-noout")

    [string]$cert_dates = & $OpenSSL $params_date

    # OpenSSL prints e.g. "notAfter=Jan  5 12:00:00 2020 GMT"; the day is padded with a
    # second space when it is a single digit, so allow one or more spaces and one or two digits
    $cert_dates -match "notAfter=(?<month>[A-Za-z]{3})\s+(?<day>\d{1,2}) (?<time>\d{2}\:\d{2}\:\d{2}) (?<year>\d{4})" | Out-Null
    # Parse with the invariant culture so the English month abbreviation is understood whatever the server locale
    $cert_expiry_date = [datetime]::ParseExact(("{0} {1} {2}" -f $matches.day, $matches.month, $matches.year), "d MMM yyyy", [System.Globalization.CultureInfo]::InvariantCulture)

    $todays_date = Get-Date
    $days_to_expiry = ($cert_expiry_date - $todays_date).Days

    [string]$cert_subject = & $OpenSSL $params_subject

    #Find the common name of the certificate from within the output from the command using a RegEx
    $cert_subject -match "/CN=(?<commonname>.*)" | Out-Null
    $cert_cname = $matches.commonname

    # Classify by file name only, so that directory names in the full path cannot match by accident
    $cert_file = Split-Path -Leaf $cert_to_check
    $cert_type = ""
    if( $cert_file -like "*http*" ) { $cert_type = "HTTP" }
    elseif ( $cert_file -like "*admin*" ) { $cert_type = "Admin Interface" }
    elseif ( $cert_file -like "*ssh*" ) { $cert_type = "SSH" }
    elseif ( $cert_file -like "*tm*" ) { $cert_type = "Transaction Manager" }
    elseif ( $cert_file -like "*ca*" ) { $cert_type = "CA Certificate" }

    Write-Debug "The $cert_type certificate with the Common Name: $cert_cname is due to expire in $days_to_expiry days"

    if ($days_to_expiry -le $expiry_threshold )
    {
        # If the certificate is expiring highlight it by making the font colour red
        # We're using custom tags as a means to replace this with < and > tags otherwise
        # the ConvertTo-Html cmdlet will attempt to translate / parse this
        $hl_cert_type = "xopenFont color=Redxclose{0}xopen/Fontxclose" -f $cert_type
        $hl_cert_cname = "xopenFont color=Redxclose{0}xopen/Fontxclose" -f $cert_cname
        $hl_cert_to_check = "xopenFont color=Redxclose{0}xopen/Fontxclose" -f $cert_to_check
        $hl_cert_expiry_date = "xopenFont color=Redxclose{0}xopen/Fontxclose" -f $cert_expiry_date
        $hl_days_to_expiry = "xopenFont color=Redxclose{0}xopen/Fontxclose" -f $days_to_expiry

        $props = @{'Certificate Type'=$hl_cert_type
        'Common Name'=$hl_cert_cname
        'File Name'=$hl_cert_to_check
        'Expiry Date'=$hl_cert_expiry_date
        'Days to Expiry'=$hl_days_to_expiry}
    }
    else
    {
        $props = @{'Certificate Type'=$cert_type
        'Common Name'=$cert_cname
        'File Name'=$cert_to_check
        'Expiry Date'=$cert_expiry_date
        'Days to Expiry'=$days_to_expiry}
    }

    $obj = New-Object -TypeName PSObject -Property $props
    Write-Output $obj

} ## END FUNCTION Get-CertInfo

$expiring = $false
$fraghash = @()

if( $cert_names -ne $null -and $cert_names.Length -ne 0 )
{
    foreach ($certificate_type in $cert_names)
    {
        $cert_object = Get-CertInfo $certificate_type $threshold

        # Extract number of days to expiry from within custom tags
        # (cast to string first: for a non-expiring certificate the property is an [int], which has no Replace method)
        $expiry_val = ([string]$cert_object."Days to Expiry").Replace("xopenFont color=Redxclose", "")
        $expiry_val = [int]$expiry_val.Replace("xopen/Fontxclose", "")

        if ($expiry_val -le $threshold ) { $expiring = $true }

        $fraghash += $cert_object
    }
}
else
{
    Write-Output "Error: No certificate files found exiting script..."
    exit
}

$head = @'
<title>Certificate Validity Report</title>
<style>
body { background-color:#dddddd;
       font-family:Tahoma;
       font-size:12pt; }
td, th { border:1px solid black;
         border-collapse:collapse; }
th { color:white;
     background-color:black; }
table, tr, td, th { padding: 2px; margin: 0px }
table { margin-left:50px; }
</style>
'@

$rundate = Get-Date

$precontent = @"
<h1>Certificate Validity Report</h1>
<br />
<table>
<tr><th>Computername</th><td>$($servername)</td></tr>
<tr><th style="text-align:left">Run Date</th><td>$($rundate)</td></tr>
</table>
<br />
"@

Write-Output "Generating HTML report"

$fraghash = $fraghash | ConvertTo-Html -As Table -Fragment

# Replace the tag place holders to highlight certs that are expiring in red
# This uses a hack suggested by Jeffrey Hicks
$fraghash = $fraghash -replace "xopen","<"
$fraghash = $fraghash -replace "xclose",">"

#insert a blank line
$fraghash += "<br>"

# Default email body when nothing is close to expiry, so $action_msg is always defined
$action_msg = "<p>No certificates are due to expire within $threshold days.</p>"

if( $expiring )
{
    $action_msg = "<p>Found certificates that are expiring in less than or equal to $threshold days. Please start the process of planning for the renewal of these certificates</p>
    <p>Self-signed certificates can be regenerated from within SecureTransport.</p>"
    $fraghash += $action_msg
}

ConvertTo-Html -Head $head -PostContent $fraghash -PreContent $precontent > $ReportFile

# Modify these variables to match your environment
$mailSubject = "SecureTransport Certificate Validity Report"
$mailTo = "support@acme.com"
$mailFrom = "securetransport@acme.com"
$SMTPServer = "192.168.0.1"

# -BodyAsHtml is a switch; the message text is passed with -Body
Send-MailMessage -SmtpServer $SMTPServer -From $mailFrom -To $mailTo -Subject $mailSubject -Body $action_msg -BodyAsHtml -Attachments $ReportFile

Write-Output ""
Write-Output "CERTIFICATE VALIDITY REPORT SENT TO: $mailTo # FROM: $mailFrom # SUBJECT: $mailSubject # MAILMSG: $action_msg"
Write-Output ""

Write-Output "Script finished and report produced"
Write-Output ""

Set-Location $PrevWD
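The fragile part of the script above is turning the text that `openssl x509 -dates -noout` prints into a date: OpenSSL pads a single-digit day with a second space, appends a time zone, and the month is an English abbreviation that the server's culture may not understand. The following PowerShell is an added example, not part of the original script or the GitHub project, that isolates that parsing into a function you can test offline. The sample lines are constructed to look like OpenSSL output; the function and parameter names are assumptions of this example.

```powershell
# Added example: culture-invariant parsing of "openssl x509 -dates -noout" output.
# Handles both "Jan  5" (two spaces, single-digit day) and "Mar 14" (one space).
function ConvertFrom-OpenSslDate {
    param([string]$Line)   # e.g. "notAfter=Jan  5 12:00:00 2020 GMT"
    $pattern = '^not(Before|After)=(?<month>[A-Za-z]{3})\s+(?<day>\d{1,2}) (?<time>\d{2}:\d{2}:\d{2}) (?<year>\d{4})(?: (?<tz>[A-Z]+))?$'
    if ($Line -notmatch $pattern) {
        throw "Unrecognised OpenSSL date line: $Line"
    }
    $text = '{0} {1} {2} {3}' -f $matches.day, $matches.month, $matches.year, $matches.time
    $inv  = [System.Globalization.CultureInfo]::InvariantCulture
    # OpenSSL prints GMT, so read the value as UTC and keep it in UTC
    $styles = [System.Globalization.DateTimeStyles]::AssumeUniversal -bor `
              [System.Globalization.DateTimeStyles]::AdjustToUniversal
    [datetime]::ParseExact($text, 'd MMM yyyy HH:mm:ss', $inv, $styles)
}

# Summarise validity for one certificate from the two lines OpenSSL prints.
# $Now is a parameter so the result is reproducible; it defaults to the current UTC time.
function Get-CertificateValidity {
    param(
        [string[]]$OpenSslOutput,
        [int]$Threshold = 60,
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    $notBefore = ConvertFrom-OpenSslDate ($OpenSslOutput | Where-Object { $_ -like 'notBefore=*' })
    $notAfter  = ConvertFrom-OpenSslDate ($OpenSslOutput | Where-Object { $_ -like 'notAfter=*' })
    $days = [int][math]::Floor(($notAfter - $Now).TotalDays)
    New-Object PSObject -Property @{
        NotBefore    = $notBefore
        NotAfter     = $notAfter
        DaysToExpiry = $days                  # negative once the certificate has expired
        NotYetValid  = ($Now -lt $notBefore)
        Expired      = ($Now -gt $notAfter)
        Expiring     = ($days -le $Threshold) # what the report should highlight in red
    }
}

# Constructed sample output (not captured from a real server), shaped like OpenSSL's.
# Fixed reference time so the numbers below are stable: 2019-11-20 00:00:00 UTC.
$now = New-Object -TypeName DateTime -ArgumentList 2019,11,20,0,0,0,([DateTimeKind]::Utc)

$soonToExpire = @('notBefore=Mar 14 09:30:00 2019 GMT', 'notAfter=Jan  5 12:00:00 2020 GMT')
$alreadyExpired = @('notBefore=Jan  1 00:00:00 2018 GMT', 'notAfter=Oct 31 23:59:59 2019 GMT')

# First result: DaysToExpiry 46, Expiring True, Expired False
Get-CertificateValidity -OpenSslOutput $soonToExpire   -Threshold 60 -Now $now | Format-List
# Second result: DaysToExpiry -20, Expiring True, Expired True
Get-CertificateValidity -OpenSslOutput $alreadyExpired -Threshold 60 -Now $now | Format-List
```

In the script this function would replace the `-match` / `[system.datetime]` pair inside Get-CertInfo, with `$cert_dates` split into lines (`& $OpenSSL $params_date` already returns one string per output line when it is not cast to `[string]`). Throwing on an unparsable line is deliberate: a silent regex miss leaves `$matches` holding the previous certificate's values, which would report the wrong expiry date without any error.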

Comments

  1. Hi Vijay,

    Your blogs are awesome. I have one project where I need to upload some files to a state server where they use Tumbleweed for secure transport. Currently they provide a GUI for us to upload files and we don't want to use that GUI. Instead we want to write a script that will upload the files from our servers to their FTP.
    Can you provide any input on how to go about it, and which client I can use to upload the files using a command line utility, so that I can make a script like .ps1 or .vbs and then schedule it?

    Thanks and Regards,
    Nikhil

    1. I would suggest using the WinSCP .NET C# library to write an application that can SFTP data to Axway. If you prefer to use only PowerShell, I think you could load the assembly through PowerShell too, write the entire thing in PowerShell, and then add it as a scheduled task on a Windows Server.
