Is there a way to get access to the raw certificate?


#1

I would like to be able to view and export the actual certificate used with SSL connections to do further analysis. For example, to see what the signing algorithm is (SHA1, SHA256), view the public key and type of key (RSA, ECC), see who the issuer is and be able to follow and validate the chain…

So is there any way to access the actual certificate presented by the server?


#2

The Trigger API gives access to most of these elements. For example, the SSL.signatureAlgorithm object provides the signing algorithm, etc. These provide the most commonly needed elements.

You could also create a precision packet capture trigger which would contain the entire handshake, including certificate exchange. That would give you access to anything on the wire during the exchange.
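
The packet-capture route suggested in the reply above, sketched as an added example (not part of the thread and not ExtraHop code): given one direction's reassembled TCP payload from such a capture, it pulls the DER certificates out of the TLS Certificate message and converts them to PEM. It assumes TLS 1.2 or earlier, where the server certificate crosses the wire unencrypted; the function names and sample bytes are constructed for illustration.

```python
import ssl

HANDSHAKE, CHANGE_CIPHER_SPEC, CERTIFICATE = 22, 20, 11  # two record types, one message type
to_pem = ssl.DER_cert_to_PEM_cert  # stdlib helper: DER bytes -> PEM text for export

def u24(buf, off):
    return int.from_bytes(buf[off:off + 3], "big")

def handshake_bytes(stream):
    """Join handshake record payloads from one direction of a reassembled TCP stream."""
    out, off = bytearray(), 0
    while off + 5 <= len(stream):
        ctype, length = stream[off], int.from_bytes(stream[off + 3:off + 5], "big")
        if ctype == CHANGE_CIPHER_SPEC or off + 5 + length > len(stream):
            break  # later records are encrypted, or the capture is truncated
        if ctype == HANDSHAKE:
            out += stream[off + 5:off + 5 + length]
        off += 5 + length
    return bytes(out)

def extract_certificates(stream):
    """Return the DER certificates (leaf first) from the first Certificate message."""
    hs, off = handshake_bytes(stream), 0
    while off + 4 <= len(hs):
        mtype, mlen = hs[off], u24(hs, off + 1)
        if mtype == CERTIFICATE:
            body = hs[off + 4:off + 4 + mlen]
            certs, pos, end = [], 3, min(3 + u24(body, 0), len(body))
            while pos + 3 <= end:
                clen = u24(body, pos)
                if pos + 3 + clen > end:
                    raise ValueError("certificate entry overruns the message")
                certs.append(body[pos + 3:pos + 3 + clen])
                pos += 3 + clen
            return certs
        off += 4 + mlen
    return []

# Constructed sample: placeholder DER blobs (not real certificates) in a hand-built server flight.
LEAF, ISSUER = b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"
def framed(prefix, nlen, body):
    return prefix + len(body).to_bytes(nlen, "big") + body

def sample_stream():
    chain = b"".join(framed(b"", 3, c) for c in (LEAF, ISSUER))
    hs = framed(b"\x02", 3, b"\x00" * 8) + framed(b"\x0b", 3, framed(b"", 3, chain))
    # Certificate split across two records, then ChangeCipherSpec, then an encrypted record.
    return (framed(b"\x16\x03\x03", 2, hs[:15]) + framed(b"\x16\x03\x03", 2, hs[15:])
            + framed(b"\x14\x03\x03", 2, b"\x01") + framed(b"\x16\x03\x03", 2, b"\x0b" * 21))
```

Each PEM written out this way can be read with `openssl x509 -text -noout` to see the signature algorithm, key type and issuer.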


#3

Log in to your ECM, go to Settings -> Administration. Then look under Network Settings -> SSL Certificate.

This should provide you with the raw certificate info you are looking for.

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
        Signature Algorithm: XXXXXXWithRSAEncryption
        Issuer: C=US, O=ExtraHop, OU=extrahop.com, CN=extrahop
        Validity
            Not Before: Aug XX 17:28:13 20XX GMT
            Not After : Aug XX 17:28:13 20XX GMT
        Subject: C=US, O=ExtraHop, OU=extrahop.com, CN=extrahop
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: XXXXX (0x10001)
    Signature Algorithm: XXXXXXWithRSAEncryption
----------BEGIN CERTIFICATE
----------END CERTIFICATE


#4

bbailjha - thanks for the reply.
It looks like that is the certificate for the ExtraHop server. What I am looking for is the certificates used in SSL/TLS connections that ExtraHop is seeing.


#5

@dextra - We don’t, by default, capture the entire certificate for a myriad of reasons, performance not least of all. As @saltessio said above, you can gain access to most of the elements you’re likely to want with a trigger. That’s likely your best course of action if you’re looking to extract cert info.

-Colin