https://github.com/adulau/crl-monitor

CRL Monitor - X.509 Certificate Revocation List monitoring and X.509/Subject caching
https://github.com/adulau/crl-monitor

certificate crl-monitor fingerprint passive-ssl python scans

Last synced: 5 months ago
JSON representation

CRL Monitor - X.509 Certificate Revocation List monitoring and X.509/Subject caching

• Host: GitHub
• URL: https://github.com/adulau/crl-monitor
• Owner: adulau
• License: gpl-3.0
• Created: 2014-12-29T13:24:01.000Z (almost 11 years ago)
• Default Branch: master
• Last Pushed: 2021-04-16T21:47:13.000Z (over 4 years ago)
• Last Synced: 2025-05-08T01:42:35.130Z (5 months ago)
• Topics: certificate, crl-monitor, fingerprint, passive-ssl, python, scans
• Language: Python
• Homepage:
• Size: 65.4 KB
• Stars: 34
• Watchers: 9
• Forks: 14
• Open Issues: 1
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          
crl-monitor

===========

CRL Monitor - X.509 Certificate Revocation List monitoring

X.509 Subject Cache

================

There is a set of tool to maintain a cache of certificate fingerprints

along with the IP addresses seen with a specific fingerprint and subject.

In order to feed the cache, dumps of SSL scans need to be imported.

If you use the great dumps from [scans.io](https://scans.io/), you can do the following to import the certificate data:

~~~~

zcat ./scans-io/data/20141208_certs.gz | python dumpx509subject.py -p 6381 -s

~~~~

This command parses all the certificates and extract the subjects and  imports these into the Redis-compatible database running on TCP port 6381.

Then you need to import the mapping between scanned IP addresses and the fingerprint of the X.509 certificate seen:

~~~~

zcat ./scans-io/data/20141208_hosts.gz | python hoststoredis.py -p 6381 -s

~~~~

The above procedure can be repeated with additional scans or you can import multiple scans in parallel using GNU Parallel.

IP Subnet Lookup in X.509 Subject Cache

================================

ip-ssl-subject.py can query a network subnet and display the known certificate seen and display the X.509 subject if known.

~~~~

python ./server/ip-ssl-subject-api.py -s 199.16.156.0/28 -p 6381

~~~~

~~~~

199.16.156.6

 1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446, C=US/postalCode=94107, ST=California, L=San Francisco/street=795 Folsom St, Suite 600, O=Twitter, Inc., OU=Twitter Security, CN=twitter.com

 C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)06, CN=VeriSign Class 3 Extended Validation SSL CA

 add53f6680fe66e383cbac3e60922e3b4c412bed

 e3fc0ad84f2f5a83ed6f86f567f8b14b40dcbf12

199.16.156.7

 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3

 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA

 C=US, ST=CA, L=San Francisco, O=Twitter, Inc., OU=Twitter Security, CN=tdweb.twitter.com

 859b86acd1604078f7d0f4680fdff59965096745

 1858b819fffad8c948fac853882c5e8bbc5e7953

199.16.156.8

 d8015bf46dfb91c6e4b1b6ab9a72c168933dc2d9

 C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Secure Server CA - G2

 C=US, ST=California, L=San Francisco, O=Twitter, Inc., OU=Twitter Security, CN=api.twitter.com

 C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Secure Server CA - G3

199.16.156.9

 C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA

 serialNumber=X5-6oDhQgpWsUADnOU2IdZ38YWlIV8/8, C=US, ST=California, L=San Francisco, O=Twitter, Inc., CN=*.twitter.com

199.16.156.10

 add53f6680fe66e383cbac3e60922e3b4c412bed

 e3fc0ad84f2f5a83ed6f86f567f8b14b40dcbf12

199.16.156.11

 C=US, ST=California, L=San Francisco, O=Twitter, Inc., OU=Twitter Security, CN=t.co

 C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Secure Server CA - G3

199.16.156.12

 C=US, ST=California, L=San Francisco, O=Twitter, Inc., OU=Twitter Security, CN=support.twitter.com

 C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Secure Server CA - G3

~~~~

## Data store format

~~~~

{IPv4} -> set of {SHA1 FP}

{SHA1 FP} -> set of {Subject}

~~~~

~~~~

{s:SHA1 FP} -> set of {IPv4}

~~~~