Build Complete Certificate and Key Inventory with DPBuddy

June 21, 2020 | Posted in certificates,DataPower,dpbuddy

DPBuddy 3.5 supports in-depth inventory and analysis of your X.509 certificates and keys:

  • Inventory of all your certificates, keys and password aliases across all of your appliances and domains.
    In addition to DataPower, the inventory includes certificates from TLS endpoints.
  • Reports in Excel and text format
  • Certificate deduplication -- find all places where a given certificate is used
  • See audit records of all changes -- who changed what when
  • See how each of your crypto objects is used by other DataPower objects
  • See expiration for passwords/password aliases (in addition to certificates' expiration)
  • Ensure compliance and best practices: identify self-signed certificates, weak keys/algorithms, unapproved signers
  • Get alerted on certificate expiration, invalid signatures, revocation, policy violations


Here are examples of various reports generated by the "listCrypto" command.

Certificates with their audit records. You can see that the same cert (lines 2-5) is deployed multiple times under different file names.
The cert at line 5 was downloaded directly from the endpoint.

Domain          Object Name    File                     Subject CN           Alt Names                           Exp in Days Key Alg  Issuer                              Serial                                Changed On Changed By
dpbuddy-samples revoked_chain  cert:/revoked_chain.pem  revoked.badssl.com   revoked.badssl.com,www.revoked.bads         473 RSA-2048 DigiCert SHA2 Secure Server CA      4578095623763233818958520798617405692 6/20/20    aananiev
dpbuddy-samples myarch_chain   cert:/myarch_chain.pem   myarch.com           myarch.com,www.myarch.com                   493 RSA-2048 Go Daddy Secure Certificate Authori 11510493113533735686                  6/20/20    aananiev
dpbuddy-samples myarch         cert:/myarch.pem         myarch.com           myarch.com,www.myarch.com                   493 RSA-2048 Go Daddy Secure Certificate Authori 11510493113533735686                  6/20/20    aananiev
dpbuddy-samples myarch.com_443 cert:/myarch.com_443.pem myarch.com           myarch.com,www.myarch.com                   493 RSA-2048 Go Daddy Secure Certificate Authori 11510493113533735686                  6/20/20    aananiev
https://myarch.com:443                                  myarch.com           myarch.com,www.myarch.com                   493 RSA-2048 Go Daddy Secure Certificate Authori 11510493113533735686
dpbuddy-samples local-app      cert:/local-app.pem      local-app            local-app                                   326 RSA-2048 Local CA                            1589417790                            6/20/20    aananiev
dpbuddy-samples local_app      cert:/local_app.pem      local-app.com                                                    266 RSA-2048 local CA                            1584288750                            6/20/20    aananiev
dpbuddy-samples self_signed    cert:/self_signed.pem    localhost                                                       -523 RSA-2048 localhost                           9699314724490867386                   6/20/20    aananiev
dpbuddy-samples keypair-1      cert:/keypair-1.pem      test-key-1                                                      -278 RSA-2048 test-key-1                          1537189500                            6/20/20    aananiev

Results of the certificate compliance checks are reported in the "Problems" column:

Object Name    File                     Subject CN         Exp in Days Key Alg  Issuer                              Serial                                Changed On Changed By Problems
revoked_chain  cert:/revoked_chain.pem  revoked.badssl.com         473 RSA-2048 DigiCert SHA2 Secure Server CA      4578095623763233818958520798617405692 6/20/20    aananiev   Duration exceeds,Ocsp revoked
myarch_chain   cert:/myarch_chain.pem   myarch.com                 493 RSA-2048 Go Daddy Secure Certificate Authori 11510493113533735686                  6/20/20    aananiev   Duration exceeds,Blacklisted issuer
myarch         cert:/myarch.pem         myarch.com                 493 RSA-2048 Go Daddy Secure Certificate Authori 11510493113533735686                  6/20/20    aananiev   Duration exceeds,Blacklisted issuer
myarch.com_443 cert:/myarch.com_443.pem myarch.com                 493 RSA-2048 Go Daddy Secure Certificate Authori 11510493113533735686                  6/20/20    aananiev   Duration exceeds,Blacklisted issuer
local-app      cert:/local-app.pem      local-app                  326 RSA-2048 Local CA                            1589417790                            6/20/20    aananiev
local_app      cert:/local_app.pem      local-app.com              266 RSA-2048 local CA                            1584288750                            6/20/20    aananiev
self_signed    cert:/self_signed.pem    localhost                 -523 RSA-2048 localhost                           9699314724490867386                   6/20/20    aananiev   Expired,Self signed
keypair-1      cert:/keypair-1.pem      test-key-1                -278 RSA-2048 test-key-1                          1537189500                            6/20/20    aananiev   Expired,Self signed

Certificate checks are configured in "crypto.conf" as follows:

expiration: {
    days: 30
}
duration: {
    days: 365
}
selfSigned: {
    allow: false
}
sigVerification: {
    failIfNoIssuer: false
}
ocsp: {
    enabled: true
}
pubKey: {
    minSize: {RSA: 2048, EC: 256}
    allowedAlgs: [RSA, EC]
}
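As an added example (not DPBuddy's own code), here is how the crypto.conf sections above map onto the "Problems" column, evaluated over already-parsed certificate attributes; the "blacklistedIssuers" key, the "Expires soon"/"Weak key" wordings, the CN-equality test for self-signed certs and the sample issuer names are assumptions not shown on the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Mirrors the crypto.conf snippet above; "blacklistedIssuers" is an assumed extra key
# (the report shows a "Blacklisted issuer" finding but the snippet omits its setting).
POLICY = {
    "expiration": {"days": 30},
    "duration": {"days": 365},
    "selfSigned": {"allow": False},
    "ocsp": {"enabled": True},
    "pubKey": {"minSize": {"RSA": 2048, "EC": 256}, "allowedAlgs": ["RSA", "EC"]},
    "blacklistedIssuers": ["Sample Blacklisted CA"],  # constructed entry
}
REPORT_DATE = date(2020, 6, 20)  # the "Changed On" date in the reports above

@dataclass
class CertInfo:  # fields an X.509 parser would supply; instances here are constructed
    subject_cn: str
    issuer_cn: str
    not_before: date
    not_after: date
    key_alg: str               # "RSA" or "EC"
    key_bits: int
    ocsp_status: str = "good"  # "good", "revoked" or "unknown"

def make_cert(subject, issuer, days_left, validity_days, alg="RSA", bits=2048, ocsp="good"):
    """Build a CertInfo from the report's 'Exp in Days' figure and total validity period."""
    not_after = REPORT_DATE + timedelta(days=days_left)
    return CertInfo(subject, issuer, not_after - timedelta(days=validity_days), not_after, alg, bits, ocsp)

def check_cert(c, policy=POLICY, today=REPORT_DATE):
    """Apply each policy section; returns the findings that fill the "Problems" column."""
    problems = []
    days_left = (c.not_after - today).days
    if days_left < 0:
        problems.append("Expired")
    elif days_left <= policy["expiration"]["days"]:
        problems.append("Expires soon")  # wording assumed; the page shows no such row
    if (c.not_after - c.not_before).days > policy["duration"]["days"]:
        problems.append("Duration exceeds")  # validity longer than the configured maximum
    if c.subject_cn == c.issuer_cn and not policy["selfSigned"]["allow"]:
        problems.append("Self signed")  # simplification: a real check verifies the signature
    if policy["ocsp"]["enabled"] and c.ocsp_status == "revoked":
        problems.append("Ocsp revoked")
    if c.key_alg not in policy["pubKey"]["allowedAlgs"]:
        problems.append("Disallowed key algorithm")  # wording assumed
    elif c.key_bits < policy["pubKey"]["minSize"][c.key_alg]:
        problems.append("Weak key")  # wording assumed
    if c.issuer_cn in policy["blacklistedIssuers"]:
        problems.append("Blacklisted issuer")
    return ",".join(problems)  # same comma-joined form as the report
```

Rebuilding the report rows with `make_cert("localhost", "localhost", -523, 365)` yields "Expired,Self signed", and a two-year certificate with 493 days left from a blacklisted issuer yields "Duration exceeds,Blacklisted issuer".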

Private keys with usages:

Object Name                  File                                   Usage
dp-myarch-key                cert:/dp_myarch.key                    CryptoIdentCred:dp-myarch-cred
datapower.myarch.com_privkey cert:/datapower.myarch.com_privkey.pem
local-app_privkey            cert:/local-app_privkey.pem
local-app-ss_privkey         cert:/local-app-ss_privkey.pem         CryptoIdentCred:datapower-local-ca, SSLServerProfile:dp-myarch-server, XMLFirewallService:OktaResourceOwnerFlow
sslserver                    cert:/sslserver-privkey.pem            CryptoIdentCred:sslserver, CryptoProfile:sslserver, SSLProxyProfile:sslserver, HTTPSSourceProtocolHandler:https_5041, MultiProtocolGateway:oauth-mpgw-rs

Password aliases with expiration and usages:

Location Domain          Object Name         Exp in Days Changed On Changed By Usage
dev      dpbuddy-samples self_signed_key-pwd             6/20/20    aananiev   CryptoKey:self_signed_key
dev      dpbuddy-samples oracle-pwd-alias             83 3/16/20    aananiev
dev      dpbuddy-samples keypair-1_key-pwd               6/20/20    aananiev   CryptoKey:keypair-1_key
dev      dpbuddy-samples service1-pwd-alias          -66 3/16/20    aananiev
dev      dpbuddy-samples service2-pwd-alias          -97 3/16/20    aananiev

The report in Excel format provides additional information; here is a snippet of the report:
[Image: Crypto report in Excel format]

More details are available in the documentation.
If you're interested in fully automating your certificate and key management, please let us know.