listCrypto
¶
This command downloads certificates, keys and password aliases from DataPower or certificates from TLS endpoints.
It prints certificate/key information to the console and also generates a more detailed report in Excel format.
You can specify what columns to print by using various *Col
options of this command. The Excel report always contains all columns.
The command can also check certificates’ validity and compliance with policies and best practices. For example, it can flag sef-signed certificates, certificates with weak keys or certificates issued by Certificate Authorities that are not approved within an organization.
The command also checks a certificate’s expiration, verifies its signature and checks the certificate’s revocation status using OCSP.
It also checks expiration of password aliases if they were deployed using passwordAlias with the expiresIn
value provided.
You can put listCrypto
on a schedule to periodically check certificates’ “health” and compliance. failOnCheckFailure
option can be used to create alerts in case if a check fails.
The same certificate (same public key, issuer, serial number) can be encountered multiple times during the scan. E.g. a certificated can be deployed to multiple domains or appliances, or a duplicate can be pulled from a TLS endpoint.
listCrypto
always groups certificates based on their issuer/serial, so you can see if the same certificate is used in multiple locations.
By default, the command does not show issuers’ certificates (CAs and intermediate issuers), even though it downloads them from DataPower or from endpoints. The issuers’ certs are used for verifying certificate’s signature. You can use -issuers
options if you need to see issuers’ certificates as part of the report.
The command will automatically download the issuer’s cert using the information in the AIA extension if needed.
Attributes/Options¶
Name |
Description |
---|---|
domainPatterns
alias: domains
|
Comma-delimited list of regular expression patterns defining what domains to apply the command to. Use ‘.*’ for all domains except the default. Use ‘.*,default’ to include the default. |
excel |
Produce report in Excel format in addition to printing to the console/standard out. Defaults to |
reportOutput |
Path to the generated report file in Excel format or to a directory where the CSV files will be saved. Defaults to |
listKeys
alias: keys
|
Include information about private keys. The actual keys are not collected and not displayed. Defaults to |
listPasswordAliases
CLI alias: pa
|
Include information about password aliases, such as the object name, audit info, password expiration. The actual passwords are not collected and not displayed. Defaults to |
listCerts
CLI alias: certs
|
Include information about X.509 certificates. Defaults to |
listIssuers
CLI alias: issuers
|
Include certificates from CAs and intermediate issuers. Defaults to |
endpoints
alias: ep
|
Endpoints to collect certificates from, in addition to DataPower. Format: list of comma-delimited host:port, e.g., my.backend.com,192.168.1.12:9443. Port 443 is the default. |
runChecks |
Validate certificates and keys according to the configured checks in crypto.conf. Defaults to |
failOnCheckFailure
alias: fail
|
Fail this command if one of the checks defined in crypto.conf failed. The command will return a failure status. Defaults to |
auditCol |
Show ‘Changed On’ and ‘Changed By’ columns. Defaults to |
issuerCol |
Show the ‘issuer’ column. Defaults to |
serialCol |
Show the serial number of the certificate. Defaults to |
usage |
Print usage of all found crypto objects in the format Type:Name, Type:Name. Each Type:Name is the parent of the previous object, so it represent an object reference graph. Defaults to |
Examples¶
# List certificates, keys, password aliases, checks are not performed
dpbuddy listCrypto
# Display certs only, run policy checks defined in crypto.conf. Suppress the issuers columns to save space.
dpbuddy listCrypto -keys false -pa false -runChecks -issuerCol false
# Certs only, run policy checks defined in crypto.conf and fail if any of the checks failed
dpbuddy listCrypto -keys false -pa false -runChecks -failOnCheckFailure
# Generate excel report; Display the serial number of the certificates
dpbuddy listCrypto -runChecks -issuerCol false -serial -excel
# print usage of all found crypto objects
dpbuddy listCrypto -usage
Sample output:
Domain Object Name File Subject CN Alt Names Exp in Days Key Alg Issuer Serial Changed On Changed By
dpbuddy-samples revoked_chain cert:/revoked_chain.pem revoked.badssl.com revoked.badssl.com,www.revoked.bads 473 RSA-2048 DigiCert SHA2 Secure Server CA 4578095623763233818958520798617405692 6/20/20 aananiev
dpbuddy-samples myarch_chain cert:/myarch_chain.pem myarch.com myarch.com,www.myarch.com 493 RSA-2048 Go Daddy Secure Certificate Authori 11510493113533735686 6/20/20 aananiev
dpbuddy-samples myarch cert:/myarch.pem myarch.com myarch.com,www.myarch.com 493 RSA-2048 Go Daddy Secure Certificate Authori 11510493113533735686 6/20/20 aananiev
dpbuddy-samples myarch.com_443 cert:/myarch.com_443.pem myarch.com myarch.com,www.myarch.com 493 RSA-2048 Go Daddy Secure Certificate Authori 11510493113533735686 6/20/20 aananiev
https://myarch.com:443 myarch.com myarch.com,www.myarch.com 493 RSA-2048 Go Daddy Secure Certificate Authori 11510493113533735686
dpbuddy-samples local-app cert:/local-app.pem local-app local-app 326 RSA-2048 Local CA 1589417790 6/20/20 aananiev
dpbuddy-samples local_app cert:/local_app.pem local-app.com 266 RSA-2048 local CA 1584288750 6/20/20 aananiev
dpbuddy-samples self_signed cert:/self_signed.pem localhost -523 RSA-2048 localhost 9699314724490867386 6/20/20 aananiev
dpbuddy-samples keypair-1 cert:/keypair-1.pem test-key-1 -278 RSA-2048 test-key-1 1537189500 6/20/20 aananiev
Please see this post with more examples of crypto reports.