SSL Certificate Verifier Tool

Description

This is a WPF tool that allows you to connect to remote web servers and examine their SSL certificates.

The tool provides the following functionality:

  • Validates the SSL certificate and every certificate in the chain for possible errors;
  • Implements certificate expiration checking. Expiration is checked for all certificates in the chain;
  • Also checks the certificates of all possible redirection URLs;
  • Writes a trace/debug log for each processed entry;
  • Provides the ability to save the server list to a file and read the list back from a file.

The tool requires .NET Framework 4.5.


Details & Pricing

  • This tool is distributed for free as source code on GitHub or as a binary download
  • Support is not commercially provided at this time; however, we do accept comments, suggestions and notifications of compatibility on GitHub.

Download SSL Certificate Verifier

    Main Window

    The main window contains a list of remote SSL/TLS servers and control buttons. There are three possible validation outcomes:

    • Ok

    The client was able to connect to the remote server over SSL/TLS and its certificate passed all validation checks based on the current settings.

    • Error

    The client either was not able to connect to the remote server over SSL/TLS, or its certificate failed the validation checks.

    • Warning

    The client was able to connect to the remote server over SSL/TLS and its certificate passed all validation checks, but the certificate is about to expire.

    When a particular entry is selected, a trace log with certificate details is shown. By right-clicking a remote server entry and selecting its properties, you can configure proxy settings if necessary.

    Certificate View

    Additionally, there is a certificate view, located under the Certificates tab.

    The certificate view dialog shows the certificate chain and its errors. Native errors show potential issues with the selected certificate itself. Propagated errors show potential issues propagated from upper-level certificates (intermediate CA certificates). The following image shows the errors associated with a certificate that failed validation checks.

    By pressing the View Certificate button, the certificate dialog provided by the operating system is shown.

    HTML Report

    After the scan completes, you can save the current application state to an HTML report by clicking the "Save HTML Report" toolbar button.

    The HTML report provides detailed information about every HTTP redirect, the certificate chain, the details of every certificate and even the full certificate in PEM format.

    Script Automation

    You can automate server scanning using Windows PowerShell and create scheduled tasks to run scans on a regular basis:

    PS C:\> Add-Type -Path "C:\Program Files\PKI Solutions\SSL Verifier\SSLVerifier.Core.dll"
    PS C:\> $server = New-Object SSLVerifier.Core.Default.ServerEntry "google.lv"
    PS C:\> $config = New-Object SSLVerifier.Core.Default.CertProcessorConfig
    PS C:\> $scanner = New-Object SSLVerifier.Core.Processor.CertProcessor $config
    PS C:\> $scanner.StartScan($server)
    PS C:\> $server
    
    
    ServerAddress : google.lv
    Port          : 443
    Proxy         : SSLVerifier.Core.Default.ServerEntryProxy
    ItemStatus    : Valid
    Log           : SSLVerifier.Core.Default.ServerLogWriter
    SAN           : {DNS Name=*.google.lv, DNS Name=*.google.com.lv, DNS Name=google.com.lv, DNS Name=google.lv...}
    ChainStatus   : NoError
    Certificate   : [Subject]
                      CN=*.google.lv, O=Google LLC, L=Mountain View, S=California, C=US
    
                    [Issuer]
                      CN=GTS CA 1O1, O=Google Trust Services, C=US
    
                    [Serial Number]
                      0096E49317B4886A040200000000726DC1
    
                    [Not Before]
                      2020.07.07. 11:14:00
    
                    [Not After]
                      2020.09.29. 11:14:00
    
                    [Thumbprint]
                      7F31CB3D7A6C4A28D2D5A7F96E7709C44D43CC97
    
    Tree          : {SSLVerifier.Core.Models.TreeNode`1[SSLVerifier.Core.IChainElement], SSLVerifier.Core.Models.TreeNode`1
                    [SSLVerifier.Core.IChainElement]}
    
    PS C:\> if ($server.ItemStatus -ne "Valid") {
    >> # perform required actions for failed scan. For example, send email alert
    >> }
    >>
    PS C:\>

    Follow this post for more details.
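
    The following script is an added example built on the same SSLVerifier.Core API shown in the session above; it is not part of the SSL Verifier project. It scans every host listed in a text file, writes the results to CSV, and exits non-zero when any entry is not Valid, which is what a scheduled task needs in order to report a failed run. The file paths and the alert action are placeholders, and the script assumes that the Certificate property exposed on a scanned entry is a .NET X509Certificate2 (the NotAfter and Thumbprint fields in the page's output suggest this) and that StartScan may throw on a network failure.

```powershell
# Added example, not the SSL Verifier project's own code. Uses only the types
# demonstrated on the page: ServerEntry, CertProcessorConfig, CertProcessor.
Add-Type -Path "C:\Program Files\PKI Solutions\SSL Verifier\SSLVerifier.Core.dll"

function Invoke-ServerScan {
    param([Parameter(Mandatory)][string[]]$HostName)

    $config  = New-Object SSLVerifier.Core.Default.CertProcessorConfig
    $scanner = New-Object SSLVerifier.Core.Processor.CertProcessor $config

    foreach ($name in $HostName) {
        $server = New-Object SSLVerifier.Core.Default.ServerEntry $name
        $scanError = $null
        try {
            $scanner.StartScan($server)
        } catch {
            # Assumption: a connection failure may surface as an exception rather
            # than only as ItemStatus; record it so the entry is still reported.
            $scanError = $_.Exception.Message
        }

        # Certificate is assumed to be an X509Certificate2 (may be $null on failure).
        $cert = $server.Certificate
        [pscustomobject]@{
            Server      = $server.ServerAddress
            Port        = $server.Port
            Status      = if ($scanError) { 'Error' } else { $server.ItemStatus }
            ChainStatus = $server.ChainStatus
            NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
            Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
            Detail      = $scanError
        }
    }
}

# Placeholder paths: one host name per line in the input file.
$results = Invoke-ServerScan -HostName (Get-Content 'C:\Scans\servers.txt')
$results | Export-Csv -NoTypeInformation -Path 'C:\Scans\last-scan.csv'

$failed = @($results | Where-Object { $_.Status -ne 'Valid' })
if ($failed.Count -gt 0) {
    # Placeholder alert action: replace with Send-MailMessage, a ticket API call, etc.
    $failed | Format-Table -AutoSize | Out-String | Write-Warning
    exit 1    # non-zero exit code marks the scheduled task run as failed
}
exit 0
```

    Register the script with a scheduled task that runs under an account allowed to reach the servers (and the proxy, if one is configured on the entries); the task's last result then reflects whether every certificate was still Valid at the time of the run.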

    Application Settings

    The application has several settings, which are opened via Options -> Settings.

    In this dialog, you can configure the following validation options:

    • Search Transparency Log

    When enabled, searches for the TLS certificate in public Certificate Transparency logs.

    • Strict EKU validation

    When enabled, this option requires that the entire certificate chain is valid for the Server Authentication enhanced key usage. Otherwise, the Server Authentication EKU is checked on the leaf certificate only.

    • Allow user trust

    By default, certificate chains are built against the trusted root CA store in the machine context (local computer). Trusted root CAs manually added to the current user store are not trusted by default.

    • Require minimum RSA public key length

    Enforces an RSA public key length that must be equal to or greater than the specified value. This setting affects RSA public keys only; ECC (elliptic curve cryptography) key lengths are not enforced.

    • Protocol list

    Specifies the allowed SSL/TLS protocols. The SSL Verifier Tool attempts to connect to the remote server using the best protocol. If the connection fails and other allowed protocols remain, they are attempted in turn until a connection succeeds or no allowed SSL/TLS protocols remain, in which case the connection fails.

    • Invalidate weak signature algorithm

    When enabled, specifies a set of disallowed signature algorithms for leaf and intermediate CA certificates. The list is not applied to root certificates (presented in self-signed form), which are not checked.
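
    To make the effect of these options concrete, the script below is an added example (not the SSL Verifier tool's own code) that applies the same checks to a server's certificate chain using the .NET X509Chain and X509Certificate2 classes available in Windows PowerShell: Server Authentication EKU on the leaf only or on the whole chain (Strict EKU validation), chain building in machine context unless user trust is allowed, a minimum RSA key length that ignores ECC keys, a disallowed signature algorithm list that skips the self-signed root, and expiration checking on every chain element, mapped onto the Ok / Warning / Error outcomes described above. The default values (2048-bit RSA, md5RSA and sha1RSA as weak, a 30-day expiry warning window) and the host name are this example's assumptions, not the tool's settings.

```powershell
# Added example, not part of the SSL Verifier tool. Defaults below are assumptions.

function Get-RemoteCertificate {
    # Completes a TLS handshake and returns the leaf certificate for inspection.
    # The permissive callback is only so an invalid chain can still be fetched and
    # examined; the real policy decision is made by Test-ChainPolicy, never here.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Test-ChainPolicy {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf,
        [switch]$StrictEku,                                            # "Strict EKU validation"
        [switch]$AllowUserTrust,                                       # "Allow user trust"
        [int]$MinRsaKeyLength = 2048,                                  # "Require minimum RSA public key length"
        [string[]]$WeakSignatureAlgorithms = @('md5RSA', 'sha1RSA'),   # "Invalidate weak signature algorithm"
        [int]$ExpiryWarningDays = 30                                   # assumed window for the Warning outcome
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $rsaOid        = '1.2.840.113549.1.1.1'
    $findings      = New-Object System.Collections.Generic.List[string]

    # useMachineContext = $true builds against the local computer root store only
    # (the tool's default); roots added to the user store count only with -AllowUserTrust.
    $useMachineContext = -not [bool]$AllowUserTrust
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($useMachineContext)
    $null = $chain.Build($Leaf)
    foreach ($s in $chain.ChainStatus) {
        $findings.Add("chain: $($s.Status) $($s.StatusInformation.Trim())")
    }

    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    for ($i = 0; $i -lt $elements.Count; $i++) {
        $cert   = $elements[$i]
        $isRoot = ($i -eq $elements.Count - 1) -and ($cert.Subject -eq $cert.Issuer)
        $label  = "[$i] $($cert.Subject)"

        # Expiration is checked for every certificate in the chain, not just the leaf.
        if ($cert.NotAfter -lt (Get-Date)) { $findings.Add("$label expired on $($cert.NotAfter)") }

        # Server Authentication EKU: leaf only, or every element under -StrictEku.
        # A certificate with no EKU extension is unrestricted and therefore passes.
        if ($i -eq 0 -or $StrictEku) {
            $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
            if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) {
                $findings.Add("$label lacks the Server Authentication EKU")
            }
        }

        # Key length is measured for RSA keys only; ECC keys are left alone, as the setting states.
        if ($cert.PublicKey.Oid.Value -eq $rsaOid) {
            $bits = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert).KeySize
            if ($bits -lt $MinRsaKeyLength) { $findings.Add("$label RSA key is $bits bits (minimum $MinRsaKeyLength)") }
        }

        # Weak signature algorithms are flagged on leaf and intermediate certificates;
        # a self-signed root's own signature carries no trust, so it is skipped.
        if (-not $isRoot -and $WeakSignatureAlgorithms -contains $cert.SignatureAlgorithm.FriendlyName) {
            $findings.Add("$label is signed with $($cert.SignatureAlgorithm.FriendlyName)")
        }
    }

    # Outcome mapping: any finding is an Error; a clean chain whose leaf expires
    # within the warning window is a Warning; otherwise Ok.
    $status = 'Ok'
    if ($Leaf.NotAfter -lt (Get-Date).AddDays($ExpiryWarningDays)) { $status = 'Warning' }
    if ($findings.Count -gt 0) { $status = 'Error' }

    [pscustomobject]@{ Subject = $Leaf.Subject; Status = $status; Findings = $findings.ToArray() }
}

# Usage (host name is a placeholder):
# Test-ChainPolicy -Leaf (Get-RemoteCertificate -HostName 'www.example.com') -StrictEku -MinRsaKeyLength 2048
```

    Running the same leaf through Test-ChainPolicy with and without -StrictEku, or with a higher -MinRsaKeyLength, shows which chain element trips each rule, which is the quickest way to understand why the tool reports Error for a server that a browser still accepts.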