The signature algorithm of an SSL certificate can be identified with the nmap or openssl command. Here are the steps to identify the certificate signature algorithm used by your webserver or other SSL endpoints.
nmap command :
You can use the ssl-cert script with the --script option to determine the certificate signing algorithm. Tested with nmap version 7.
[root@cloudibee ~]# nmap -v -p 443 --script ssl-cert google.com | grep -i algorithm
| Signature Algorithm: sha256WithRSAEncryption
[root@cloudibee ~]#
[root@cloudibee ~]# nmap -v -p 443 --script ssl-cert 10.10.10.10 | grep -i Algorithm
| Signature Algorithm: sha1WithRSAEncryption
[root@cloudibee ~]#
openssl command :
Similarly, you can find the same information with the openssl command. The command below fetches the certificate from the endpoint, then decodes it and prints the signature algorithm field.
[root@cloudibee ~]# echo | openssl s_client -showcerts -connect google.com:443 2>/dev/null | openssl x509 -inform pem -noout -text | grep 'Signature Algorithm'
Signature Algorithm: sha256WithRSAEncryption
[root@cloudibee ~]#
Using either of these commands, you can easily script the check and identify the certificate signature algorithm on all your endpoints.
Example using the nmap command :
Iterate through all the host names in /tmp/list.txt and print the signature algorithm of each host's SSL certificate.
# -- script -- #
#!/bin/bash
# Read one host per line from /tmp/list.txt and print the signature
# algorithm of the certificate served on port 443.
while read -r host; do
    [ -n "$host" ] || continue          # skip blank lines
    echo -n "$host "
    nmap -v -p 443 --script ssl-cert "$host" | grep -i Algorithm
done < /tmp/list.txt

# -- Execution --- #
[root@cloudibee ~]# for host in `cat /tmp/list.txt`; do echo -n "$host " ; nmap -v -p 443 --script ssl-cert $host | grep -i Algorithm; done
google.com | Signature Algorithm: sha256WithRSAEncryption
facebook.com | Signature Algorithm: sha256WithRSAEncryption
yahoo.com | Signature Algorithm: sha1WithRSAEncryption
[root@cloudibee ~]#
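As an added example (not part of the original post), here is a shell script that turns the openssl check above into a small inventory report: it parses the signature algorithm out of `openssl x509 -text` output and flags SHA-1 and MD5 signatures as weak. The function names, the constructed sample certificate text and the host-list loop are mine, not the post's.

```shell
#!/bin/bash
# Added example: extract and classify certificate signature algorithms.
# Function names are hypothetical; the sample x509 text below is constructed.

# Print the first "Signature Algorithm" value from `openssl x509 -text` on stdin.
# Newer openssl prints the field twice (once in the TBS data, once before the
# signature bytes), so keep only the first match.
extract_sigalg() {
    sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Return 0 (weak) for MD5- or SHA-1-based signatures, 1 otherwise.
is_weak_sigalg() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        md5*|sha1*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Classify one algorithm name as WEAK, OK, or UNKNOWN (empty/unparsed).
classify_sigalg() {
    if [ -z "$1" ]; then echo "UNKNOWN"
    elif is_weak_sigalg "$1"; then echo "WEAK"
    else echo "OK"
    fi
}

# Fetch the leaf certificate of host[:port] and print "host algorithm verdict".
# Needs network access; -servername makes SNI-based virtual hosts answer correctly.
check_endpoint() {
    local host="$1" port="${2:-443}" alg
    alg=$(echo | openssl s_client -servername "$host" -connect "$host:$port" 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null | extract_sigalg)
    printf '%s %s %s\n' "$host" "${alg:-unknown}" "$(classify_sigalg "$alg")"
}

# Constructed sample of the relevant lines of `openssl x509 -text` output.
SAMPLE_X509_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Example CA
    Signature Algorithm: sha1WithRSAEncryption
         12:34:56'

# Usage: ./check-sigalg.sh host [host ...]  (one line of report per host)
for h in "$@"; do check_endpoint "$h"; done
```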