Get SSL Certificate Info
This module contains the following parsers:
SatelliteCustomCaChain - command awk 'BEGIN { pipe="openssl x509 -noout -subject -enddate"} /^-+BEGIN CERT/,/^-+END CERT/ { print | pipe } /^-+END CERT/ { close(pipe); printf("\n")}' /etc/pki/katello/certs/katello-server-ca.crt
RhsmKatelloDefaultCACert - command openssl x509 -in /etc/rhsm/ca/katello-default-ca.pem -noout -issuer
HttpdSSLCertExpireDate - command openssl x509 -in httpd_certificate_path -enddate -noout
NginxSSLCertExpireDate - command openssl x509 -in nginx_certificate_path -enddate -noout
MssqlTLSCertExpireDate - command openssl x509 -in mssql_tls_cert_file -enddate -noout
HttpdCertInfoInNSS - command certutil -L -d xxx -n xxx

class insights.parsers.ssl_certificate.CertificateChain(context, extra_bad_lines=None)
Bases: insights.core.CommandParser, list
Base class to parse the output of “openssl -in <certificate_chain_file> -xxx”. A blank line is added to separate the certificates in the chain. Currently it supports only attributes whose output is in key=value form.
Sample Output:
    issuer= /C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=test.a.com
    subject= /C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=test.b.com
    notBefore=Dec 7 07:02:33 2020 GMT
    notAfter=Jan 18 07:02:33 2038 GMT

    issuer= /C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=test.c.com
    subject= /C=US/ST=North Carolina/O=Katello/OU=SomeOrgUnit/CN=test.d.com
    notBefore=Nov 30 07:02:42 2020 GMT
    notAfter=Jan 18 07:02:43 2018 GMT
Examples
    >>> type(certs)
    <class 'insights.parsers.ssl_certificate.CertificateChain'>
    >>> len(certs)
    2
    >>> certs.earliest_expiry_date.str
    'Jan 18 07:02:43 2018'
parse_content(content)
Parse the content of the cert chain file and save the certs in a list of dicts. This uses the insights.parsers.ssl_certificate.parse_openssl_output() function. See its documentation for parsing details.
earliest_expiry_date
The earliest expiry datetime of the certs in the chain. None when there isn’t “notAfter” for all the certs in the chain.
Type: ExpirationDate
Raises: SkipComponent -- when the command output is empty.

class insights.parsers.ssl_certificate.CertificateInfo(context)
Bases: insights.core.CommandParser, dict
Base class to parse the output of “openssl -in <single_certificate_file> -xxx”. Currently it supports only attributes whose output is in key=value form.
Sample Output:
    issuer= /C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=a.b.c.com
    notBefore=Dec 7 07:02:33 2020 GMT
    notAfter=Jan 18 07:02:33 2038 GMT
    subject= /C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=a.b.c.com
Examples
    >>> type(cert)
    <class 'insights.parsers.ssl_certificate.CertificateInfo'>
    >>> 'issuer' in cert
    True
    >>> cert['issuer']
    '/C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=a.b.c.com'
    >>> cert['notBefore'].str
    'Dec 7 07:02:33 2020'
Raises: SkipComponent -- when the command output is empty.
cert_path
Return the certificate path.
parse_content(content)
This uses the insights.parsers.ssl_certificate.parse_openssl_output() function. See its documentation for parsing details.

class insights.parsers.ssl_certificate.HttpdCertInfoInNSS(context, extra_bad_lines=None)
Bases: insights.core.CommandParser, dict
It parses the output of “certutil -d <database_path> -L -n <cert_name>”. Currently it parses only the “Not After” info and saves it into a dict. The key is renamed to “notAfter” to stay consistent with the other certificate info. The value of “notAfter” is converted to an instance of ExpirationDate, which contains the date in string and datetime format.
Raises:
    ParseException -- when the “Not After” isn’t in the expected format.
    SkipComponent -- when there is no “Not After” info in the content.
Examples
    >>> type(nss_cert_info)
    <class 'insights.parsers.ssl_certificate.HttpdCertInfoInNSS'>
    >>> nss_cert_info['notAfter'].str
    'Sun Dec 07 05:26:10 2025'
cert_path
Return the certificate path info.

class insights.parsers.ssl_certificate.HttpdSSLCertExpireDate(context)
Bases: insights.parsers.ssl_certificate.CertificateInfo
Note
Please refer to its super-class insights.parsers.ssl_certificate.CertificateInfo for more details.
It parses the output of openssl x509 -in httpd_ssl_certificate_path -enddate -noout.
Sample output of openssl x509 -in httpd_certificate_path -enddate -noout:
    notAfter=Dec 4 07:04:05 2035 GMT
Examples
    >>> type(date_info)
    <class 'insights.parsers.ssl_certificate.HttpdSSLCertExpireDate'>
    >>> date_info['notAfter'].datetime
    datetime.datetime(2038, 1, 18, 7, 2, 43)

class insights.parsers.ssl_certificate.MssqlTLSCertExpireDate(context)
Bases: insights.parsers.ssl_certificate.CertificateInfo
Note
Please refer to its super-class insights.parsers.ssl_certificate.CertificateInfo for more details.
It parses the output of openssl x509 -in mssql_tls_cert_file -enddate -noout.
Sample output of openssl x509 -in mssql_tls_cert_file -enddate -noout:
    notAfter=Dec 4 07:04:05 2035 GMT
Examples
    >>> type(mssql_date_info)
    <class 'insights.parsers.ssl_certificate.MssqlTLSCertExpireDate'>
    >>> mssql_date_info['notAfter'].datetime
    datetime.datetime(2022, 11, 5, 1, 43, 59)

class insights.parsers.ssl_certificate.NginxSSLCertExpireDate(context)
Bases: insights.parsers.ssl_certificate.CertificateInfo
Note
Please refer to its super-class insights.parsers.ssl_certificate.CertificateInfo for more details.
It parses the output of openssl x509 -in nginx_certificate_path -enddate -noout.
Sample output of openssl x509 -in nginx_certificate_path -enddate -noout:
    notAfter=Dec 4 07:04:05 2035 GMT
Examples
    >>> type(nginx_date_info)
    <class 'insights.parsers.ssl_certificate.NginxSSLCertExpireDate'>
    >>> nginx_date_info['notAfter'].datetime
    datetime.datetime(2038, 1, 18, 7, 2, 43)
    >>> nginx_date_info.cert_path
    '/a/b/c.pem'

class insights.parsers.ssl_certificate.RhsmKatelloDefaultCACert(context)
Bases: insights.parsers.ssl_certificate.CertificateInfo
Note
Please refer to its super-class insights.parsers.ssl_certificate.CertificateInfo for more details.
Sample Output:
issuer= /C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=a.b.c.com
Examples
    >>> type(rhsm_katello_default_ca)
    <class 'insights.parsers.ssl_certificate.RhsmKatelloDefaultCACert'>
    >>> rhsm_katello_default_ca['issuer']
    '/C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=a.b.c.com'

class insights.parsers.ssl_certificate.SatelliteCustomCaChain(context, extra_bad_lines=None)
Bases: insights.parsers.ssl_certificate.CertificateChain
Note
Please refer to its super-class insights.parsers.ssl_certificate.CertificateChain for more details.
Sample Output:
    subject= /C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=test.a.com
    notAfter=Jan 18 07:02:33 2038 GMT

    subject= /C=US/ST=North Carolina/O=Katello/OU=SomeOrgUnit/CN=test.b.com
    notAfter=Jan 18 07:02:43 2028 GMT
Examples
    >>> type(satellite_ca_certs)
    <class 'insights.parsers.ssl_certificate.SatelliteCustomCaChain'>
    >>> len(satellite_ca_certs)
    2
    >>> satellite_ca_certs.earliest_expiry_date.str
    'Jan 18 07:02:43 2028'

insights.parsers.ssl_certificate.parse_openssl_output(content)
It parses the output of “openssl -in <single_certificate_file> -xxx”. Currently it supports only attributes whose output is in key=value form. It saves the cert info into a dict. The values of notBefore and notAfter are saved as instances of ExpirationDate, which contains the date in string and datetime format.
Raises: ParseException -- when the output isn’t in key=value format, or notAfter or notBefore isn’t in the expected format.
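
The following is an added example, not insights-core code: a stand-alone Python parser for the key=value output described on this page, which splits a chain on blank lines, finds the earliest notAfter and lists certificates already expired at a given time. The function names and the expired() helper are assumptions of this example; the sample input is the CertificateChain sample output from this page.

```python
import re
from datetime import datetime

DATE_FMT = "%b %d %H:%M:%S %Y"  # openssl date layout without the trailing " GMT"

# Sample input: the CertificateChain sample output shown on this page.
SAMPLE = """\
issuer= /C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=test.a.com
subject= /C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=test.b.com
notBefore=Dec 7 07:02:33 2020 GMT
notAfter=Jan 18 07:02:33 2038 GMT

issuer= /C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=test.c.com
subject= /C=US/ST=North Carolina/O=Katello/OU=SomeOrgUnit/CN=test.d.com
notBefore=Nov 30 07:02:42 2020 GMT
notAfter=Jan 18 07:02:43 2018 GMT
"""

def parse_cert_block(lines):
    """Parse the key=value lines of one certificate into a dict."""
    cert = {}
    for line in lines:
        key, sep, value = line.partition("=")  # split on the first "=" only
        if not sep or not key.strip():
            raise ValueError("not in key=value form: %r" % line)
        key, value = key.strip(), value.strip()
        if key in ("notBefore", "notAfter"):
            if not value.endswith(" GMT"):
                raise ValueError("unexpected date layout: %r" % value)
            value = datetime.strptime(value[:-4], DATE_FMT)  # naive, in GMT
        cert[key] = value
    return cert

def parse_chain(output):
    """Split the output on blank lines, one block per certificate."""
    blocks = [b for b in re.split(r"\n\s*\n", output.strip()) if b.strip()]
    if not blocks:
        raise ValueError("empty command output")
    return [parse_cert_block(b.splitlines()) for b in blocks]

def earliest_expiry(certs):
    """Earliest notAfter in the chain, or None when no cert carries one."""
    dates = [c["notAfter"] for c in certs if "notAfter" in c]
    return min(dates) if dates else None

def expired(certs, now):
    """Subjects of certificates whose notAfter lies before `now` (GMT)."""
    return [c.get("subject") for c in certs if c.get("notAfter") and c["notAfter"] < now]
```

Calling expired(parse_chain(SAMPLE), datetime(2021, 1, 1)) reports the second certificate, whose notAfter of 2018 precedes its own notBefore of 2020, which is worth flagging when auditing a CA chain.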