Get SSL Certificate Info

This module contains the following parsers:

SatelliteCustomCaChain - command awk 'BEGIN { pipe="openssl x509 -noout -subject -enddate"} /^-+BEGIN CERT/,/^-+END CERT/ { print | pipe } /^-+END CERT/ { close(pipe); printf("\n")}' /etc/pki/katello/certs/katello-server-ca.crt

RhsmKatelloDefaultCACert - command openssl x509 -in /etc/rhsm/ca/katello-default-ca.pem -noout -issuer

HttpdSSLCertExpireDate - command openssl x509 -in httpd_certificate_path -enddate -noout

NginxSSLCertExpireDate - command openssl x509 -in nginx_certificate_path -enddate -noout

MssqlTLSCertExpireDate - command openssl x509 -in mssql_tls_cert_file -enddate -noout

HttpdCertInfoInNSS - command certutil -L -d xxx -n xxx

class insights.parsers.ssl_certificate.CertificateChain(context, extra_bad_lines=None)[source]

Bases: CommandParser, list

Base class to parse the output of “openssl -in <certificate_chain_file> -xxx”. A blank line separates the individual certs in the chain. Currently it supports only attributes whose output is in key=value form.

Sample Output:

issuer= /C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=test.a.com
subject= /C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=test.b.com
notBefore=Dec  7 07:02:33 2020 GMT
notAfter=Jan 18 07:02:33 2038 GMT

issuer= /C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=test.c.com
subject= /C=US/ST=North Carolina/O=Katello/OU=SomeOrgUnit/CN=test.d.com
notBefore=Nov 30 07:02:42 2020 GMT
notAfter=Jan 18 07:02:43 2018 GMT

Examples

>>> type(certs)
<class 'insights.parsers.ssl_certificate.CertificateChain'>
>>> len(certs)
2
>>> certs.earliest_expiry_date.str
'Jan 18 07:02:43 2018'

parse_content(content)[source]

Parses the content of the cert chain file and saves the certs as a list of dicts. This uses the insights.parsers.ssl_certificate.parse_openssl_output() function; see its documentation for parsing details.

earliest_expiry_date

The earliest expiry datetime of the certs in the chain. None when no cert in the chain has a “notAfter” value.

Type:

ExpirationDate

Raises:

SkipComponent -- when the command output is empty.

class insights.parsers.ssl_certificate.CertificateInfo(context)[source]

Bases: CommandParser, dict

Base class to parse the output of “openssl -in <single_certificate_file> -xxx”. Currently it supports only attributes whose output is in key=value form.

Sample Output:

issuer= /C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=a.b.c.com
notBefore=Dec  7 07:02:33 2020 GMT
notAfter=Jan 18 07:02:33 2038 GMT
subject= /C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=a.b.c.com

Examples

>>> type(cert)
<class 'insights.parsers.ssl_certificate.CertificateInfo'>
>>> 'issuer' in cert
True
>>> cert['issuer']
'/C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=a.b.c.com'
>>> cert['notBefore'].str
'Dec  7 07:02:33 2020'

Raises:

SkipComponent -- when the command output is empty.

property cert_path

Return the certificate path.

parse_content(content)[source]

This uses the insights.parsers.ssl_certificate.parse_openssl_output() function. See its documentation for parsing details.

class insights.parsers.ssl_certificate.HttpdCertInfoInNSS(context, extra_bad_lines=None)[source]

Bases: CommandParser, dict

It parses the output of “certutil -d <database_path> -L -n <cert_name>”. Currently it parses only the “Not After” info and saves it into a dict. The key is renamed to “notAfter” to stay consistent with the other certificate info. The value of “notAfter” is converted to an instance of ExpirationDate, which contains the date in string and datetime format.

Raises:
  • ParseException -- when the “Not After” isn’t in the expected format.

  • SkipComponent -- when there is no “Not After” info in the content.

Examples

>>> type(nss_cert_info)
<class 'insights.parsers.ssl_certificate.HttpdCertInfoInNSS'>
>>> nss_cert_info['notAfter'].str
'Sun Dec 07 05:26:10 2025'

property cert_path

Return the certificate path info.

parse_content(content)[source]

This method must be implemented by classes based on this class.

class insights.parsers.ssl_certificate.HttpdSSLCertExpireDate(context)[source]

Bases: CertificateInfo

Note

Please refer to its super-class insights.parsers.ssl_certificate.CertificateInfo for more details.

It parses the output of openssl x509 -in httpd_ssl_certificate_path -enddate -noout.

Sample output of openssl x509 -in httpd_certificate_path -enddate -noout:

notAfter=Dec 4 07:04:05 2035 GMT

Examples

>>> type(date_info)
<class 'insights.parsers.ssl_certificate.HttpdSSLCertExpireDate'>
>>> date_info['notAfter'].datetime
datetime.datetime(2038, 1, 18, 7, 2, 43)

class insights.parsers.ssl_certificate.MssqlTLSCertExpireDate(context)[source]

Bases: CertificateInfo

Note

Please refer to its super-class insights.parsers.ssl_certificate.CertificateInfo for more details.

It parses the output of openssl x509 -in mssql_tls_cert_file -enddate -noout.

Sample output of openssl x509 -in mssql_tls_cert_file -enddate -noout:

notAfter=Dec 4 07:04:05 2035 GMT

Examples

>>> type(mssql_date_info)
<class 'insights.parsers.ssl_certificate.MssqlTLSCertExpireDate'>
>>> mssql_date_info['notAfter'].datetime
datetime.datetime(2022, 11, 5, 1, 43, 59)

class insights.parsers.ssl_certificate.NginxSSLCertExpireDate(context)[source]

Bases: CertificateInfo

Note

Please refer to its super-class insights.parsers.ssl_certificate.CertificateInfo for more details.

It parses the output of openssl x509 -in nginx_certificate_path -enddate -noout.

Sample output of openssl x509 -in nginx_certificate_path -enddate -noout:

notAfter=Dec 4 07:04:05 2035 GMT

Examples

>>> type(nginx_date_info)
<class 'insights.parsers.ssl_certificate.NginxSSLCertExpireDate'>
>>> nginx_date_info['notAfter'].datetime
datetime.datetime(2038, 1, 18, 7, 2, 43)
>>> nginx_date_info.cert_path
'/a/b/c.pem'

class insights.parsers.ssl_certificate.RhsmKatelloDefaultCACert(context)[source]

Bases: CertificateInfo

Note

Please refer to its super-class insights.parsers.ssl_certificate.CertificateInfo for more details.

Sample Output:

issuer= /C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=a.b.c.com

Examples

>>> type(rhsm_katello_default_ca)
<class 'insights.parsers.ssl_certificate.RhsmKatelloDefaultCACert'>
>>> rhsm_katello_default_ca['issuer']
'/C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=a.b.c.com'

class insights.parsers.ssl_certificate.SatelliteCustomCaChain(context, extra_bad_lines=None)[source]

Bases: CertificateChain

Note

Please refer to its super-class insights.parsers.ssl_certificate.CertificateChain for more details.

Sample Output:

subject= /C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=test.a.com
notAfter=Jan 18 07:02:33 2038 GMT

subject= /C=US/ST=North Carolina/O=Katello/OU=SomeOrgUnit/CN=test.b.com
notAfter=Jan 18 07:02:43 2028 GMT

Examples

>>> type(satellite_ca_certs)
<class 'insights.parsers.ssl_certificate.SatelliteCustomCaChain'>
>>> len(satellite_ca_certs)
2
>>> satellite_ca_certs.earliest_expiry_date.str
'Jan 18 07:02:43 2028'

insights.parsers.ssl_certificate.parse_openssl_output(content)[source]

It parses the output of “openssl -in <single_certificate_file> -xxx” and saves the cert info into a dict. Currently it supports only attributes whose output is in key=value form. The values of notBefore and notAfter are saved as instances of ExpirationDate, which contains the date in string and datetime format.

Raises:

ParseException -- when the output isn’t in key=value format, or when notAfter or notBefore isn’t in the expected format.