Performs an OpenSSL OCSP revocation check against the TLS certificate a host serves on port 443 #Utility #Public #Security #OpenSSL
# ocsp-domain-validation.ps1
<#
Description: Performs an OpenSSL OCSP revocation check on the TLS certificate served by a host on port 443
             (fetches the leaf and chain with `openssl s_client`, then queries the responder with `openssl ocsp`).
Requires: the `openssl` binary on PATH.
Written: Ed Walsh
PowerShell.Core tested: Yes
MS-Graph: No
Version: 1.0.0
Create Date: 6/11/2024
Revised Date: 6/11/2024
#>
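# Target host. Exposed as a script parameter (default unchanged) so the script can
# be reused without editing it:  .\ocsp-domain-validation.ps1 -domain www.example.com
# The pattern admits only hostname characters: $domain is later used both as a
# native command-line argument and as a file name, so whitespace, quotes, path
# separators and shell metacharacters must be rejected up front.
param(
    [Parameter(Position = 0)]
    [ValidatePattern('^[A-Za-z0-9][A-Za-z0-9.-]*$')]
    [string]$domain = "www.domain.com"
)
Clear-Host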
# Returns $true when an `openssl` command is resolvable on PATH, else $false.
function Test-OpenSSL {
    # Get-Command (rather than `where`/`which`) keeps this portable across Windows
    # and Unix hosts; SilentlyContinue turns "not found" into $null instead of an error.
    $resolved = Get-Command openssl -ErrorAction SilentlyContinue
    return [bool]$resolved
}
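# Check if OpenSSL is installed
if (-not (Test-OpenSSL)) {
    Write-Error "OpenSSL is not installed or not found in the system PATH. Please install OpenSSL and try again."
    exit 1
}

# $domain is handed to native commands and used as a file name below. Restrict it
# to hostname characters so a crafted value cannot smuggle extra arguments,
# redirections or path separators into those uses.
if ($domain -notmatch '^[A-Za-z0-9][A-Za-z0-9.-]*$') {
    Write-Error "Invalid domain '$domain': expected a bare hostname such as www.example.com."
    exit 1
}

## Per-run scratch directory under $HOME\Temp (created if missing). The files hold
## public certificate material, not secrets; the unique subdirectory only keeps two
## concurrent runs from clobbering each other's certs.txt.
$tempPath = Join-Path $HOME -ChildPath Temp
If (-not (Test-Path -Path $tempPath)) {
    New-Item -ItemType Directory -Force -Path $tempPath | Out-Null
}
$path = Join-Path $tempPath ("ocsp-" + [guid]::NewGuid().ToString("N"))
New-Item -ItemType Directory -Force -Path $path | Out-Null

$certFile              = Join-Path $path "$domain.pem"               # leaf certificate (PEM)
$certtxt               = Join-Path $path "certs.txt"                 # raw `s_client -showcerts` transcript
$Intermidiary_certfile = Join-Path $path "Intermediaries_Chain.pem"  # chain as served, minus the leaf

# Initialize progress bar
$progress = 0
Write-Progress -Activity "Verifying SSL Certificate" -Status "Initializing..." -PercentComplete $progress
$serverPort = 443
# Stays non-zero until the OCSP response has been verified and reports "good".
$exitCode = 1

try {
    # Step 1: Retrieve the leaf certificate.
    # The binary is called directly with discrete arguments rather than through
    # Invoke-Expression: a string-built command line is re-parsed as PowerShell, so
    # $domain could inject commands and a $HOME containing a space broke the '>'
    # redirection. The empty string piped in closes s_client's stdin, so it exits
    # after the handshake instead of waiting for keyboard input.
    $progress += 20
    Write-Progress -Activity "Verifying SSL Certificate" -Status "Retrieving certificate..." -PercentComplete $progress
    $leafPem = "" | & openssl s_client -connect "$($domain):$serverPort" -servername $domain | & openssl x509 -outform PEM
    if (($leafPem -join "`n") -notmatch '-----BEGIN CERTIFICATE-----') {
        throw "Failed to retrieve the certificate, Step 1."
    }
    # PEM is ASCII. Windows PowerShell's default Out-File/'>' encoding is UTF-16,
    # which OpenSSL cannot read back; pin the encoding for every file written here.
    $leafPem | Out-File -FilePath $certFile -Encoding ascii

    # Step 2: Extract the OCSP responder URL (from the certificate's AIA extension).
    $progress += 20
    Write-Progress -Activity "Verifying SSL Certificate" -Status "Extracting OCSP URL..." -PercentComplete $progress
    # A certificate may list more than one responder; the first is used.
    $ocspUrl = & openssl x509 -in $certFile -noout -ocsp_uri | Select-Object -First 1
    if (-not $ocspUrl -or $ocspUrl -notmatch '^https?://') {
        throw "Failed to extract the OCSP URL. Step 2"
    }

    # Step 3: Retrieve the full chain the server presents.
    $progress += 20
    Write-Progress -Activity "Verifying SSL Certificate" -Status "Retrieving issuer's certificate..." -PercentComplete $progress
    "" | & openssl s_client -connect "$($domain):$serverPort" -servername $domain -showcerts | Out-File -FilePath $certtxt -Encoding ascii
    if (-not (Test-Path $certtxt)) {
        throw "Failed to retrieve the issuer's certificate. Step 3"
    }

    # Step 4 (removed). The previous version opened a second TLS connection with
    # System.Net.Security.SslStream and saved RemoteCertificate as "issuer.pem".
    # RemoteCertificate is the server's *leaf* certificate, not its issuer, so that
    # file was mislabelled and was never read; AuthenticateAsClient also threw on any
    # certificate the OS trust store rejects, aborting the run exactly when a
    # revocation check is most wanted. The issuer is taken from the chain in Step 5.

    # Step 5: Separate the intermediates from the leaf. Every PEM block in the
    # -showcerts transcript is collected and the one equal to the leaf is dropped;
    # the comparison ignores whitespace so LF/CRLF differences between the two
    # files cannot leave the leaf in place. The first remaining block (the leaf's
    # issuer, in the order the server sent them) is what `openssl ocsp -issuer` reads.
    $leafBody  = (Get-Content $certFile -Raw) -replace '\s', ''
    $chainText = Get-Content $certtxt -Raw
    $pemBlocks = [regex]::Matches($chainText, '-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----') |
        ForEach-Object { $_.Value }
    $intermediates = @($pemBlocks | Where-Object { ($_ -replace '\s', '') -ne $leafBody })
    # Check the extracted content, not the path variable (which is never empty):
    # a server that sends no intermediates must fail here, not as an opaque OCSP error.
    if ($intermediates.Count -eq 0) {
        throw "Failed to get Intermidiary Certs. Step 5"
    }
    ($intermediates -join "`n") | Out-File -FilePath $Intermidiary_certfile -Encoding ascii

    # Step 6: Perform the OCSP request.
    $progress += 20
    Write-Progress -Activity "Verifying SSL Certificate" -Status "Performing OCSP request..." -PercentComplete $progress
    # Authority = host[:port], matching what the responder expects in the Host header;
    # older OpenSSL builds do not add it themselves and it is harmless on newer ones.
    # stderr is merged and stringified because the ocsp app reports the signature
    # check ("Response verify OK" / "Response Verify Failure") on stderr.
    $ocspHost = ([System.Uri]$ocspUrl).Authority
    $ocspResult = & openssl ocsp -issuer $Intermidiary_certfile -cert $certFile -text -url $ocspUrl -header "HOST=$ocspHost" 2>&1 |
        ForEach-Object { "$_" }
    if (-not $ocspResult) {
        throw "Failed to perform the OCSP request. Step 6"
    }

    # Output the result, then interpret it. A response whose signature OpenSSL could
    # not verify proves nothing about revocation, and "revoked"/"unknown" are
    # failures; the exit code reflects this so the script is usable from automation.
    $progress += 20
    Write-Progress -Activity "Verifying SSL Certificate" -Status "Completed" -PercentComplete $progress
    Write-Output $ocspResult
    $ocspText   = $ocspResult -join "`n"
    $verified   = $ocspText -match 'Response verify OK'
    # Matches either the "<certfile>: good" summary line or the "Cert Status: good"
    # line of the -text dump; anything else is reported as 'unparsed'.
    $certStatus = if ($ocspText -match '(?m)^.*: (good|revoked|unknown)\s*$') { $Matches[1] } else { 'unparsed' }
    if (-not $verified) {
        Write-Warning "OCSP response signature was not verified (no 'Response verify OK'); treat the status above as untrusted. Supply a trust bundle to openssl ocsp via -CAfile if your OpenSSL has no default store."
    }
    if ($certStatus -ne 'good') {
        Write-Warning "OCSP status for $domain is '$certStatus'."
    }
    if ($verified -and $certStatus -eq 'good') { $exitCode = 0 } else { $exitCode = 2 }
}
catch {
    Write-Error "An error occurred: $_"
    $exitCode = 1
}
finally {
    # Cleanup temporary files: the whole per-run directory created above.
    [Environment]::NewLine
    Write-Host "Cleaning up the temp files in $path" -ForegroundColor White -BackgroundColor Red
    [Environment]::NewLine
    if ($path -and (Test-Path -Path $path)) {
        Remove-Item -Path $path -Recurse -Force -ErrorAction SilentlyContinue
    }
}
# 0 = verified "good"; 2 = response unverified or status not "good"; 1 = a step failed.
exit $exitCode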