身の回りのドメインのSSL証明書¶

概要¶

仕事でSSL証明書どこから買おうか悩んでいたのでちょっと他のWebサービスなどを調査してみる。
ブラウザでポチポチするのも良いけど、せっかくなのでコマンドでやる。

調査方法¶

リンクを参考にする。以下のコマンドで情報を取得できるらしい。

openssl s_client -connect www.example.work:443 -showcerts < /dev/null 2>&1

実際叩くと：

$ openssl s_client -connect www.sylow-castle.work:443 -showcerts < /dev/null 2>&1
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.sylow-castle.work
verify return:1
---
（以下略）

まぁ一杯出てくる。
最初のこの部分だけ拾えればいいかなー。

実施¶

一つずつは面倒なのでシェルスクリプトとかでがんばれないか検討する。

• 入力：ホスト名のリスト
  
• 出力：ホスト名：改行Connectedから---までを出したい。

while read line; do echo $line; if [[ $line =~ ^---.*$ ]]; then break; fi; done;

をパイプしてあげると。

depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com
verify return:1
CONNECTED(00000003)
---

一部気になるが必要な情報は取れているからいいや。一部をシェルスクリプトにして、入力ファイル作って実行

結果行¶

実施したのは2018年8月26日

cat ssl_access_target_hosts | while read line; do echo Host: ${line}; ssl_publisher.sh ${line}; done;

Host: www.sylow-castle.work
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.sylow-castle.work
verify return:1
CONNECTED(00000003)
---
Host: www.google.com
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com
verify return:1
CONNECTED(00000003)
---
Host: www.amazon.co.jp
depth=3 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Global CA G2
verify return:1
depth=0 C = US, ST = Washington, L = Seattle, O = "Amazon.com, Inc.", CN = www.amazon.co.jp
verify return:1
CONNECTED(00000003)
---
Host: www.pixiv.net
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
verify return:1
depth=0 C = JP, ST = Tokyo, L = Shibuya-ku, OU = Development department, O = pixiv Inc., CN = *.pixiv.net
verify return:1
CONNECTED(00000003)
---
Host: dotinstall.com
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL RSA CA 2018
verify return:1
depth=0 CN = dotinstall.com
verify return:1
CONNECTED(00000003)
---
Host: o2o.moneykit.net
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
verify return:1
depth=0 businessCategory = Private Organization, jurisdictionC = JP, jurisdictionST = Tokyo, serialNumber = 0100-01-126313, C = JP, ST = Tokyo, L = Chiyoda-ku, O = Sony Bank Incorporated, OU = Members Service A, CN = o2o.moneykit.net
verify return:1
CONNECTED(00000003)
---
Host: www.b-ch.com
depth=4 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
verify return:1
depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
verify return:1
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = www.b-ch.com
verify return:1
CONNECTED(00000003)
---
Host: qiita.com
depth=4 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
verify return:1
depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
verify return:1
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = qiita.com
verify return:1
CONNECTED(00000003)
---
Host: www.4gamer.net
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = JP, O = "Cybertrust Japan Co., Ltd.", CN = Cybertrust Japan Public CA G3
verify return:1
depth=0 C = JP, ST = Tokyo, L = Chuou-ku, O = "Aetas,Inc", CN = *.4gamer.net
verify return:1
CONNECTED(00000003)
---
Host: 5ch.net
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Domain Validation Secure Server CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = ssl365752.cloudflaressl.com
verify return:1
CONNECTED(00000003)
---
Host: secure.sakura.ad.jp
depth=3 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=2 O = "Cybertrust, Inc", CN = Cybertrust Global Root
verify return:1
depth=1 C = JP, O = "Cybertrust Japan Co., Ltd.", CN = Cybertrust Japan EV CA G2
verify return:1
depth=0 jurisdictionC = JP, serialNumber = 1200-01-079845, businessCategory = Private Organization, C = JP, ST = Osaka, L = Osaka-City, O = SAKURA Internet Inc., CN = secure.sakura.ad.jp
verify return:1
CONNECTED(00000003)
---
Host: www.nicovideo.jp
^C
socket: Bad file descriptor
connect:errno=22
Host: www.jorudan.co.jp
depth=3 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018
verify return:1
depth=0 C = JP, ST = TOKYO, L = Shinjuku-ku, O = "JORUDAN CO.,LTD.", OU = Development, CN = *.jorudan.co.jp
verify return:1
CONNECTED(00000003)
---
Host: app.onelogin.com
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = EssentialSSL Wildcard, CN = *.onelogin.com
verify return:1
CONNECTED(00000003)
---
Host: cybozulive.com
depth=3 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.cybozulive.com
verify return:1
CONNECTED(00000003)
---
Host: portal.azure.com
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, OU = Microsoft IT, CN = Microsoft IT TLS CA 5
verify return:1
depth=0 CN = portal.azure.com
verify return:1
CONNECTED(00000003)
---
Host: mackerel.io
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = JP, O = "Cybertrust Japan Co., Ltd.", CN = Cybertrust Japan Public CA G3
verify return:1
depth=0 C = JP, ST = Kyoto, L = Kyoto-shi, O = "Hatena Co., Ltd.", CN = *.mackerel.io
verify return:1
CONNECTED(00000003)
---
Host: anond.hatelabo.jp
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL RSA CA 2018
verify return:1
depth=0 CN = *.hatelabo.jp
verify return:1
CONNECTED(00000003)
---

感想¶

• 実はニコニコ動画httpsでなかった。
• ルート認証局はジオトラスト、グローバルサイン、デジサート系か。
• AmazonやGoogleはやっぱり自分のところ経由してるんだなぁと。
• ５ちゃんねるはcloudflareを利用してたんだなぁ
• MS（Azure）、Amazon、Googleは流石自分の認証局。しかしこれらでもルートCAでないのか。

参考¶

• HTTPS通信の疎通確認に覚えておきたい３つのコマンド：
  https://qiita.com/greymd/items/68b0c40044a88171235a