健二 酒井, 2018/08/26 16:34
SSL certificates of the domains around me
Overview
At work I was wondering where to buy an SSL certificate from, so I took a quick look at what other web services use.
Clicking around in a browser would do, but since I'm at it, I'll do it from the command line.
Survey method
Using the link under References as a guide. Apparently the information can be retrieved with the following command:
<pre>
openssl s_client -connect www.example.work:443 -showcerts < /dev/null 2>&1
</pre>
Actually running it:
<pre>
$ openssl s_client -connect www.sylow-castle.work:443 -showcerts < /dev/null 2>&1
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.sylow-castle.work
verify return:1
---
(rest omitted)
</pre>
Well, a lot comes out. Picking up just this first part should be enough.
Execution
Doing them one at a time is tedious, so let me see whether a shell script or the like can handle it.
- Input: a list of host names
- Output: the host name, a newline, then everything from CONNECTED up to the --- separator.
<pre>
# Echo each line of the s_client output and stop at the first "---" separator
# (read -r and the quoting keep backslashes and spaces in the subject lines intact)
while read -r line; do
    echo "$line"
    if [[ $line =~ ^---.*$ ]]; then break; fi
done
</pre>
Piping the s_client output into that gives:
<pre>
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com
verify return:1
CONNECTED(00000003)
---
</pre>
Part of it looks odd (the CONNECTED line comes out last), but the information I need is there, so that's fine. I put part of this into a shell script, created the input file and ran it.
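As an added example (not the page's own ssl_publisher.sh, which is not shown), here is the same job as a POSIX sh script. The CONNECTED line drifting below the depth= lines in the piped output above is a buffering artifact (stdout is block-buffered when piped, stderr is not), so this version keys on the depth= lines instead, adds SNI via -servername and a timeout for hosts that never answer, and embeds the page's own www.sylow-castle.work output so the parsing can be checked offline. It assumes openssl and the coreutils timeout command are installed.

```shell
#!/bin/sh
# Added example, not the page's ssl_publisher.sh. Assumes openssl and the
# coreutils "timeout" command exist; SAMPLE is the page's own s_client
# output for www.sylow-castle.work, embedded so the parsing runs offline.
# Print only the "depth=N ..." lines up to the first "---". s_client writes
# them to stderr unbuffered but CONNECTED to buffered stdout, so when piped
# (2>&1) CONNECTED drifts below them; keying on "depth=" avoids that.
chain_summary() {
    while IFS= read -r line; do
        case $line in
            ---*)    break ;;
            depth=*) printf '%s\n' "$line" ;;
        esac
    done
}

# CN of the depth=0 (server) certificate, e.g. www.sylow-castle.work.
leaf_cn() {
    chain_summary | awk '/^depth=0 /{sub(/.*CN = /,""); sub(/,.*/,""); print}'
}

# CN of the highest-depth certificate the verifier reached (the root).
root_cn() {
    chain_summary | awk 'NR==1{sub(/.*CN = /,""); sub(/,.*/,""); print}'
}
# Probe one host: -servername sends SNI (a shared host may otherwise hand
# back a default certificate); timeout stops an unreachable host, like
# www.nicovideo.jp on the page, from hanging the whole loop.
probe_host() {
    printf 'Host: %s\n' "$1"
    timeout 10 openssl s_client -connect "$1:443" -servername "$1" \
        </dev/null 2>&1 | chain_summary
    echo ---
}
SAMPLE=$(cat <<'EOF'
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.sylow-castle.work
verify return:1
---
Certificate chain
EOF
)
# Offline demonstration on SAMPLE; host names given as arguments are probed live.
printf '%s\n' "$SAMPLE" | chain_summary
for h in "$@"; do probe_host "$h"; done
```

Run it as `./script.sh $(cat ssl_access_target_hosts)` to get one Host: block per line of the page's input file.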
Results
Run on 26 August 2018.
<pre>
# ssl_publisher.sh: the openssl command plus the while loop above, saved as a script
cat ssl_access_target_hosts | while read -r line; do echo "Host: ${line}"; ssl_publisher.sh "${line}"; done
</pre>
<pre>
Host: www.sylow-castle.work
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.sylow-castle.work
verify return:1
CONNECTED(00000003)
---
Host: www.google.com
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com
verify return:1
CONNECTED(00000003)
---
Host: www.amazon.co.jp
depth=3 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Global CA G2
verify return:1
depth=0 C = US, ST = Washington, L = Seattle, O = "Amazon.com, Inc.", CN = www.amazon.co.jp
verify return:1
CONNECTED(00000003)
---
Host: www.pixiv.net
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
verify return:1
depth=0 C = JP, ST = Tokyo, L = Shibuya-ku, OU = Development department, O = pixiv Inc., CN = *.pixiv.net
verify return:1
CONNECTED(00000003)
---
Host: dotinstall.com
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL RSA CA 2018
verify return:1
depth=0 CN = dotinstall.com
verify return:1
CONNECTED(00000003)
---
Host: o2o.moneykit.net
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
verify return:1
depth=0 businessCategory = Private Organization, jurisdictionC = JP, jurisdictionST = Tokyo, serialNumber = 0100-01-126313, C = JP, ST = Tokyo, L = Chiyoda-ku, O = Sony Bank Incorporated, OU = Members Service A, CN = o2o.moneykit.net
verify return:1
CONNECTED(00000003)
---
Host: www.b-ch.com
depth=4 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
verify return:1
depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
verify return:1
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = www.b-ch.com
verify return:1
CONNECTED(00000003)
---
Host: qiita.com
depth=4 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
verify return:1
depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
verify return:1
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = qiita.com
verify return:1
CONNECTED(00000003)
---
Host: www.4gamer.net
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = JP, O = "Cybertrust Japan Co., Ltd.", CN = Cybertrust Japan Public CA G3
verify return:1
depth=0 C = JP, ST = Tokyo, L = Chuou-ku, O = "Aetas,Inc", CN = *.4gamer.net
verify return:1
CONNECTED(00000003)
---
Host: 5ch.net
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Domain Validation Secure Server CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = ssl365752.cloudflaressl.com
verify return:1
CONNECTED(00000003)
---
Host: secure.sakura.ad.jp
depth=3 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=2 O = "Cybertrust, Inc", CN = Cybertrust Global Root
verify return:1
depth=1 C = JP, O = "Cybertrust Japan Co., Ltd.", CN = Cybertrust Japan EV CA G2
verify return:1
depth=0 jurisdictionC = JP, serialNumber = 1200-01-079845, businessCategory = Private Organization, C = JP, ST = Osaka, L = Osaka-City, O = SAKURA Internet Inc., CN = secure.sakura.ad.jp
verify return:1
CONNECTED(00000003)
---
Host: www.nicovideo.jp
^C
socket: Bad file descriptor
connect:errno=22
Host: www.jorudan.co.jp
depth=3 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018
verify return:1
depth=0 C = JP, ST = TOKYO, L = Shinjuku-ku, O = "JORUDAN CO.,LTD.", OU = Development, CN = *.jorudan.co.jp
verify return:1
CONNECTED(00000003)
---
Host: app.onelogin.com
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = EssentialSSL Wildcard, CN = *.onelogin.com
verify return:1
CONNECTED(00000003)
---
Host: cybozulive.com
depth=3 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.cybozulive.com
verify return:1
CONNECTED(00000003)
---
Host: portal.azure.com
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, OU = Microsoft IT, CN = Microsoft IT TLS CA 5
verify return:1
depth=0 CN = portal.azure.com
verify return:1
CONNECTED(00000003)
---
Host: mackerel.io
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = JP, O = "Cybertrust Japan Co., Ltd.", CN = Cybertrust Japan Public CA G3
verify return:1
depth=0 C = JP, ST = Kyoto, L = Kyoto-shi, O = "Hatena Co., Ltd.", CN = *.mackerel.io
verify return:1
CONNECTED(00000003)
---
Host: anond.hatelabo.jp
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL RSA CA 2018
verify return:1
depth=0 CN = *.hatelabo.jp
verify return:1
CONNECTED(00000003)
---
</pre>
Impressions
- Turns out Niconico Douga was not on HTTPS.
- The root CAs are GeoTrust, GlobalSign and the DigiCert family, it seems.
- Amazon and Google do go through their own CAs, as expected.
- So 5channel was using Cloudflare.
- MS (Azure), Amazon and Google use their own CAs, naturally. But even theirs are not the root CA.
References
- Three commands worth remembering for checking HTTPS connectivity: https://qiita.com/greymd/items/68b0c40044a88171235a