DEV Community: Rajesh Kothari

How to Discover SSL/TLS Certificates in Your Internal Network

Rajesh Kothari — Wed, 21 May 2025 09:06:48 +0000

Discovery is a crucial step before implementing any SSL/TLS management solution, especially in complex or distributed IT environments.

To identify how many SSL/TLS certificates an organization has — without reaching out to the Certificate Authority (CA) — you can follow a technical discovery approach.

Here's how:

🔍 1. Internal Network Scanning Tools Use network scanning tools to discover certificates in use across internal systems.

Recommended Tools:

Nmap with the ssl-cert script: bash

nmap -p 443 --script ssl-cert <IP-range>

This reveals certificate details (issuer, subject, expiry, etc.).

SSLyze – Fast scanning of SSL endpoints, retrieves cert data.
OpenVAS or Nessus – Enterprise-grade vulnerability scanners that can include cert discovery.

🗂 2. Asset Inventory Systems
Check existing asset or configuration management tools like:

CMDB (Configuration Management Databases)
Endpoint Management tools like Microsoft SCCM or Lansweeper These may contain data on certificate installations or services like IIS, Apache, or NGINX.

🧰 3. Agent-Based Certificate Discovery
Deploy agents that search local machines for certificate stores:

Windows Certificate Stores (certlm.msc, certmgr.msc)
Linux keystores or specific locations like /etc/ssl/, /etc/pki/, etc.

You can automate this with:
PowerShell scripts for Windows environments
Bash scripts or Ansible for Linux environments
(See below code for the same)

🌐 4. Passive Network Monitoring
Use tools that sniff traffic and identify SSL/TLS handshakes:

Wireshark (manual, good for spot-checks)
Zeek (formerly Bro) – Advanced passive analysis, identifies certificates without scanning

These tools detect certs as clients connect to services.

📦 5. Web Application & Server Logs
Check reverse proxies, load balancers (like F5, NGINX, HAProxy), and WAFs.

These often terminate SSL and may log cert details or point to where they're stored.

📊 6. Commercial Certificate Management Solutions
Some solutions offer discovery via:

Network sweepers
Agentless scanning
Integration with APIs or DevOps pipelines

Examples: Venafi, AppViewX, Keyfactor, Sectigo Certificate Manager.

Note: These tools often don’t need the CA's help. They just look at the systems that are using the certificates.

✅ Summary
To discover how many SSL certificates an organization has without contacting the CA, you should:

Use network scans and agent-based discovery
Query certificate stores and configuration files
Leverage logs and monitoring tools
Combine multiple methods for complete visibility

PowerShell Script: Discover Issued Certificates in Windows Personal Store

🔍 Targets

LocalMachine\My (Personal Certificates for System)
CurrentUser\My (Personal Certificates for Logged-in User)

$stores = @(
    "LocalMachine\My",
    "CurrentUser\My"
)

$results = @()

foreach ($store in $stores) {
    $storeScope, $storeName = $store -split "\\"
    $location = if ($storeScope -eq "LocalMachine") {
        [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
    } else {
        [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser
    }

    $x509Store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, $location)
    $x509Store.Open("ReadOnly")

    foreach ($cert in $x509Store.Certificates) {
        if ($cert.HasPrivateKey -and $cert.Subject -ne $null) {
            $results += [PSCustomObject]@{
                Subject      = $cert.Subject
                Issuer       = $cert.Issuer
                Thumbprint   = $cert.Thumbprint
                Expires      = $cert.NotAfter
                FriendlyName = $cert.FriendlyName
                Store        = $store
            }
        }
    }

    $x509Store.Close()
}

$results | Sort-Object Expires | Format-Table –AutoSize

Notes

Run PowerShell as Administrator to access LocalMachine stores.
Modify the $stores array to add more stores if needed (TrustedPeople, AuthRoot, etc.).
You can export results to CSV:

$results | Export-Csv -Path "certificates_report.csv" -NoTypeInformation

Bash Script: Discover Installed SSL/TLS Certificates on Linux

🔍 What it Does:

Scans common system paths where SSL certificates are stored: /etc/ssl/certs, /etc/pki/tls/certs, Apache, NGINX, and custom cert folders
Extracts certificate metadata using openssl
Outputs Subject, Issuer, Expiry Date, and File Path

#!/bin/bash

# Common locations to scan
CERT_DIRS=(
    "/etc/ssl/certs"
    "/etc/pki/tls/certs"
    "/etc/nginx"
    "/etc/apache2"
    "/usr/local/share/ca-certificates"
    "/opt"
)

echo -e "Found certificates:\n"
echo -e "File Path\t\t\tSubject\t\t\tIssuer\t\t\tExpires"

# Scan for certificate files
for DIR in "${CERT_DIRS[@]}"; do
    if [ -d "$DIR" ]; then
        find "$DIR" -type f \( -name "*.crt" -o -name "*.pem" -o -name "*.cer" \) 2>/dev/null | while read -r CERTFILE; do
            if openssl x509 -in "$CERTFILE" -noout &>/dev/null; then
                SUBJECT=$(openssl x509 -in "$CERTFILE" -noout -subject | cut -d'=' -f2-)
                ISSUER=$(openssl x509 -in "$CERTFILE" -noout -issuer | cut -d'=' -f2-)
                EXPIRES=$(openssl x509 -in "$CERTFILE" -noout -enddate | cut -d'=' -f2)
                echo -e "$CERTFILE\t$SUBJECT\t$ISSUER\t$EXPIRES"
            fi
        done
    fi
done

How to Secure Your Intranet with SSL: A Developer’s Guide

Rajesh Kothari — Fri, 09 May 2025 15:05:13 +0000

Introduction:

Intranet applications are often the backbone of an organization’s internal operations—HR systems, project management tools, databases, and more. Yet, many companies overlook securing these internal portals, assuming they are safe behind firewalls. This leaves critical data vulnerable to interception and unauthorized access.

In this guide, we’ll explore the best practices for deploying SSL certificates in intranet environments, with step-by-step explanations on implementation, automation, and regular security audits. Plus, we’ll explain why SecureNT SSL Certificates are a smarter choice over OpenSSL for internal applications.

⸻

1. Why Intranet Applications Need SSL

Many IT teams prioritize SSL for public-facing websites but neglect internal applications. This is a critical oversight. Even within internal networks, man-in-the-middle attacks, packet sniffing, and insider threats are real dangers. SSL encryption ensures that all data transferred within your intranet is secure, even from internal risks.

Key Benefits:

Data encryption across internal apps
Secure authentication for users
Protection against data interception

⸻

2. Step-by-Step SSL Deployment for Internal Applications

Here’s a streamlined approach to deploying SSL certificates across your internal network:

Step 1: Generate a CSR (Certificate Signing Request)

openssl req -new -newkey rsa:2048 -nodes -keyout intranet.key -out intranet.csr
Step 2:

Option 1: Get a Trusted SSL Certificate from a CA - Recommended.

Submit the CSR (intranet.csr) to a Private Certificate Authority (Pvt CA) like SecureNT. You will receive the following files:

intranet.crt → The signed SSL certificate
ca_bundle.crt → CA intermediate certificates

Install the issued SSL certificate:

sudo cp intranet.crt /etc/ssl/certs/ sudo cp intranet.key /etc/ssl/private/ sudo cp ca_bundle.crt /etc/ssl/certs/

Option 2: Generate a Self-Signed SSL Certificate (For Internal Use)

If you want to generate a self-signed certificate for testing or private networks, use this command:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout intranet.key -out intranet.crt

Optional: If you want to create a PFX (PKCS#12) file for Windows Servers or Azure, run:

openssl pkcs12 -export -out intranet.pfx -inkey intranet.key -in intranet.crt

Step 3: Update your web server configuration (e.g., Apache or Nginx)

For Apache:
<VirtualHost *:443> ServerName intranet.example.com SSLEngine on SSLCertificateFile /etc/ssl/certs/intranet.crt SSLCertificateKeyFile /etc/ssl/private/intranet.key </VirtualHost>

For Nginx:

server { listen 443 ssl; server_name intranet.example.com; ssl_certificate /etc/ssl/certs/intranet.crt; ssl_certificate_key /etc/ssl/private/intranet.key; ssl_trusted_certificate /etc/ssl/certs/ca_bundle.crt; }

Step 4: Restart your server
sudo systemctl restart apache2

⸻

3. OpenSSL vs. SecureNT Intranet SSL: Which Is Better?

While OpenSSL is a powerful open-source tool for generating SSL certificates, it’s not ideal for intranet use in corporate settings.

Here’s why:
In the case of Self-Signed Certificates, there is no Trust Chain. The Private Key of the Root CA is stored within the PFX file. And these PFX files are stored on local PC or on Servers. They have no or weak passwords. If anyone with ill intentions gets to access these PFX files, he can manage to get the Private Key. He can use the Private Key to monitor the network traffic in unencrypted form on the internal network using sniffer tools. So, usage of Self-Signed SSL is fraught with severe data security risks.

⸻

4. Automate SSL Certificate Renewal

Manual SSL renewals are error-prone and can lead to expired certificates, causing service disruptions. Automated tools like Certbot can handle OpenSSL certificates, but they still require additional configuration.

sudo certbot renew --quiet

With SecureNT, renewal is handled by prior reminders, ensuring there’s no downtime and no last-minute rush to avoid expiration.

⸻

5. Perform Regular Security Audits

Regular audits are crucial to maintaining secure intranet environments. Tools like Qualys SSL Labs and OpenVAS help you scan for:

Weak ciphers
Expired certificates
Misconfigurations

Example Command:
nmap --script ssl-enum-ciphers -p 443 intranet.example.com

⸻

6. Monitor and Log SSL Activity

Real-time monitoring ensures any suspicious activity is detected early. Use tools like Splunk or Graylog to track:

Failed handshakes
Certificate expiry alerts
Unauthorized access attempts

⸻

Conclusion:

Securing your intranet is not just about ticking a compliance checkbox—it’s about actively protecting your internal data from breaches and unauthorized access. While OpenSSL might be suitable for basic testing and development, SecureNT SSL Certificates provide the reliability, automation, and browser-trusted security needed for real-world intranet environments.