How to check externally if a site/URL is using a Netrust cert (as non-FQDN Netrust certs will be deprecated)

Is there any tool (as an external user) that I could use to verify whether a URL is using
a) a Netrust cert
b) a non-FQDN cert

I'm trying to address the issue below:

Date of Original Advisory:      11 March 2015

Vulnerability Title:
Non-FQDN Certificates are Being Deprecated

Vulnerability Description:
Publicly-trusted certificates issued with a non-fully qualified domain name (non-FQDN) could be used to attack an enterprise using the same name for internal usages.
The CA/Browser Forum decided to mitigate the risk by deprecating the issuance of certificates with non-FQDNs. As defined in the Baseline Requirements, the use of non-FQDNs in publicly trusted certificates is being deprecated by 1 November 2015. Existing certificates containing non-FQDNs will be revoked by all public Certification Authorities by 1 October 2016.
David Johnson, CD, MVP (Owner) commented:
Why be concerned about issued certificates?

This change is from using anything as a Subject name to, at a minimum, using domain validation, where there can be only one publicly available FQDN instead of the thousands if not millions of DC01s that may exist.
btan (Exec Consultant) commented:
On the internet, only fully-qualified domain names are public and routable. The issuance of certificates for non-unique names and addresses, such as “www”, “www.local”, or “” is already deprecated. In fact, the SSL Observatory has listed it and has some scripts (.py and .sql). For info, the SSL Observatory is a project to investigate the certificates used to secure all of the sites encrypted with HTTPS on the Web.

It queries the SSL Observatory database to find certificates with names that are unqualified names (like localhost), local names (like webmail.local), or RFC 1918 IP addresses. It then uses NSS certutil and vfychain to see if the certificates are still valid.

Also, Google Chrome version 30 (as an example) is already showing that. E.g. if the web server has a non-FQDN and an SSL certificate from a public CA, upon browsing the site the Chrome browser will put an ‘X’ through the lock icon and a cross through ‘https’. This is a warning saying “Identity not verified” and “You are connected to a server using a name only valid within your network, which an external authority has no way to validate ownership of.”

The Entrust guidance paper can be handy with its FAQ.
sunhux (Author) commented:
Could I run the openssl utility at the command prompt to find out if a URL is
a) using a Netrust cert
b) using a non-FQDN?

Do provide the exact openssl command syntax.
btan (Exec Consultant) commented:
openssl with x509 can be used to display certificate information, but it does not necessarily flag it as a non-FQDN or Netrust cert. This is a manual check of the subject name, subject alt name (SAN) and issuer fields in the SSL cert.
e.g. Display the contents of a certificate:
openssl x509 -in cert.pem -noout -text
For the SAN, it should show under "X509v3 Subject Alternative Name:" in the text output of the cert of interest.
e.g. X509v3 Subject Alternative Name:,

Some just remove unnecessary options such as the following (added to the cert text listing), so that only the extensions are printed:
openssl x509 -in cert.pem -noout -text -certopt no_header,no_version,no_serial,no_signame,no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_aux
There is also the option of using openssl s_client -connect to an SSL site with "-showcerts"; you should also be able to see the "CN=" there.

Overall, there is the SSL Observatory script shared earlier. Supposedly these cannot be provisioned to a server, unless I understand wrongly, since the FQDN cannot even be resolved for an SSL connection to the subject name. Even online SSL tests using "" can fail... still best to get the cert and check offline... or script a program for that parsing after getting all certs from the web server concerned.
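
As an added example (not code from the thread or from any of the posters), here is the manual check btan describes, the CN, SAN and issuer fields of `openssl x509 -noout -text` output, combined with the non-FQDN definition from the advisory at the top of the thread (unqualified names, local names such as webmail.local, RFC 1918 addresses), turned into a script that classifies each name and flags whether the issuer looks like Netrust. The embedded certificate text is constructed (the issuer DN is invented for the sample), the list of local-only suffixes is an assumption, and the `check_cert.py` file name is hypothetical.

```python
"""
Added example: classify the names in a certificate as public FQDNs or
non-FQDN (internal) names, and flag whether the issuer looks like Netrust.
Input is the text form of the leaf certificate, as produced by the openssl
commands in this thread:

    openssl s_client -connect host:443 -servername host -showcerts </dev/null 2>/dev/null \
        | openssl x509 -noout -text | python3 check_cert.py
"""
import ipaddress
import re
import sys

# Assumption for this example: suffixes that never resolve in public DNS.
# The authoritative test is whether the TLD exists in the IANA root zone,
# which needs the current root-zone list; only well-known local-only
# suffixes are hard-coded here.
NON_PUBLIC_SUFFIXES = (".local", ".localhost", ".localdomain", ".internal",
                       ".lan", ".corp", ".home", ".intranet", ".private")


def is_internal_name(name):
    """True for a non-FQDN in the Baseline Requirements sense: an unqualified
    host name (dc01, www), a reserved local suffix (webmail.local), or a
    private/loopback/link-local IP address (RFC 1918, 127/8, 169.254/16)."""
    name = name.strip().rstrip(".").lower()
    if not name:
        return True
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        pass                                   # not an IP literal: a DNS name
    else:
        return ip.is_private or ip.is_loopback or ip.is_link_local
    if "." not in name:                        # bare host name such as dc01
        return True
    return any(name.endswith(s) for s in NON_PUBLIC_SUFFIXES)


def parse_cert_text(text):
    """Extract issuer, subject CN and DNS/IP SAN entries from
    `openssl x509 -noout -text` output. Both DN spellings ("CN=foo" from
    older OpenSSL and "CN = foo" from 1.1.1+) are accepted."""
    def field(label):
        m = re.search(r"^\s*" + label + r":\s*(.+)$", text, re.M)
        return m.group(1).strip() if m else ""

    issuer, subject = field("Issuer"), field("Subject")
    names = []
    cn = re.search(r"\bCN\s*=\s*([^,/]+)", subject)
    if cn:
        names.append(cn.group(1).strip())
    # The SAN extension prints as a header line followed by one indented line
    # of comma-separated "type:value" entries; keep DNS and IP Address ones.
    san = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    if san:
        for entry in san.group(1).split(","):
            kind, _, value = entry.strip().partition(":")
            if kind in ("DNS", "IP Address"):
                names.append(value.strip())
    return {"issuer": issuer, "subject": subject,
            "names": list(dict.fromkeys(names))}   # dedupe, keep order


def check_cert(text):
    """Answer the thread's two questions for one certificate text."""
    info = parse_cert_text(text)
    internal = [n for n in info["names"] if is_internal_name(n)]
    return {
        "issuer": info["issuer"],
        "names": info["names"],
        "internal_names": internal,
        "non_fqdn": bool(internal),
        # Substring match on the issuer DN is a heuristic; comparing the issuer
        # against Netrust's published CA certificates is the definitive check.
        "netrust_issued": "netrust" in info["issuer"].lower(),
    }


# Constructed sample of `openssl x509 -text` output (not a real certificate;
# the issuer DN is invented for this example).
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4660 (0x1234)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = SG, O = Netrust Pte Ltd, CN = Netrust Example Issuing CA
        Subject: C = SG, O = Example Pte Ltd, CN = dc01
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:dc01, DNS:webmail.local, IP Address:10.0.0.5, DNS:www.example.com
"""


if __name__ == "__main__":
    # Read real openssl output from a pipe; fall back to the constructed sample.
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    result = check_cert(text if text.strip() else SAMPLE_CERT_TEXT)
    print("issuer        :", result["issuer"])
    print("netrust issued:", result["netrust_issued"])
    print("non-FQDN names:", ", ".join(result["internal_names"]) or "none")
```

`openssl s_client -showcerts` prints the whole chain, and `openssl x509` reads only the first PEM block, which is the server's leaf certificate, so the issuer line seen by the script is the CA that issued the leaf; `-servername` is needed for hosts that select their certificate by SNI. The suffix list and the issuer substring match are heuristics, so treat a "non-FQDN" or "Netrust" verdict as something to confirm against the IANA root zone and Netrust's published CA certificates rather than as proof.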

btan (Exec Consultant) commented:
Entrust has "Entrust Discovery", but on a commercial engagement, which may not be enticing if you just want to check a few machines.

Also, ssllabs-scan is available as a command line tool as well (on top of the online one), but as it is a recent release, exporting of results in CSV is yet to be part of it, not to mention the report shown in the online version used by many for web security assessment.
sunhux (Author) commented:
Ok, got it, for e.g.:
openssl s_client -connect <host>:<port> -showcerts