How to check externally if a site/URL is using a Netrust cert (as non-FQDN Netrust certs will be deprecated)

Is there any tool (as an external user) that I could use to verify if a URL is using
a) a Netrust cert
b) a non-FQDN

I'm trying to address the issue below:

Date of Original Advisory: 11 March 2015

Vulnerability Title: Non-FQDN Certificates are Being Deprecated
Vulnerability Description: Publicly-trusted certificates issued with a non-fully qualified domain name (non-FQDN) could be used to attack an enterprise using the same name for internal usages.
The CA/Browser Forum decided to mitigate the risk by deprecating the issuance of certificates with non-FQDNs. As defined in the Baseline Requirements, the use of non-FQDNs in publicly trusted certificates is being deprecated by 1 November 2015. Existing certificates containing non-FQDNs will be revoked by all public Certification Authorities by 1 October 2016.
sunhux Asked:

David Johnson, CD, MVP (Owner) Commented:
Why be concerned about netrust.net-issued certificates? https://www.netrust.net/index.php

This is a change from using anything as a Subject name to a minimum of domain validation, where there can be only one publicly available FQDN, vice the thousands, if not millions, of DC01s that may exist.
0
btan (Exec Consultant) Commented:
On the internet, only fully-qualified domain names are public and routable. The issuance of certificates for non-unique names and addresses, such as “www”, “www.local”, or “192.168.0.1” is already deprecated. In fact, the SSL Observatory has listed it and has some scripts (.py and .sql). For info, the SSL Observatory is a project to investigate the certificates used to secure all of the sites encrypted with HTTPS on the Web.

It queries the SSL Observatory database to find certificates with names that are unqualified names (like localhost), local names (like webmail.local), or RFC 1918 IP addresses. It then uses NSS certutil and vfychain to see if the certificates are still valid. http://www.prism.gatech.edu/~gmacon3/ssl-observatory/

Also, Google Chrome version 30 (as an example) is already showing that. E.g. if the web server has a non-FQDN and an SSL certificate from a public CA, upon browsing the site the Chrome browser will put an ‘X’ through the lock icon and a cross through ‘https’. This is a warning saying “Identity not verified” and “You are connected to a server using a name only valid within your network, which an external authority has no way to validate ownership of.”

Entrust's guidance paper can be handy with its FAQ:
http://www.entrust.com/wp-content/uploads/2013/05/WP_FQDN_Deprecation_June2012.pdf
0
sunhux (Author) Commented:
Could I run the openssl utility at the command prompt to find out if a URL is
a) using a Netrust cert
b) using a non-FQDN?

Do provide the exact openssl command syntax.
0

btan (Exec Consultant) Commented:
openssl with x509 can be used to display certificate information, but it does not necessarily flag it as a non-FQDN or Netrust cert. This is a manual check on the subject name, subject alt name (SAN) and issuer field in the SSL cert: https://www.openssl.org/docs/apps/x509.html
e.g. Display the contents of a certificate: openssl x509 -in cert.pem -noout -text
For the SAN, it should be shown under "X509v3 Subject Alternative Name:" in the text of the cert of interest.
e.g. X509v3 Subject Alternative Name: DNS:www.example.com, DNS:example.com

Some just remove unnecessary options, such as (added to the cert text listing):
-certopt no_header,no_version,no_serial,no_signame,no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_aux
There is also another way, using openssl s_client -connect to an SSL site with "-showcerts"; you should also be able to see the "CN=": http://how2ssl.com/articles/openssl_commands_and_tips/

Overall, there is the SSL Observatory script shared earlier. Supposedly these cannot be provisioned to a server, unless I understand wrongly, since the FQDN cannot even be resolved for an SSL connection to the subject name. Even the online SSL test using "https://www.ssllabs.com/ssltest/analyze.html?d=fqdn" can fail... still best to get the cert and check offline... or script a program for that parsing after getting all the certs from the web server concerned.
0

btan (Exec Consultant) Commented:
Entrust has "Entrust Discovery", but on a commercial engagement, which may not be enticing if you just want to check a few machines: http://www.entrust.net/discovery/index.htm

Also, ssllabs-scan is available as a command line tool as well (on top of the online ones), but as it is a recent release, exporting the results as CSV is not yet part of it, not to mention the report shown in the online version used by many for web security assessment:
https://github.com/ssllabs/ssllabs-scan/
0
sunhux (Author) Commented:
OK, got it, e.g.:
openssl s_client -connect www.facebook.com:443 -showcerts
0
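The manual check btan describes (read the Issuer, Subject CN and SAN out of `openssl x509 -text`, then judge by eye whether a name is a bare host, a .local name or an RFC 1918 address) and the `openssl s_client -connect ... -showcerts` pipeline sunhux settled on can be scripted. The following is an added example, not code from the thread or from Netrust/OpenSSL. It parses a constructed `openssl x509 -noout -text` listing (the certificate values are invented), flags names a public CA cannot validate, and treats any issuer whose DN contains "Netrust" as Netrust-issued; the `fetch_cert_text` helper and the list of internal-only suffixes are assumptions, not something the thread specifies.

```python
"""Pull a server certificate with openssl and flag Netrust issuance / non-FQDN names."""
import ipaddress
import re
import subprocess
from typing import Dict, List

# Constructed sample of `openssl x509 -noout -text` output; it is NOT a real
# certificate and the issuer/subject values are made up for this example.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4660 (0x1234)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=SG, O=Netrust Pte Ltd, CN=Example Issuing CA (constructed)
        Validity
            Not Before: Jan  1 00:00:00 2015 GMT
            Not After : Jan  1 00:00:00 2016 GMT
        Subject: C=SG, O=Example Corp, CN=intranet01
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:intranet01, DNS:webmail.local, DNS:www.example.com, IP Address:192.168.0.1
"""

# Suffixes that only resolve inside a private network (assumed list for this example).
LOCAL_SUFFIXES = (".local", ".localhost", ".internal", ".lan", ".corp")


def is_non_fqdn(name: str) -> bool:
    """Return True for names a public CA cannot validate: bare hostnames,
    internal-only suffixes, and private/loopback/link-local IP addresses."""
    name = name.strip().rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(name)
        return ip.is_private or ip.is_loopback or ip.is_link_local
    except ValueError:
        pass  # not an IP literal, treat it as a DNS name
    if "." not in name:  # e.g. "localhost", "DC01", "intranet01"
        return True
    return name.endswith(LOCAL_SUFFIXES)


def parse_cert_text(text: str) -> Dict[str, object]:
    """Extract issuer, subject and the names (CN + SAN) from `openssl x509 -text` output."""
    issuer_m = re.search(r"^\s*Issuer:\s*(.+?)\s*$", text, re.M)
    subject_m = re.search(r"^\s*Subject:\s*(.+?)\s*$", text, re.M)
    issuer = issuer_m.group(1) if issuer_m else ""
    subject = subject_m.group(1) if subject_m else ""
    names: List[str] = []
    cn_m = re.search(r"CN\s*=\s*([^,/]+)", subject)
    if cn_m:
        names.append(cn_m.group(1).strip())
    # The SAN values sit on the line after the extension header.
    san_m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    if san_m:
        for entry in san_m.group(1).split(","):
            kind, _, value = entry.strip().partition(":")
            if kind in ("DNS", "IP Address"):
                names.append(value.strip())
    deduped = list(dict.fromkeys(names))  # keep order, drop repeats
    return {"issuer": issuer, "subject": subject, "names": deduped}


def classify_cert_text(text: str) -> Dict[str, object]:
    """Answer the two questions from the thread for one certificate."""
    info = parse_cert_text(text)
    # Assumption: a Netrust-issued cert carries "Netrust" somewhere in its issuer DN.
    info["netrust_issued"] = "netrust" in str(info["issuer"]).lower()
    info["non_fqdn_names"] = [n for n in info["names"] if is_non_fqdn(n)]
    return info


def fetch_cert_text(host: str, port: int = 443) -> str:
    """Run the openssl pipeline from the thread (needs network and an openssl binary)."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, check=True)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-text"],
                          input=s_client.stdout, capture_output=True, check=True)
    return x509.stdout.decode()


if __name__ == "__main__":
    import sys
    text = fetch_cert_text(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT_TEXT
    result = classify_cert_text(text)
    print("issuer:        ", result["issuer"])
    print("Netrust issued:", result["netrust_issued"])
    print("names:         ", ", ".join(result["names"]))
    print("non-FQDN names:", ", ".join(result["non_fqdn_names"]) or "none")
```

Run it with no arguments to see the constructed sample classified, or with a hostname to fetch and classify the live leaf certificate. As btan notes, a non-FQDN name in the certificate generally will not resolve from outside, so the external fetch only helps when the public FQDN you connect to is listed alongside internal names in the SAN; for the rest, export the certificate from the server and feed the `openssl x509 -text` output to `classify_cert_text` offline.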