Freeware tool to check if an SSL cert is using SHA-1 or SHA-2

I have a set of a few hundred SSL certs but don't have access to those internal websites/URLs.

Is there any tool to check to read the certs if they're SHA-1 or SHA2 (ie SHA256) ?

The certs content looks like the following:

-----BEGIN CERTIFICATE-----
MIIGjDCCBXSgAwIBAgIEUNMnvTANBgkqhkiG9w0BAQsFADCBujELMAkGA1UEBhMC
VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50
. . .
-----END CERTIFICATE-----


The certs are loaded onto an internal F5 loadbalancer (for intranet) which I don't have access to as well
sunhuxAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

sunhuxAuthor Commented:
I was also given a backup image (in UCS format) of that F5 loadbalancer.

Are the certs the right place to look at them or is there another file/place in
the UCS backup image (which I can extract out using 7zip / WinRAR) to
quickly review if SHA-1 or 2 is used for each of the cert?
Zephyr ICTCloud ArchitectCommented:
So you only have the .csr files?

You can check if they are signed with sha1 or 2 via openssl tool, example:

openssl req -noout -text -in your-cert.csr | grep 'Signature Algorithm' 

Open in new window


If you see sha1WithRSAEncryption the certificate is signed with SHA1
if you see sha256WithRSAEncryption the certificate is signed with SHA2

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
sunhuxAuthor Commented:
Well the files I got domain_FQDNName.crt_abcde_1
where abcde is a 5-digit number

Any idea where I could download a copy of openssl.exe for Win XP ?
Defend Against the Q2 Top Security Threats

Were you aware that overall malware worldwide was down a surprising 42% from Q1'18? Every quarter, the WatchGuard Threat Lab releases an Internet Security Report that analyzes the top threat trends impacting companies worldwide. Learn more by viewing our on-demand webinar today!

Zephyr ICTCloud ArchitectCommented:
You could try to rename the files (loose the 5-digit number)... Or try with the number in place, might work like it is.
You can download Windows binaries in the link I provided above ... or here and here ... Same links.
sunhuxAuthor Commented:
http://indy.fulgan.com/SSL/
I downloaded one of those 32bit windows zip from the above : after unzipping &
tried to run the openssl.exe it gave error below:

C:\openssl101m>openssl.exe
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
OpenSSL>
sunhuxAuthor Commented:
Found the .csr files in the UCS backup image of the LB, they are under the folder
\configsync-2.0-1-Linux-2.6.32279.19.1.6.5.8664.im\config\ssl\ssl.csr

Ok, I just figured that I'll need to ignore the message "cant open config file  .../openssl.cnf"  :
D:\lbf5\cert>c:openssl req -noout -text -in a.b.c.com.csr |find/i "Signat
"
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Unable to load config info from /usr/local/ssl/openssl.cnf
    Signature Algorithm: sha1WithRSAEncryption

So in the above case, it's an  SHA1 cert, right?
Zephyr ICTCloud ArchitectCommented:
Hi, sorry got distracted ...

Yep, that certificate is signed with SHA1 ... Correct
sunhuxAuthor Commented:
We have 3 pairs of F5 LB in 3 different network zones.

For one of the zone, after restoring the entire backup image to my laptop & did
a full search from the top directory, it's weird that there's only a small handful of
cert/csr files only;  I issued  " dir/s *.*csr* " .

What did I miss?  Any idea?  On the 'good' LB, I'll find numerous *.csr files in them

Below is the dir output:

 Directory of D:\lbf5\ZZZ\config\ssl

03/27/2015  10:28 PM    <DIR>          ssl.csr
               0 File(s)              0 bytes

 Directory of D:\lbf5\ZZZ\config\ssl\ssl.csr

06/09/2012  04:31 PM               777 default.csr
05/19/2014  01:01 PM             1,070 www.hrportaluat.com.au.csr
               2 File(s)          1,847 bytes

 Directory of D:\lbf5\ZZZ\var\tmp\filestore_temp\files_d\Common_d\certificate_key_d

05/28/2014  04:00 PM             1,675 _Common_S10397-aaa.oooservice.com.au_CSR.
key_22152_1
               1 File(s)          1,675 bytes

 Directory of D:\lbf5\ZZZ\var\tmp\ts_db.save_dir_21718.cstmp

03/27/2015  09:12 AM                60 ts_db.data.DCC.ACCOUNT_CSRF.cstmp
03/27/2015  09:12 AM                 0 ts_db.data.DCC.ACCOUNT_CSRF_URLS.cstmp
03/27/2015  09:12 AM               355 ts_db.data.DCC.ACCOUNT_CSRF_URLS_REGEXES.cstmp
03/27/2015  09:12 AM               183 ts_db.data.PLC.PL_POLICY_CSRF.cstmp
03/27/2015  09:12 AM                 0 ts_db.data.PLC.PL_POLICY_CSRF_URLS.cstmp
03/27/2015  09:12 AM               598 ts_db.schema.DCC.ACCOUNT_CSRF.cstmp
03/27/2015  09:12 AM               426 ts_db.schema.DCC.ACCOUNT_CSRF_URLS.cstmp
03/27/2015  09:12 AM               430 ts_db.schema.DCC.ACCOUNT_CSRF_URLS_REGEXES.cstmp
03/27/2015  09:12 AM               619 ts_db.schema.PLC.PL_POLICY_CSRF.cstmp
03/27/2015  09:12 AM               366 ts_db.schema.PLC.PL_POLICY_CSRF_URLS.cstmp
              10 File(s)          3,037 bytes
Zephyr ICTCloud ArchitectCommented:
Is it possible this particular F5 was in a zone that doesn't need a lot of certificates? Maybe it's used for more or less than load balancing? Example F5 LTM...
sunhuxAuthor Commented:
I was sure this zone has at least 30+ websites with SSL as our inventory/CMDB
record shows.  I could use IE browser to browse the websites to check the sites
for SHA1/2 but it's much slower & browsing via Internet are often going thru
the CDN/clean pipe providers, so the cert that I got to see is the CDN's cert, right?

On yet another LB, after combing the entire UCS image backup, found numerous
_Common_FullDomainName.crt_abcde_1   files where the FullDomainName
matches those of our but openssl could not retrieve the right info:

D:\lbf5\>c:openssl req -noout -text -in "_Common_www1.iiis.com.au.crt_26985_1" 2> nul |find/i "Signature Algorithm"
4320:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib
.c:696:Expecting: CERTIFICATE REQUEST
sunhuxAuthor Commented:
One other option is to poll directly via Internet using openssl as the other 2 zones
are accessible from Internet but will need some help.  Does the output below
mean it's SHA-1 cert as shown by RC4-SHA ?   If not, what's the exact command?

D:\lbf5c:openssl s_client -connect www.ssss.com.au:443 2>nul |find/i "SHA"
SSL handshake has read 3565 bytes and written 611 bytes
New, TLSv1/SSLv3, Cipher is RC4-SHA
    Cipher    : RC4-SHA
Zephyr ICTCloud ArchitectCommented:
There are websites out on the Internet that automatically check if you have sha1 or sha2 one example is https://shaaaaaaaaaaaaa.com but there are more, I'll list them if I remember them or find them again.

As for RC4-SHA is something else, it's not SHA1 or SHA2, it is however considered very unsafe, better not use it.
Zephyr ICTCloud ArchitectCommented:
I've recently done an export of a F5 Big-IP device, I also found the certificates, but they aren't all there in "plain form", certain certificates don't export well, especially the ones with special characters in them, like wildcards (*.domain.com).

As for the CDN certificates, it could be, depends on the fact if the url changes (to the cdn one), could also be that if the url doesn't change a wildcard certificate is used...
sunhuxAuthor Commented:
If a website goes thru CDN/clean pipe provider before being served to the Internet,
does  https://shaaaaaaaaaaaaa.com  tell us the cert type (ie SHA1 or 2) of the CDN or
the website?
Zephyr ICTCloud ArchitectCommented:
The only way to know for sure is to test it, just fill in the domain here and you'll get a very detailed report on what is (not) good about your domain, where and what kind of certificates are used, it shows all the url's used for the domain, etc ...

Normally you set up cname records for your CDN's, so if these are covered under your certificate (perhaps a wildcard) you should normally see the same certificate for the entire domain and the CDN's.
sunhuxAuthor Commented:
Take an example, if  I key in the following public IP of a website:
  https://www.digicert.com/sha-2-compatibility.htm
in the above link, where does it tell us that the cert is from the CDN or F5 LB or the web
server itself?
Zephyr ICTCloud ArchitectCommented:
I'm not sure digicert has CDN configured, it does have a certificate that is allowed for multiple names

Common names:	www.digicert.com
Alternative names: www.digicert.com digicert.com content.digicert.com www.origin.digicert.com login.digicert.com api.digicert.com

Open in new window


This can therefor be configured on an F5 or the webserver itself, the names are just that names, configured in DNS. As F5 is just in-between device that just load-balances...

Are you trying to connect a certificate to an F5 specifically? To know which F5 it came from?

That will be a difficult thing to do ... You'll need to check user-agents or proxy-agents in the header with wget or curl and even then it will not be a guarantee.

CDN is, as I said, usually a CNAME DNS record, something like cdn.yourdomain.com and cdn1.yourdomain.com and so on ... the real domain behind it is "hidden"... So you get a certificate covering all those CNAMEs and the certificate would be on your server or F5, not coming from the CDN.

So, if your domain has some kind of CNAMEs configured that seem to follow up like cdn1, cdn2 ... or similar, you are using a CDN, the certificate for your domain will include these names or the certificate will be a wildcard...

There is another way to use SSL with CDN as explained here by CloudFlare
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Network Security

From novice to tech pro — start learning today.