CertificatesTroubleshoot

Exports all certificate-related information from the Python Docker container and decodes it using RFC. It also retrieves the certificate located in the specified endpoint.

python · Troubleshoot

Source

import demistomock as demisto  # noqa: F401
from CommonServerPython import *  # noqa: F401
import os
import socket
import ssl
from pathlib import Path
from typing import Any
import subprocess
import re
import pem

# mypy: ignore-errors
from cryptography import x509
from cryptography.x509.extensions import ExtensionNotFound
from cryptography.hazmat.backends import default_backend


def parse_certificate_object_identifier_name(certificate: x509.Name, oid: x509.ObjectIdentifier) -> list[str] | None:
    """Get attribute from decoded certificate.

    Args:
        certificate: Certificate as x509.Certificate .
        oid: Enum value from x509.NameOID .

    Returns:
        list: Decoded values.
    """
    attributes = [attr.value for attr in certificate.get_attributes_for_oid(oid)]

    return attributes if attributes else None


def parse_certificate_object_identifier_extentions(certificate: x509.Extensions, oid: x509.ObjectIdentifier) -> list[str] | None:
    """Get attribute from decoded certificate extension.

    Args:
        certificate: Certificate as x509.Certificate .
        oid: Enum value from x509.ExtentionOID .

    Returns:
        list: Decoded values.
    """
    try:
        values = certificate.get_extension_for_oid(oid).value
        attributes = [item.value for item in values]  # type: ignore[attr-defined]
    except ExtensionNotFound:
        attributes = []

    return attributes if attributes else None


def certificate_to_ec(certificate_name: x509.Name) -> dict:
    """Translate abstrcat object x509.Name to entry context.

    Args:
        certificate_name: Issuer or subject.

    Returns:
        dict: Corresponding enrty context.
    """
    return {
        # Contact details
        "EmailAddress": parse_certificate_object_identifier_name(certificate_name, x509.NameOID.EMAIL_ADDRESS),
        "SurName": parse_certificate_object_identifier_name(certificate_name, x509.NameOID.SURNAME),
        # Location related
        "CountryName": parse_certificate_object_identifier_name(certificate_name, x509.NameOID.COUNTRY_NAME),
        "StateOrProvinceName": parse_certificate_object_identifier_name(certificate_name, x509.NameOID.STATE_OR_PROVINCE_NAME),
        "LocalityName": parse_certificate_object_identifier_name(certificate_name, x509.NameOID.LOCALITY_NAME),
        "JurisdictionCountryName": parse_certificate_object_identifier_name(
            certificate_name, x509.NameOID.JURISDICTION_COUNTRY_NAME
        ),
        "JurisdictionLocalityName": parse_certificate_object_identifier_name(
            certificate_name, x509.NameOID.JURISDICTION_LOCALITY_NAME
        ),
        "JurisdictionStateOrProvinceName": parse_certificate_object_identifier_name(
            certificate_name, x509.NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME
        ),
        "PostalAddress": parse_certificate_object_identifier_name(certificate_name, x509.NameOID.POSTAL_ADDRESS),
        "PostalCode": parse_certificate_object_identifier_name(certificate_name, x509.NameOID.POSTAL_CODE),
        "StreetAddress": parse_certificate_object_identifier_name(certificate_name, x509.NameOID.STREET_ADDRESS),
        # Domain / URL
        "DomainNameQualifier": parse_certificate_object_identifier_name(certificate_name, x509.NameOID.DN_QUALIFIER),
        "DomainComponent": parse_certificate_object_identifier_name(certificate_name, x509.NameOID.DOMAIN_COMPONENT),
        "GenerationQualifier": parse_certificate_object_identifier_name(certificate_name, x509.NameOID.GENERATION_QUALIFIER),
        "GivenName": parse_certificate_object_identifier_name(certificate_name, x509.NameOID.GIVEN_NAME),
        "CommonName": parse_certificate_object_identifier_name(certificate_name, x509.NameOID.COMMON_NAME),
        # Business
        "BusinessCategory": parse_certificate_object_identifier_name(certificate_name, x509.NameOID.BUSINESS_CATEGORY),
        "OrganizationName": parse_certificate_object_identifier_name(certificate_name, x509.NameOID.ORGANIZATION_NAME),
        "OrganizationalUnitName": parse_certificate_object_identifier_name(
            certificate_name, x509.NameOID.ORGANIZATIONAL_UNIT_NAME
        ),
        # General
        "Title": parse_certificate_object_identifier_name(certificate_name, x509.NameOID.TITLE),
        "SerialNumber": parse_certificate_object_identifier_name(certificate_name, x509.NameOID.SERIAL_NUMBER),
        "Pseudonym": parse_certificate_object_identifier_name(certificate_name, x509.NameOID.PSEUDONYM),
    }


def certificate_extentions_to_ec(certificate_ext: x509.Extensions) -> dict:
    """Translate abstrcat object x509.Name to entry context.

    Args:
        certificate_ext: Certificate extension.

    Returns:
        dict: Corresponding enrty context.
    """
    return {
        "IssuerAlternativeName": parse_certificate_object_identifier_extentions(
            certificate_ext, x509.ExtensionOID.ISSUER_ALTERNATIVE_NAME
        ),
        "SubjectAlternativeName": parse_certificate_object_identifier_extentions(
            certificate_ext, x509.ExtensionOID.SUBJECT_ALTERNATIVE_NAME
        ),
    }


def parse_certificate(certificate: str) -> dict:
    """Decode certificate from

    Args:
        certificate: certificate as string.

    Returns:
        dict: Corresponding enrty context.
    """
    decode_certificate = x509.load_pem_x509_certificate(certificate.encode(), default_backend())
    return {
        "Raw": certificate,
        "Decode": {
            "Issuer": certificate_to_ec(decode_certificate.issuer),
            "Subject": certificate_to_ec(decode_certificate.subject),
            "Extentions": certificate_extentions_to_ec(decode_certificate.extensions),
            "NotValidBefore": str(decode_certificate.not_valid_before),
            "NotValidAfter": str(decode_certificate.not_valid_after),
            "Version": decode_certificate.version.value,
        },
    }


def parse_all_certificates(certifcates: str) -> list[dict[Any, Any]]:
    """Parse all certificates in a given string.

    Args:
        certifcates: certificates as a single string.

    Returns:
        list: Corresponding enrty context.
    """
    return [parse_certificate(cert.as_text()) for cert in pem.parse(certifcates.encode())]


def docker_container_details() -> dict:
    """Gather docker container SSL/TLS Certificate information (Which set by demisto engine), The following details:
            1. Global veriables which used by requests module:
                a. SSL_CERT_FILE
                b. REQUESTS_CA_BUNDLE
            2. Custom python ssl file located in docker container - SSL_CERT_FILE

    Returns:
        dict: Corresponding enrty context.
    """
    ssl_cert_file_env = os.environ.get("SSL_CERT_FILE")
    custom_certs = []
    if ssl_cert_file_env:
        container_ca_file = Path(ssl_cert_file_env)
        certificates = "" if not container_ca_file.is_file() else container_ca_file.read_text()
        custom_certs = parse_all_certificates(certificates)
        demisto.debug(f"custom certs len: {len(custom_certs)}")
    return {
        "ShellVariables": {
            "SSL_CERT_FILE": os.environ.get("SSL_CERT_FILE"),
            "CERT_FILE": os.environ.get("REQUESTS_CA_BUNDLE"),
        },
        "CustomCertificateAuthorities": custom_certs[:5],
    }


def get_certificates(endpoint: str, port: str) -> str:
    """Download certificate from remote server.

    Args:
        endpoint: url to get certificate from.
        port: endpoint port.

    Returns:
        str: certificate string containing the certs in PEM format.
    """
    mode = demisto.getArg("mode") or "python"
    if mode == "openssl":
        return get_certificate_openssl(endpoint, port)
    else:
        hostname = endpoint
        conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
        sock = context.wrap_socket(conn, server_hostname=hostname)
        sock.settimeout(60)  # make sure we don't get stuck
        sock.connect((hostname, int(port)))
        peer_cert = sock.getpeercert(True)
        if peer_cert:
            return ssl.DER_cert_to_PEM_cert(peer_cert)
        else:
            return ""


def get_certificate_openssl(endpoint, port):
    try:
        debug_args = ["-msg", "-debug"] if is_debug_mode() else []
        demisto.debug("before opening openssl process")
        process = subprocess.Popen(
            ["openssl", "s_client", *debug_args, "-connect", f"{endpoint}:{port}", "-showcerts"],
            text=True,
            stderr=subprocess.STDOUT,
            stdout=subprocess.PIPE,
            stdin=subprocess.PIPE,
        )
        demisto.debug("opened process")
        openssl_res, _ = process.communicate("Q\n", timeout=60)
        demisto.debug(f"openssl process return code {process.returncode}")
        demisto.debug(f"openssl output: {openssl_res}")
        return "\n".join(re.findall(r"^-----BEGIN CERT.*?^-----END CERTIFICATE-----", openssl_res, re.DOTALL | re.MULTILINE))
    except subprocess.TimeoutExpired as e:
        process.kill()  # Terminate the process
        openssl_res, _ = process.communicate()  # Capture any remaining output
        demisto.error(f"openssl command timed out after 60 seconds {e}")
        demisto.error(f"Partial openssl output: {openssl_res}")
        return_error("openssl command timed out, see logs for more details.")


def endpoint_certificate(endpoint: str, port: str) -> dict:
    """Get certificate issuer from endpoint.

    Args:
        endpoint: Enpoint url:port, if no port will be 443 by default.
        port: endpoint port.

    Returns:
        dict: Corresponding enrty context.
    """
    certificates = get_certificates(endpoint, port)
    demisto.debug(f"endpoint: {endpoint} port: {port} certs: {certificates}")
    return {"Identifier": endpoint, "Certificates": parse_all_certificates(certificates)}


def build_human_readable(entry_context: dict) -> str:
    human_readable = ""
    entry_context = entry_context.get("TroubleShoot", {})
    # Engine docker container
    engine: dict = dict_safe_get(entry_context, ["Engine", "SSL/TLS"], {}, dict)
    human_readable += "## Docker container engine - custom certificate\n"
    engine_cer_general = [dict_safe_get(item, ["Decode"]) for item in engine.get("CustomCertificateAuthorities", {})]
    engine_cer_issuer = [dict_safe_get(item, ("Decode", "Issuer")) for item in engine.get("CustomCertificateAuthorities", {})]
    engine_cer_subjects = [dict_safe_get(item, ("Decode", "Subject")) for item in engine.get("CustomCertificateAuthorities", {})]
    engine_cer_extentions = [
        dict_safe_get(item, ("Decode", "Extentions")) for item in engine.get("CustomCertificateAuthorities", {})
    ]
    engine_vars = engine.get("ShellVariables")
    human_readable += tableToMarkdown(name="Enviorment variables", t=engine_vars)
    human_readable += (
        tableToMarkdown(name="General", t=engine_cer_general, headers=["NotValidBefore", "NotValidAfter", "Version"])
        if engine_cer_extentions
        else ""
    )
    human_readable += tableToMarkdown(name="Issuer", t=engine_cer_issuer, removeNull=True) if engine_cer_issuer else ""
    human_readable += tableToMarkdown(name="Subject", t=engine_cer_subjects, removeNull=True) if engine_cer_subjects else ""
    human_readable += (
        tableToMarkdown(name="Extentions", t=engine_cer_extentions, removeNull=True) if engine_cer_extentions else ""
    )
    # Endpoint
    endpoint: dict = entry_context.get("Endpoint", {}).get("SSL/TLS", {})
    endpoint_cer_general = [dict_safe_get(item, ["Decode"]) for item in endpoint.get("Certificates", {})]
    endpoint_cer_issuer = [dict_safe_get(item, ("Decode", "Issuer")) for item in endpoint.get("Certificates", {})]
    endpoint_cer_subject = [dict_safe_get(item, ("Decode", "Subject")) for item in endpoint.get("Certificates", {})]
    endpoint_cer_extentions = [dict_safe_get(item, ("Decode", "Extentions")) for item in endpoint.get("Certificates", {})]
    human_readable += f"\n\n## Endpoint certificate - {endpoint.get('Identifier')}\n"
    human_readable += tableToMarkdown(
        name="General", t=endpoint_cer_general, headers=["NotValidBefore", "NotValidAfter", "Version"]
    )
    human_readable += tableToMarkdown(name="Issuer", t=endpoint_cer_issuer, removeNull=True)
    human_readable += tableToMarkdown(name="Subject", t=endpoint_cer_subject, removeNull=True)
    human_readable += tableToMarkdown(name="Extentions", t=endpoint_cer_extentions, removeNull=True)
    human_readable += "\n"

    return human_readable


def main():
    try:
        entry_context = {
            "TroubleShoot": {
                "Engine": {
                    "SSL/TLS": docker_container_details(),
                },
                "Endpoint": {
                    "SSL/TLS": endpoint_certificate(demisto.getArg("endpoint"), demisto.getArg("port") or "443"),
                },
            }
        }
        human_readable = build_human_readable(entry_context)

        return_outputs(human_readable, entry_context, {})
    except Exception as e:
        return_error(f"Failed to execute Certificate Troubleshoot.\n Error: {str(e)}")


if __name__ in ("__main__", "__builtin__", "builtins"):
    main()

README

This automation exports all custom certificate-related information from the Python Docker container and decode it using RFC. In addition, it will get the certificate located in the specified endpoint.

Notes


After following the tutorial (Cortex XSOAR 6.13) or tutorial (Cortex XSOAR 8 Cloud) or tutorial (Cortex XSOAR 8.7 On-prem) to update your custom certificate in Cortex XSOAR Server/ Cortex XSOAR Engine, validate the configuration applied using this script.

The script supports two modes of operation:

  1. python: Uses the Python built-in SSL library to detect the endpoint’s certificates.
  2. openssl: Uses the OpenSSL client to detect the endpoint’s certificates. Use this mode if the python mode fails for some reason.

When reporting issues always run this script with debug-mode=true and include the debug-mode log file.

Script Data


Name Description
Script Type python3
Tags Utility

Inputs


Argument Name Description
endpoint The endpoint identifier IP address or URL:Port. If the port is not included, 443 will be used by default.
port The endpoint port. Default is 443.
mode Operation mode. Determines how the endpoint is inspected. Either using python built-in SSL or openssl client.

Outputs


Path Description Type
TroubleShoot.Engine.SSL/TLS.ShellVariables.SSL_CERT_FILE The SSL_CERT_FILE environment variable. For example, “/etc/custom-python-ssl/certs.pem” String
TroubleShoot.Engine.SSL/TLS.ShellVariables.CERT_FILE The CERT_FILE environment variable. For example, “/etc/custom-python-ssl/certs.pem”. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.OrganizationalUnitName The unit name of the organization that is the holder of the engine custom SSL certificate. For example, “Content”. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.OrganizationName The name of the organization that is the holder of the engine custom SSL certificate. For example, “Cortex XSOAR”. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.BusinessCategory The business category of the holder of the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.Title The title of the holder of the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.SerialNumber The serial number of the holder of the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.StateOrProvinceName The state or province of the holder of the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.DomainComponent The DNS domain name of the holder of the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.GivenName The given name of the holder of the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.Pseudonym The pseudonym of the holder of the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.JurisdictionStateOrProvinceName The jurisdiction state or province of the holder of the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.GenerationQualifier The generation qualifier of the holder of the engine custom SSL certificate. For example, 3rd generation. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.LocalityName The locality of the holder of the engine custom SSL certificate. For example, “Birmingham”. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.SurName The surname of the holder of the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.CommonName The common name of the holder of the engine custom SSL certificate. For example, “Cortex XSOAR TLS”. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.JurisdictionLocalityName The jurisdiction locality of the holder of the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.StreetAddress The street address of the holder of the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.PostalCode The postal code of the holder of the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.PostalAddress The postal address of the holder of the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.JurisdictionCountryName The jurisdiction country name of the holder of the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.CountryName The country of the holder of the engine custom SSL certificate. For example, “GB”. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.EmailAddress The email address of the holder of the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.DomainNameQualifier The domain name qualifier of the holder of the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.OrganizationalUnitName The unit name of the organization of the authority that issued the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.OrganizationName The name of the organization of the authority that issued the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.BusinessCategory The business category of the authority that issued the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.Title The title of the authority that issued the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.SerialNumber The serial number of the authority that issued the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.StateOrProvinceName The state or province of the authority that issued the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.DomainComponent The DNS domain name of the authority that issued the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.GivenName The given name of the authority that issued the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.Pseudonym The pseudonym of the authority that issued the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.JurisdictionStateOrProvinceName The jurisdiction state or province of the authority that issued the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.GenerationQualifier The generation qualifier of the authority that issued the engine custom SSL certificate. For example, 3rd generation. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.LocalityName The locality of the authority that issued the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.SurName The surname of the authority that issued the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.CommonName The common name of the authority that issued the engine custom SSL certificate. For example, “Cortex XSOAR TLS”. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.JurisdictionLocalityName The jurisdiction locality of the authority that issued the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.StreetAddress The street address of the authority that issued the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.PostalCode The postal code of the authority that issued the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.PostalAddress The postal address of the authority that issued the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.JurisdictionCountryName The jurisdiction country name of the authority that issued the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.CountryName The country of the authority that issued the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.EmailAddress The email address of the authority that issued the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.DomainNameQualifier The domain name qualifier of the authority that issued the engine custom SSL certificate. String
TroubleShoot.Engine.SSL/TLS.Certificates.Decode.Extentions.IssuerAlternativeName The alternate names of the issuer. String
TroubleShoot.Engine.SSL/TLS.Certificates.Decode.Extentions.SubjectAlternativeName The alternate names of the subject. String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.NotValidBefore The beginning of the validity period for the certificate in UTC format. Date
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.NotValidAfter The end of the validity period for the certificate in UTC format. Date
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Version The version of the certificate. Number
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Raw The raw engine custom SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.OrganizationalUnitName The unit name of the organization that is the holder of the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.OrganizationName The name of the organization that is the holder of the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.BusinessCategory The business category of the holder of the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.Title The title of the holder of the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.SerialNumber The serial number of the holder of the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.StateOrProvinceName The state or province of the holder of the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.DomainComponent The DNS domain name of the holder of the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.GivenName The given name of the holder of the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.Pseudonym The pseudonym of the holder of the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.JurisdictionStateOrProvinceName The jurisdiction state or province of the holder of the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.GenerationQualifier The generation qualifier of the holder of the endpoint SSL certificate. For example, 3rd generation. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.LocalityName The locality of the holder of the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.SurName The surname of the holder of the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.CommonName The common name of the holder of the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.JurisdictionLocalityName The jurisdiction locality of the holder of the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.StreetAddress The street address of the holder of the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.PostalCode The postal code of the holder of the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.PostalAddress The postal address of the holder of the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.JurisdictionCountryName The jurisdiction country name of the holder of the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.CountryName The country of the holder of the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.EmailAddress The email address of the holder of the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.DomainNameQualifier The domain name qualifier of the holder of the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.OrganizationalUnitName The unit name of the organization of the authority that issued the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.OrganizationName The name of the organization of the authority that issued the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.BusinessCategory The business category of the authority that issued the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.Title The title of the authority that issued the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.SerialNumber The serial number of the authority that issued the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.StateOrProvinceName The state or province of the authority that issued the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.DomainComponent The DNS domain name of the authority that issued the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.GivenName The given name of the authority that issued the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.Pseudonym The pseudonym of the authority that issued the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.JurisdictionStateOrProvinceName The jurisdiction state or province of the authority that issued the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.GenerationQualifier The generation qualifier of the authority that issued the endpoint SSL certificate. For example, 3rd generation. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.LocalityName The locality of the authority that issued the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.SurName The surname of the authority that issued the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.CommonName The common name of the authority that issued the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.JurisdictionLocalityName The jurisdiction locality of the authority that issued the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.StreetAddress The street address of the authority that issued the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.PostalCode The postal code of the authority that issued the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.PostalAddress The postal address of the authority that issued the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.JurisdictionCountryName The jurisdiction country name of the authority that issued the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.CountryName The country of the authority that issued the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.EmailAddress The email address of the authority that issued the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.DomainNameQualifier The domain name qualifier of the authority that issued the endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Extentions.IssuerAlternativeName The alternate names of the issuer. String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Extentions.SubjectAlternativeName The alternate names of the subject. String
TroubleShoot.Endpoint.SSL/TLS.CustomCertificateAuthorities.Decode.NotValidBefore The beginning of the validity period for the certificate in UTC format. Date
TroubleShoot.Endpoint.SSL/TLS.CustomCertificateAuthorities.Decode.NotValidAfter The end of the validity period for the certificate in UTC format. Date
TroubleShoot.Endpoint.SSL/TLS.CustomCertificateAuthorities.Decode.Version The version of the certificate. Number
TroubleShoot.Endpoint.SSL/TLS.Certificates.Raw The raw endpoint SSL certificate. String
TroubleShoot.Endpoint.SSL/TLS.Identifier The endpoint SSL identifier. String

Command Example

CertificatesTroubleshoot endpoint=google.com port=443

Context Example

{
    "TroubleShoot": {
        "Engine": {
            "SSL/TLS": {
                "ShellVariables": {
                    "SSL_CERT_FILE": "/etc/custom-python-ssl/certs.pem", 
                    "CERT_FILE": "/etc/custom-python-ssl/certs.pem"
                }, 
                "CustomCertificateAuthorities": [
                    {
                        "Decode": {
                            "Subject": {
                                "OrganizationalUnitName": [
                                    "Content"
                                ], 
                                "OrganizationName": [
                                    "Demisto"
                                ], 
                                "BusinessCategory": null, 
                                "Title": null, 
                                "SerialNumber": null, 
                                "StateOrProvinceName": [
                                    "Hamerkaz"
                                ], 
                                "DomainComponent": null, 
                                "GivenName": null, 
                                "Pseudonym": null, 
                                "JurisdictionStateOrProvinceName": null, 
                                "GenerationQualifier": null, 
                                "LocalityName": [
                                    "Tel Aviv"
                                ], 
                                "SurName": null, 
                                "CommonName": [
                                    "Demisto TLS"
                                ], 
                                "JurisdictionLocalityName": null, 
                                "StreetAddress": null, 
                                "PostalCode": null, 
                                "PostalAddress": null, 
                                "JurisdictionCountryName": null, 
                                "CountryName": [
                                    "IL"
                                ], 
                                "EmailAddress": [
                                    "test@gmail.com""
                                ], 
                                "DomainNameQualifier": null
                            }, 
                            "Issuer": {
                                "OrganizationalUnitName": [
                                    "Content"
                                ], 
                                "OrganizationName": [
                                    "Demisto"
                                ], 
                                "BusinessCategory": null, 
                                "Title": null, 
                                "SerialNumber": null, 
                                "StateOrProvinceName": [
                                    "Hamerkaz"
                                ], 
                                "DomainComponent": null, 
                                "GivenName": null, 
                                "Pseudonym": null, 
                                "JurisdictionStateOrProvinceName": null, 
                                "GenerationQualifier": null, 
                                "LocalityName": [
                                    "Tel Aviv"
                                ], 
                                "SurName": null, 
                                "CommonName": [
                                    "Demisto TLS"
                                ], 
                                "JurisdictionLocalityName": null, 
                                "StreetAddress": null, 
                                "PostalCode": null, 
                                "PostalAddress": null, 
                                "JurisdictionCountryName": null, 
                                "CountryName": [
                                    "IL"
                                ], 
                                "EmailAddress": [
                                    "test@gmail.com""
                                ], 
                                "DomainNameQualifier": null
                            }
                        }, 
                        "Raw": "-----BEGIN CERTIFICATE-----\nxxxxx\n-----END CERTIFICATE-----\n"
                    }
                ]
            }
        }, 
        "Endpoint": {
            "SSL/TLS": {
                "Certificates": [
                    {
                        "Decode": {
                            "Subject": {
                                "OrganizationalUnitName": [
                                    "Test"
                                ], 
                                "OrganizationName": [
                                    "Content"
                                ], 
                                "BusinessCategory": null, 
                                "Title": null, 
                                "SerialNumber": null, 
                                "StateOrProvinceName": [
                                    "Demisto"
                                ], 
                                "DomainComponent": null, 
                                "GivenName": null, 
                                "Pseudonym": null, 
                                "JurisdictionStateOrProvinceName": null, 
                                "GenerationQualifier": null, 
                                "LocalityName": null, 
                                "SurName": null, 
                                "CommonName": [
                                    "test.compute-1.amazonaws.com"
                                ], 
                                "JurisdictionLocalityName": null, 
                                "StreetAddress": null, 
                                "PostalCode": null, 
                                "PostalAddress": null, 
                                "JurisdictionCountryName": null, 
                                "CountryName": [
                                    "IL"
                                ], 
                                "EmailAddress": [
                                    "test@gmail.com""
                                ], 
                                "DomainNameQualifier": null
                            }, 
                            "Issuer": {
                                "OrganizationalUnitName": [
                                    "Content"
                                ], 
                                "OrganizationName": [
                                    "Demisto"
                                ], 
                                "BusinessCategory": null, 
                                "Title": null, 
                                "SerialNumber": null, 
                                "StateOrProvinceName": [
                                    "Hamerkaz"
                                ], 
                                "DomainComponent": null, 
                                "GivenName": null, 
                                "Pseudonym": null, 
                                "JurisdictionStateOrProvinceName": null, 
                                "GenerationQualifier": null, 
                                "LocalityName": [
                                    "Tel Aviv"
                                ], 
                                "SurName": null, 
                                "CommonName": [
                                    "Demisto TLS"
                                ], 
                                "JurisdictionLocalityName": null, 
                                "StreetAddress": null, 
                                "PostalCode": null, 
                                "PostalAddress": null, 
                                "JurisdictionCountryName": null, 
                                "CountryName": [
                                    "IL"
                                ], 
                                "EmailAddress": [
                                    "test@gmail.com"
                                ], 
                                "DomainNameQualifier": null
                            }
                        }, 
                        "Raw": "-----BEGIN CERTIFICATE-----\nxxxx\n-----END CERTIFICATE-----\n"
                    }
                ], 
                "Identifier": "test.compute-1.amazonaws.com",
                "NotValidBefore": "2020-09-22 11:37:45",
                "NotValidAfter": "2025-09-21 11:37:45",
                "Version": 0,
                "Extentions: {
                    "IssuerAlternativeName": [*.google.com, *.appengine.google.com],
                    "SubjectAlternativeName": [*.google.com, *.appengine.google.com]
                }
            }
        }
    }
}

Human Readable Output

Docker container engine - custom certificate

Enviorment variables

CERT_FILE SSL_CERT_FILE
/etc/custom-python-ssl/certs.pem /etc/custom-python-ssl/certs.pem

General

NotValidBefore NotValidAfter Version
2020-09-22 15:22:19 2020-12-15 15:22:19 2

Issuer

CommonName CountryName EmailAddress LocalityName OrganizationName OrganizationalUnitName StateOrProvinceName
Demisto TLS IL all@paloaltonetworks.com Tel Aviv Demisto Content Hamerkaz

Subject

CommonName CountryName EmailAddress LocalityName OrganizationName OrganizationalUnitName StateOrProvinceName
Demisto TLS IL all@paloaltonetworks.com Tel Aviv Demisto Content Hamerkaz

Endpoint certificate - ec2.eu.compute-1.amazonaws.com

General

NotValidBefore NotValidAfter Version
2020-09-22 15:22:19 2020-12-15 15:22:19 2

Issuer

CommonName CountryName EmailAddress LocalityName OrganizationName OrganizationalUnitName StateOrProvinceName
Demisto TLS IL all@paloaltonetworks.com Tel Aviv Demisto Content Hamerkaz

Subject

CommonName CountryName EmailAddress OrganizationName OrganizationalUnitName StateOrProvinceName
ec2.eu.compute-1.amazonaws.com IL test@gmail.com Content Test Demisto

Extentions

IssuerAlternativeName
.google.com,.android.com,.appengine.google.com,.bdn.dev,*.cloud.google.com