KeyChest Blog

Quick Inspection of Web Endpoints (incl. SSL Expiry Check)

Feb 5, 2020 11:20:25 AM / by Dan

KeyChest is about keeping your business up and running by preventing the expiry of important web services - this is our goal. While it may be prudent to reach an A+ rating in specialised audit tools (like SSL Labs), it will not prevent business downtime 3 months later when the certificate of your super secure ordering service expires.

 

KeyChest gives you all the information you need to keep your online business in good shape. It allows you to plan certificate renewals and tells you when something is going to break and needs a closer look. This protects you from downtime, as you can plan certificate renewals with enough time to resolve any potential problems. Instant audits in KeyChest also help you to set up your servers so that your users, customers, and clients can use them 24x7. We detect issues that may cause random, unexpected problems with access to your web services, and we also provide baseline security information.

In this short post, I want to focus on these instant audits. KeyChest now offers two main types of instant audits - domain and endpoint. While pcviewx sounds too technical as a name, this KeyChest SSL audit certainly gives you an extended view of your servers; maybe kcviewx could work.

This quick and easy-to-use tool integrates several vital audits:

  • SSL expiry check - not only at present; it will also show any gaps in renewals over the last 2 years, and you can add the given certificate to our continuous SSL expiry monitoring;
  • SSL configuration audit - correct SSL bundle configuration, SSL server configuration, latency;
  • a baseline security audit - shows all algorithms supported by the given server.

Endpoint Audit - Step 1

The first step is simply to select the "Instant Audit" item in the menu. It requires registration, which is FREE and only asks for an email and name; you can also use one of the supported social network logins.

All you now have to do is type in a domain name you want to audit - let's say we want to have a look at teams.microsoft.com. Once you click the button it only takes a few seconds to get a summary of the server. It looks like this.

Figure: Instant audit of an endpoint

This server has a very good configuration, so you can't see any error or warning message at the top of the results. The audit will only show what you need to see once it has checked:

  • DNS configuration - resolving IP addresses from your server name;
  • Server configuration - warning if there is no server at all listening at the given server and port;
  • SSL configuration - if your server uses an insecure version (SSL2, SSL3, TLS1.0 or TLS1.1), it will be displayed (see errors below);
  • certificate expiration - how many days till the certificate expires;
  • downtime - downtime during the last 2 years; CT logs data amended with server checks if this data is available;
  • trust chain - whether the server provides a complete chain of certificates needed for validation;
  • certificate issuer - it shows the name of the certificate issuer (if set);
  • list of neighbours - the list of all names in the certificate;
  • hostname match - whether the name(s) in the certificate contain the server's name;
  • HSTS - if HSTS (HTTP Strict Transport Security) is enabled;
  • HTTP redirection - an active redirection, which sends web browsers to another server;
  • IP addresses - a list of all IP addresses available in the KeyChest's geographic region.
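
Several of the checks in this list (certificate expiration, list of neighbours, hostname match, HSTS) can be reproduced locally with Python's standard `ssl` module. This is an added example, not KeyChest's code; the function names and the sample certificate are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(host, port=443, timeout=5.0):
    """Live use: leaf certificate as a dict. The default context raises
    ssl.SSLError for an expired, mismatched or unverifiable certificate chain."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def days_until_expiry(cert, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return (datetime.fromtimestamp(expires, tz=timezone.utc) - now).days

def neighbours(cert):
    """All DNS names in the certificate (the audit's 'list of neighbours')."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def hostname_matches(cert, host):
    """True if host equals a name or fits a wildcard, which covers one label only."""
    host = host.lower().rstrip(".")
    parent = host.split(".", 1)[1] if "." in host else None
    return any(n == host or (n.startswith("*.") and n[2:] == parent)
               for n in neighbours(cert))

def hsts_enabled(headers):
    """True if Strict-Transport-Security is present with max-age greater than 0."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), "")
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return val.isdigit() and int(val) > 0
    return False

# Constructed sample in the shape getpeercert() returns
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "notAfter": "Mar  1 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.example.net")),
}
```

For a live endpoint, pass the result of `fetch_cert(host)` to the same functions in place of `SAMPLE_CERT`.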

I want to mention that at the top of the results, you can see a list of alternative addresses - if there are any. There is one additional IP address for the domain name in the picture above. If you want to audit that, simply click on it and you will get a new set of results.

We have recently expanded the audit information with certificate details, and security-related results. You can now see all the algorithms supported by the server and their strength - we use 4 categories: STRONG, OK, WEAK, BAD. If you can see "BAD" you should certainly review the configuration of the server. The "WEAK" algorithms use SHA-1, which should be replaced with a secure version of SHA-2.

  • STRONG - TLSv1.3 algorithms;
  • OK - strong algorithms of TLSv1.2 with forward secrecy;
  • WEAK - older algorithms using weak ciphers - they are still secure for the purpose of HTTPS but you may want to consider their removal; and
  • BAD - algorithms that can be successfully attacked.
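
One way to apply these four categories to a scan result, together with the insecure protocol versions named in the checklist. This is an added example and not KeyChest's own grading logic: the list of BAD markers and the rule that TLSv1.2 suites without forward secrecy fall into WEAK are assumptions, and the scan result is constructed.

```python
import re

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
# Assumed BAD markers in OpenSSL cipher names: broken or export-grade
# primitives, no encryption, anonymous (unauthenticated) key exchange.
BAD = re.compile(r"(^|-)(RC4|RC2|DES|NULL|EXP|MD5|ADH|AECDH)(-|$)")
FORWARD_SECRET = re.compile(r"^(ECDHE|DHE)-")
ORDER = ["STRONG", "OK", "WEAK", "BAD"]

def grade(protocol, name):
    """Grade one (protocol, OpenSSL cipher name) pair into the post's categories."""
    if BAD.search(name):
        return "BAD"
    if protocol == "TLSv1.3":
        return "STRONG"
    sha1_mac = name.endswith("-SHA")  # a trailing "-SHA" means an HMAC-SHA1 suite
    if protocol == "TLSv1.2" and FORWARD_SECRET.match(name) and not sha1_mac:
        return "OK"
    return "WEAK"

def audit(offered):
    """Summarise a scan: suites per category, legacy protocols, worst grade."""
    suites = {g: [] for g in ORDER}
    for protocol, name in offered:
        suites[grade(protocol, name)].append(name)
    legacy = sorted({p for p, _ in offered if p in LEGACY_PROTOCOLS})
    worst = max((g for g in ORDER if suites[g]), key=ORDER.index, default=None)
    return {"suites": suites, "legacy_protocols": legacy, "worst": worst}

# Constructed scan result: (negotiated protocol, cipher suite name)
OFFERED = [
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("TLSv1.2", "ECDHE-RSA-AES256-SHA"),
    ("TLSv1.2", "AES128-GCM-SHA256"),
    ("TLSv1", "DES-CBC3-SHA"),
]
```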

Step 2 - Check The Certificate

The second step is optional and it requires you to click on the magnifying glass in the results - if present.

Figure: Certificate detail of your endpoint

The report here can get rather long - especially for users on the SCALE and higher price plans, where it will show the whole history of certificates for a given domain name. The picture above shows the main information from the certificate and also the status of its renewal - in this case, it only shows that everything is good for another 2 years.

However, you can see all the IP addresses where we have detected the certificate, the type of the certificate, and other domain names for which it is valid.

So here we go - a pcviewx, or kcviewx, or simply a KeyChest audit in a few button clicks. Oh, I forgot - we store the results so you can open your history tab and share your previous audit results with your colleagues.


Tags: certificate, https, keychest
