Phase 0: Recon

Phase 0: Recon — Current Certificate Inventory

Quick Inventory

All ISE node certs
netapi ise get-nodes --certs

Per-Node, Per-Port Certificate Check

Admin (443)
openssl s_client -connect {ise-pan-fqdn}:443 </dev/null 2>/dev/null \
  | openssl x509 -noout -subject -issuer -dates -serial -fingerprint -sha256
EAP Authentication (1812)
# Not reachable with s_client: RADIUS on 1812 is UDP and the EAP certificate is only presented
# inside the EAP-TLS/PEAP exchange (openssl has no "-starttls radius", so the command below
# would silently print nothing). Read it in the admin GUI (Administration > System > Certificates
# > System Certificates, usage "EAP Authentication"), or capture it from a PSN with eapol_test
# (wpa_supplicant). The capturing host must be defined as a network device in ISE with the same
# shared secret; -o writes the server certificate chain eapol_test received, leaf first.
eapol_test -c {supplicant.conf} -a {ise-psn-ip} -s {radius-shared-secret} -o /tmp/ise-eap-chain.pem
openssl x509 -in /tmp/ise-eap-chain.pem -noout -subject -issuer -dates
Portal (8443)
openssl s_client -connect {ise-pan-fqdn}:8443 </dev/null 2>/dev/null \
  | openssl x509 -noout -subject -issuer -dates
pxGrid (8910)
openssl s_client -connect {ise-pan-fqdn}:8910 </dev/null 2>/dev/null \
  | openssl x509 -noout -subject -issuer -dates

Days Until Expiry (All Nodes, All TLS Ports)

# 1812 is deliberately absent: RADIUS is UDP and the EAP certificate is never sent in a plain
# TLS handshake, so s_client reports CONNECT FAILED for every node. Read the EAP cert in the
# ISE admin GUI (System Certificates) and enter it in the inventory table by hand.
# date -d is GNU date; on macOS use: date -j -f '%b %e %H:%M:%S %Y %Z' "$expiry" +%s
for host in {ise-pan-fqdn} {ise-psn1-fqdn} {ise-psn2-fqdn}; do
  for port in 443 8443 8910; do
    # -servername sends SNI, so a node fronting several names presents the right certificate
    expiry=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
      | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
    if [[ -n "$expiry" ]]; then
      days=$(( ($(date -d "$expiry" +%s) - $(date +%s)) / 86400 ))
      printf "%-45s port:%-5s %s days (%s)\n" "$host" "$port" "$days" "$expiry"
    else
      printf "%-45s port:%-5s CONNECT FAILED\n" "$host" "$port"
    fi
  done
done

SAN Verification (Confirm Wildcard Is in SAN, NOT CN)

# Why it matters: TLS clients match the hostname against the SAN, not the CN (RFC 6125), and
# some EAP supplicants reject a certificate whose CN is a wildcard. So the CN carries a specific
# FQDN and the wildcard lives only in the SAN.

# Subject CN — should be a specific FQDN like access2.ise.chla.org
openssl s_client -connect {ise-pan-fqdn}:443 </dev/null 2>/dev/null \
  | openssl x509 -noout -subject

# SAN — should contain *.ise.chla.org
# (-ext needs OpenSSL 1.1.1+; on older builds use: openssl x509 -noout -text | grep -A1 'Subject Alternative')
openssl s_client -connect {ise-pan-fqdn}:443 </dev/null 2>/dev/null \
  | openssl x509 -noout -ext subjectAltName

Full Certificate Details

openssl s_client -connect {ise-pan-fqdn}:443 </dev/null 2>/dev/null \
  | openssl x509 -noout -text \
  | grep -E -A1 'Subject:|Issuer:|Not Before|Not After|Subject Alternative|Key Usage|Serial'

Chain Validation

# Split every PEM block s_client prints into its own file. The redirect target is parenthesised;
# an unparenthesised "...-"n".pem" after > is ambiguous in awk and breaks on some implementations.
openssl s_client -connect {ise-pan-fqdn}:443 -servername {ise-pan-fqdn} -showcerts </dev/null 2>/dev/null \
  | awk '/-----BEGIN CERTIFICATE-----/{n++; f=1} f{print > ("/tmp/ise-chain-cert-" n ".pem")} /-----END CERTIFICATE-----/{f=0}'

# cert-1 is the leaf, cert-2.. are the intermediates the node actually sends (the root is usually
# omitted). For a valid chain each file's issuer must equal the next file's subject, and the last
# issuer must be present in the client's trust store.

for f in /tmp/ise-chain-cert-*.pem; do
  echo "=== $f ==="
  openssl x509 -in "$f" -noout -subject -issuer -dates
  echo
done
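The SAN check and the chain dump above stop at printing fields: the runbook never runs openssl verify against what the node serves, and the days-left loop depends on GNU date. The script below is an added example, not part of this runbook and not Cisco's code. It puts the same checks into sh functions that work on PEM files, so they apply equally to a chain saved from openssl s_client -showcerts or to an EAP chain pulled from a node, and it builds its own constructed three-tier PKI (Demo root CA -> Demo inter CA -> a leaf with CN pan.ise.example.net and *.ise.example.net in the SAN; placeholder names, not real nodes) so it can be exercised offline. It assumes only openssl(1) and POSIX sh; days-left is derived from -checkend rather than parsing notAfter with date(1), which avoids the GNU/BSD date difference.

```shell
#!/bin/sh
# Added example, not from the runbook or Cisco: offline certificate checks for an ISE-style
# chain. All names (Demo root CA, Demo inter CA, pan.ise.example.net, *.ise.example.net)
# are constructed placeholders. Requires only openssl(1) and POSIX sh.

make_demo_pki() {  # $1 = scratch dir; builds constructed test data: root -> inter -> leaf
  d=$1; mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  # leaf: specific FQDN in CN, wildcard only in SAN (the convention the runbook expects)
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$d/leaf.ext"
  printf 'subjectAltName=DNS:*.ise.example.net,DNS:pan.ise.example.net\n' >> "$d/leaf.ext"
  for n in root inter leaf; do
    case $n in leaf) cn=pan.ise.example.net ;; *) cn="Demo $n CA" ;; esac
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" -out "$d/$n.csr" \
      -subj "/CN=$cn" >/dev/null 2>&1
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -set_serial 1 -days 3650 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
    -days 1825 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -set_serial 3 \
    -days 90 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
  # same layout as s_client -showcerts output: leaf first, then what the server sends after it
  cat "$d/leaf.pem" "$d/inter.pem" "$d/root.pem" > "$d/chain.pem"
}

split_chain() {  # $1 = PEM bundle (e.g. saved s_client -showcerts output), $2 = output prefix
  # the redirect target is parenthesised: an unparenthesised "p n" after > is ambiguous in awk
  awk -v p="$2" '/-----BEGIN CERTIFICATE-----/ {n++; f=1}
                 f                             {print > (p n ".pem")}
                 /-----END CERTIFICATE-----/   {f=0}' "$1"
}

cert_cn() {  # Subject CN only
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

cert_san_dns() {  # SAN DNS entries, one per line; -text works on builds that lack -ext
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ {getline; print}' \
    | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

wildcard_in_san() { cert_san_dns "$1" | grep -q '^\*\.'; }  # true if a wildcard is in the SAN

cert_days_left() {  # whole days until notAfter (0 if already expired), no date(1) parsing:
  lo=0; hi=20000    # binary search on -checkend, which exits 0 while the cert is valid at now+N s
  while [ "$lo" -lt "$hi" ]; do
    mid=$(( (lo + hi + 1) / 2 ))
    if openssl x509 -in "$1" -noout -checkend $(( mid * 86400 )) >/dev/null 2>&1; then
      lo=$mid
    else
      hi=$(( mid - 1 ))
    fi
  done
  echo "$lo"
}

chain_links_ok() {  # args: cert files leaf first; each issuer must equal the next subject
  prev=""
  for f in "$@"; do
    subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    if [ -n "$prev" ] && [ "$prev" != "$subj" ]; then return 1; fi
    prev=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
  done
  return 0
}

verify_chain() {  # $1 leaf, $2 trusted root, $3 intermediates bundle or "", $4 hostname or ""
  leaf=$1; root=$2; inter=${3:-}; host=${4:-}
  set --
  if [ -n "$inter" ]; then set -- "$@" -untrusted "$inter"; fi
  if [ -n "$host" ]; then set -- "$@" -verify_hostname "$host"; fi   # wildcard SAN matching
  openssl verify -CAfile "$root" "$@" "$leaf" >/dev/null 2>&1
}

report() {  # one inventory row, as the runbook's table wants it: $1 node, $2 leaf cert
  printf '%-24s CN=%-24s wildcard_in_SAN=%-3s days_left=%s\n' "$1" "$(cert_cn "$2")" \
    "$(wildcard_in_san "$2" && echo yes || echo no)" "$(cert_days_left "$2")"
}

if [ "${1:-}" = --demo ]; then
  D=$(mktemp -d); make_demo_pki "$D"; split_chain "$D/chain.pem" "$D/part"
  report pan.ise.example.net "$D/leaf.pem"
  chain_links_ok "$D/part1.pem" "$D/part2.pem" "$D/part3.pem" && echo "issuer/subject links: OK"
  verify_chain "$D/leaf.pem" "$D/root.pem" "$D/inter.pem" psn1.ise.example.net \
    && echo "openssl verify with wildcard hostname psn1.ise.example.net: OK"
  verify_chain "$D/leaf.pem" "$D/root.pem" "" "" || echo "verify without the intermediate: FAIL (expected)"
fi
```

Run it as sh cert-checks.sh --demo to see the report. Against a live node, save the s_client -showcerts output to a file, split_chain it, then call verify_chain on part1.pem with the root from your own trust store, the remaining parts as the intermediates bundle, and the node FQDN as the hostname. A passing chain_links_ok with a failing verify_chain usually means the node sends its intermediate but the root is not trusted by the client, or that the name you connect with is not covered by the SAN.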

Certificate Inventory Table

Fill in after running recon:

Node   Role            CN   SAN   Expiry   Days Left
pan    Admin (443)
pan    EAP (1812)
pan    Portal (8443)
pan    pxGrid (8910)
psn1   Admin (443)
psn1   EAP (1812)