Certificate Operations

Reusable reference for certificate inspection, trust validation, chain retrieval, and controlled management across Linux and Windows systems.

Commands are safe for inspection and controlled remediation. Removal commands must be executed only within approved change scope.

1. ISE Certificate Chain Retrieval

Pull the full certificate chain from Cisco ISE for inspection or trust store installation.

1.1. Pull Chain (Bash)

# Pull full certificate chain from ISE
openssl s_client -connect ise-02.inside.domusdigitalis.dev:443 -showcerts </dev/null
# Save chain to PEM file
openssl s_client -connect ise-02.inside.domusdigitalis.dev:443 -showcerts </dev/null \
  | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' > ise-chain.pem
# Split chain into individual certificates
# (csplit writes an empty ise-cert-00 before the first match; the certificates are ise-cert-01, -02, ...)
csplit -f ise-cert- ise-chain.pem '/BEGIN CERTIFICATE/' '{*}'

1.2. Pull Chain (PowerShell)

# Pull certificate chain from ISE (piping an empty string closes stdin so s_client exits after the handshake)
"" | openssl s_client -connect ise-02.inside.domusdigitalis.dev:443 -showcerts
# Save chain to file (force ASCII: Out-File defaults to UTF-16 on Windows PowerShell, which openssl cannot read back)
"" | openssl s_client -connect ise-02.inside.domusdigitalis.dev:443 -showcerts |
  Out-File -Encoding ascii ise-chain.pem

2. ISE Certificate Chain Inspection

# Inspect each certificate in the chain (skip the empty leading piece csplit creates)
for cert in ise-cert-*; do
    [ -s "$cert" ] || continue
    echo "=== $cert ==="
    openssl x509 -in "$cert" -noout -subject -issuer -dates
    echo ""
done
# Individual inspection (order is as sent by the server: leaf first;
# the root is present only if the server includes it in its chain)
openssl x509 -in ise-cert-01 -noout -subject -issuer -dates   # Leaf (ISE server)
openssl x509 -in ise-cert-02 -noout -subject -issuer -dates   # Intermediate CA
openssl x509 -in ise-cert-03 -noout -subject -issuer -dates   # Root CA

2.1. Verify Chain Against System Trust Store

# Verify ISE leaf certificate against system trust store
openssl verify -CApath /etc/ssl/certs ise-cert-01

# Verify with explicit CA chain
# (-CAfile treats every certificate in the file, intermediate included, as a trust anchor;
#  the stricter form trusts only the root and passes the intermediate with -untrusted)
openssl verify -CAfile ise-chain.pem ise-cert-01
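The retrieval, splitting and verification steps of sections 1 and 2, combined into reusable shell functions. This is an added example, not code from the original runbook: the function names, the -servername (SNI) option and the PREFIX-NN.pem naming scheme are my choices. split_chain copies only the lines between the BEGIN and END markers, so no s_client banner text leaks into a piece and there is no empty leading file; verify_leaf trusts only the root and passes intermediates with -untrusted, which is what a TLS client does.

```shell
#!/bin/sh
# Added example (not part of the original runbook). Host, port, prefix and
# file names are arguments chosen by the caller; nothing here is ISE-specific.

# Fetch the chain a TLS server presents, keeping only the PEM blocks.
# -servername sends SNI, which many servers need to return the right certificate.
fetch_chain() {
  host="$1"; port="${2:-443}"; out="$3"
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$out"
}

# Split a PEM bundle into PREFIX-01.pem, PREFIX-02.pem, ... in the order the
# server sent them (leaf first). Only lines inside BEGIN/END are copied, so
# "depth=" / " 1 s:" chatter between blocks is dropped. Prints the count.
split_chain() {
  bundle="$1"; prefix="$2"
  awk -v p="$prefix" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s-%02d.pem", p, n); inside = 1 }
    inside                        { print > out }
    /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    END                           { print n + 0 }
  ' "$bundle"
}

# verify_leaf LEAF ROOT [INTERMEDIATE ...]
# ROOT is the only trust anchor; every intermediate is passed as -untrusted so
# it must chain to ROOT rather than being trusted on its own.
verify_leaf() {
  leaf="$1"; root="$2"; shift 2
  for inter in "$@"; do shift; set -- "$@" -untrusted "$inter"; done
  openssl verify -CAfile "$root" "$@" "$leaf"
}

# Usage (assumed host and file names):
#   fetch_chain ise-02.example.test 443 ise-chain.pem
#   split_chain ise-chain.pem ise-cert          # -> ise-cert-01.pem, ise-cert-02.pem, ...
#   verify_leaf ise-cert-01.pem ise-cert-03.pem ise-cert-02.pem
```

split_chain prints the number of certificates it wrote; a result of 2 usually means the server sends leaf plus intermediate only, and the root must come from the local trust store rather than from the download.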

3. Linux Trust Store Validation

# Check if Root CA is installed
ls -la /usr/local/share/ca-certificates/ | grep -i HOME-ROOT-CA

# Check Root CA in system trust bundle
openssl x509 -in /etc/ssl/certs/HOME-ROOT-CA.pem -noout -subject -issuer -dates 2>/dev/null \
  || echo "Root CA not found in /etc/ssl/certs"

# Verify machine certificate
openssl x509 -in /etc/ssl/certs/machine.crt -noout -subject -issuer -dates -purpose 2>/dev/null \
  || echo "Machine cert not found"

# Check private key matches certificate (hashes must match; RSA keys only,
# for EC keys compare the public keys with openssl x509 -pubkey / openssl pkey -pubout)
openssl x509 -in /etc/ssl/certs/machine.crt -noout -modulus 2>/dev/null | md5sum
openssl rsa  -in /etc/ssl/private/machine.key  -noout -modulus 2>/dev/null | md5sum

4. Machine Certificate Inspection

4.1. Full Certificate Details

# Full certificate information
openssl x509 -in /etc/ssl/certs/machine.crt -text -noout

# Key fields only
openssl x509 -in /etc/ssl/certs/machine.crt -noout \
  -subject -issuer -dates -serial -fingerprint

4.2. Check Extended Key Usage

# Verify Client Authentication EKU present (anchor the pattern so "SSL client CA" is not matched too)
openssl x509 -in /etc/ssl/certs/machine.crt -noout -purpose | grep "^SSL client :"
# Should show: SSL client : Yes

# Full EKU extension
openssl x509 -in /etc/ssl/certs/machine.crt -text -noout | grep -A1 "Extended Key Usage"
# Should show: TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)

4.3. Check Subject Alternative Names (SANs)

# Extract SANs
openssl x509 -in /etc/ssl/certs/machine.crt -text -noout | grep -A1 "Subject Alternative Name"

4.4. Check Certificate Validity

# Check validity dates
openssl x509 -in /etc/ssl/certs/machine.crt -noout -dates

# Check if certificate is currently valid (-checkend tests notAfter only, not notBefore)
openssl x509 -in /etc/ssl/certs/machine.crt -checkend 0
# Exit status 0 if valid, 1 if expired

# Check if expires in next 30 days (2592000 seconds)
openssl x509 -in /etc/ssl/certs/machine.crt -checkend 2592000
# Exit status 1 if it expires within 30 days

5. Windows Trust Store Validation (PowerShell)

5.1. Machine Certificates (Personal Store)

# List machine certificates with private keys
Get-ChildItem Cert:\LocalMachine\My |
  Where-Object { $_.HasPrivateKey } |
  Select-Object Subject, Thumbprint, NotAfter

# List certificates with Client Authentication EKU
Get-ChildItem Cert:\LocalMachine\My |
  Where-Object {
    $_.HasPrivateKey -and
    $_.EnhancedKeyUsageList.FriendlyName -contains "Client Authentication"
  } |
  Format-List Subject, Issuer, Thumbprint, NotBefore, NotAfter

5.2. Trusted Root CA Store

# Validate Root CA in Trusted Root store
Get-ChildItem Cert:\LocalMachine\Root |
  Where-Object { $_.Subject -match "HOME-ROOT-CA" } |
  Select-Object Subject, Thumbprint, NotAfter

5.3. Intermediate CA Store

# Validate Intermediate CA
Get-ChildItem Cert:\LocalMachine\CA |
  Where-Object { $_.Subject -match "Issuing" } |
  Select-Object Subject, Thumbprint, NotAfter

5.4. Expiring Certificates (Next 60 Days)

Get-ChildItem Cert:\LocalMachine\My |
  Where-Object { $_.NotAfter -lt (Get-Date).AddDays(60) } |
  Select-Object Subject, Thumbprint, NotAfter

6. Certificate Chain Verification

6.1. Verify Full Chain

# Verify machine cert against CA chain
# (succeeds only if machine.crt is issued directly by the root; with an intermediate, use the chain file below)
openssl verify -CAfile /etc/ssl/certs/HOME-ROOT-CA.pem /etc/ssl/certs/machine.crt

# Verify with intermediate CA
openssl verify -CAfile /etc/ssl/certs/ca-chain.pem /etc/ssl/certs/machine.crt

6.2. Build Certificate Chain File

# Combine intermediate and root into chain file
# (a plain > redirect runs as the unprivileged user and fails on /etc/ssl/certs; write through sudo tee)
cat intermediate-ca.crt root-ca.crt | sudo tee /etc/ssl/certs/ca-chain.pem >/dev/null

# Verify chain is complete
openssl verify -CAfile /etc/ssl/certs/ca-chain.pem /etc/ssl/certs/machine.crt

7. Private Key Operations

7.1. Verify Key Matches Certificate

# Compare modulus hashes (must match; RSA keys only)
CERT_MOD=$(openssl x509 -in /etc/ssl/certs/machine.crt -noout -modulus | md5sum | cut -d' ' -f1)
KEY_MOD=$(openssl rsa -in /etc/ssl/private/machine.key -noout -modulus | md5sum | cut -d' ' -f1)

if [ "$CERT_MOD" = "$KEY_MOD" ]; then
    echo "Key matches certificate"
else
    echo "ERROR: Key does NOT match certificate!"
fi
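The modulus comparison in sections 3 and 7.1 works for RSA keys only. The following is an added example, not code from the original runbook, that compares a SHA-256 digest of the SubjectPublicKeyInfo instead, so the same check covers RSA and EC keys. The function names and the paths in the usage comment are assumptions; an encrypted key will prompt for its passphrase unless you add -passin to the openssl pkey call.

```shell
#!/bin/sh
# Added example (not part of the original runbook): does KEY belong to CERT?
# Compares the DER-encoded public key (SPKI) digests, independent of key type.

# Read a PEM public key on stdin, print the SHA-256 of its DER encoding.
spki_digest() {
  openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{ print $NF }'
}

# Public-key digest extracted from a certificate. The PEM is captured first so a
# parse failure surfaces as an error instead of hashing empty input.
cert_spki() {
  pem=$(openssl x509 -in "$1" -noout -pubkey) && [ -n "$pem" ] \
    && printf '%s\n' "$pem" | spki_digest
}

# Public-key digest derived from a private key (RSA, EC or EdDSA).
key_spki() {
  pem=$(openssl pkey -in "$1" -pubout) && [ -n "$pem" ] \
    && printf '%s\n' "$pem" | spki_digest
}

# key_matches_cert CERT KEY: exit 0 on match, 1 on mismatch, 2 if either file
# could not be parsed (so "unreadable" is never mistaken for "matches").
key_matches_cert() {
  c=$(cert_spki "$1") || return 2
  k=$(key_spki "$2") || return 2
  [ "$c" = "$k" ]
}

# Usage (assumed paths):
#   key_matches_cert /etc/ssl/certs/machine.crt /etc/ssl/private/machine.key \
#     && echo "Key matches certificate" || echo "ERROR: key/cert mismatch or unreadable"
```

Because the digest covers the whole SubjectPublicKeyInfo (algorithm identifier included), two keys that share an RSA modulus but differ in public exponent, or an EC key presented under a different curve encoding, also register as a mismatch.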

7.2. Check Key Type and Size

# Key type and size
openssl rsa -in /etc/ssl/private/machine.key -text -noout | head -1
# Should show: RSA Private-Key: (2048 bit) or similar

# Check if key is encrypted
openssl rsa -in /etc/ssl/private/machine.key -check -noout
# If encrypted, will prompt for passphrase

7.3. Remove Passphrase from Key

# Remove passphrase (required for wpa_supplicant); runs as root because /etc/ssl/private is not writable otherwise
sudo openssl rsa -in /etc/ssl/private/machine.key -out /etc/ssl/private/machine-nopass.key

# Set correct permissions
sudo chmod 600 /etc/ssl/private/machine-nopass.key
sudo chown root:root /etc/ssl/private/machine-nopass.key

8. Certificate Format Conversion

8.1. PFX/PKCS#12 to PEM

# Extract certificate (no private key); sudo because the targets are under /etc/ssl
sudo openssl pkcs12 -in machine.pfx -out /etc/ssl/certs/machine.crt -clcerts -nokeys

# Extract private key (unencrypted); restrict it afterwards with chmod 600 as in 7.3
sudo openssl pkcs12 -in machine.pfx -out /etc/ssl/private/machine.key -nocerts -nodes

# Extract CA certificates
sudo openssl pkcs12 -in machine.pfx -out /etc/ssl/certs/ca-chain.crt -cacerts -nokeys

8.2. PEM to PFX/PKCS#12

# Combine cert and key into PFX
openssl pkcs12 -export \
  -in /etc/ssl/certs/machine.crt \
  -inkey /etc/ssl/private/machine.key \
  -certfile /etc/ssl/certs/ca-chain.crt \
  -out machine.pfx

8.3. DER to PEM

# Convert DER to PEM
openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM

# Convert PEM to DER
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER

9. Controlled Certificate Removal

Removal is intended for troubleshooting and validation only. Target certificates by explicit thumbprint. Never use wildcards in production.

9.1. Linux

# Remove from system trust store
sudo rm /usr/local/share/ca-certificates/old-ca.crt
sudo update-ca-certificates --fresh

# Remove machine certificate
sudo rm {cert-dir}/machine.crt
sudo rm {key-dir}/machine.key

9.2. Windows (PowerShell)

# Remove from Personal store (by thumbprint); add -DeleteKey to remove the associated private key as well
Remove-Item Cert:\LocalMachine\My\<THUMBPRINT>

# Remove from Trusted Root store
Remove-Item Cert:\LocalMachine\Root\<THUMBPRINT>

# Remove from Intermediate CA store
Remove-Item Cert:\LocalMachine\CA\<THUMBPRINT>

10. Certificate Expiration Monitoring

10.1. Check Days Until Expiration

#!/bin/bash
# check-cert-expiry.sh - Monitor certificate expiration
# Requires GNU date ("date -d"). Exit 1 inside the warning window, 2 if the certificate is unreadable.

CERT="/etc/ssl/certs/machine.crt"
WARN_DAYS=30

EXPIRY=$(openssl x509 -in "$CERT" -noout -enddate | cut -d= -f2)
[ -n "$EXPIRY" ] || { echo "ERROR: cannot read $CERT"; exit 2; }
EXPIRY_EPOCH=$(date -d "$EXPIRY" +%s)
NOW_EPOCH=$(date +%s)
DAYS_LEFT=$(( (EXPIRY_EPOCH - NOW_EPOCH) / 86400 ))

echo "Certificate: $CERT"
echo "Expires: $EXPIRY"
echo "Days remaining: $DAYS_LEFT"

if [ "$DAYS_LEFT" -lt "$WARN_DAYS" ]; then
    echo "WARNING: Certificate expires in less than $WARN_DAYS days!"
    exit 1
fi

10.2. Cron Job for Monitoring

# Add to crontab - check weekly
0 8 * * 1 /usr/local/bin/check-cert-expiry.sh || echo "Certificate expiring soon!" | mail -s "Cert Alert" admin@example.com
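The monitoring script in 10.1 checks one file and rounds toward zero, so a certificate that expired a few hours ago reports "0 days remaining" rather than expired. The following is an added example, not code from the original runbook, that checks any number of certificates, distinguishes OK / WARN / EXPIRED, and returns the worst status so the cron "|| mail" from 10.2 fires for either case. The function names, the optional NOW argument (epoch seconds, used for testing) and the paths in the usage comment are assumptions; GNU date is required for date -d.

```shell
#!/bin/sh
# Added example (not part of the original runbook): multi-certificate expiry check.

# days_until NOT_AFTER [NOW]
# Whole days from NOW (default: current time) until an OpenSSL notAfter string
# such as "Jan  1 00:00:00 2030 GMT". Rounds toward minus infinity, so anything
# already past notAfter is negative. Returns 2 if the date cannot be parsed.
days_until() {
  not_after="$1"; now="${2:-$(date +%s)}"
  end=$(date -d "$not_after" +%s) || return 2
  secs=$(( end - now ))
  if [ "$secs" -lt 0 ]; then
    echo $(( (secs - 86399) / 86400 ))
  else
    echo $(( secs / 86400 ))
  fi
}

# cert_status CERT [WARN_DAYS] [NOW]
# Prints "<STATUS> <days> <file>"; returns 0 for OK, 1 for WARN, 2 for EXPIRED,
# 3 if the certificate could not be read.
cert_status() {
  cert="$1"; warn_days="${2:-30}"; now="${3:-$(date +%s)}"
  not_after=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null | cut -d= -f2)
  [ -n "$not_after" ] || { echo "UNREADABLE - $cert"; return 3; }
  days=$(days_until "$not_after" "$now") || { echo "UNREADABLE - $cert"; return 3; }
  if [ "$days" -lt 0 ]; then
    echo "EXPIRED $days $cert"; return 2
  elif [ "$days" -lt "$warn_days" ]; then
    echo "WARN $days $cert"; return 1
  else
    echo "OK $days $cert"; return 0
  fi
}

# check_all CERT...  : one line per certificate, exit with the worst status seen.
check_all() {
  worst=0
  for c in "$@"; do
    if cert_status "$c" 30; then rc=0; else rc=$?; fi
    [ "$rc" -gt "$worst" ] && worst=$rc
  done
  return "$worst"
}

# Usage (assumed paths), e.g. from the weekly cron entry in 10.2:
#   check_all /etc/ssl/certs/machine.crt /etc/ssl/certs/ca-chain.pem \
#     || echo "Certificate expiring or expired!" | mail -s "Cert Alert" admin@example.com
```

Pass a fixed NOW to days_until when testing the thresholds, and keep the script's own exit codes distinct (1 warn, 2 expired, 3 unreadable) so the mail subject or a monitoring check can tell an upcoming renewal from an outage.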

11. Quick Reference

Task                        Command
------------------------    ------------------------------------------------
View certificate details    openssl x509 -in cert.pem -text -noout
Check validity dates        openssl x509 -in cert.pem -noout -dates
Verify key matches cert     Compare modulus md5sums (see 7.1)
Pull ISE chain              openssl s_client -connect ise:443 -showcerts
Convert PFX to PEM          openssl pkcs12 -in file.pfx -out file.pem -nodes
Check EKU                   openssl x509 -in cert.pem -noout -purpose
Check expiration            openssl x509 -in cert.pem -checkend 2592000