dane_verify_session_crt - Linux


Overview

dane_verify_session_crt is a command-line tool designed to verify the Certificate Transparency (CT) logs associated with a TLS server certificate. It checks whether the certificate’s inclusion in CT logs aligns with the Signed Certificate Timestamp (SCT) requirements specified in the DANE TLSA record for the domain. This tool is valuable for ensuring the authenticity and integrity of TLS certificates in secure communication scenarios.

Syntax

dane_verify_session_crt [options] <certificate_file>

Options/Flags

  • -h, --help: Display usage help and exit.
  • -v, --verbose: Enable verbose mode for detailed output.
  • -d, --domain <domain>: Override the domain derived from the certificate’s Subject Alternative Names (SANs).
  • -p, --port <port>: Specify the port from which the certificate was retrieved.
  • -r, --root-store <file>: Path to the trusted root store (in PEM format) used for certificate verification.
  • -t, --timeout <seconds>: Set a timeout (in seconds) for TLS handshakes and certificate retrievals.
  • -l, --logs <log1,log2,...>: Provide a custom, comma-separated list of CT logs to verify against.
  • -s, --logserver <host>: Specify a custom log server for CT log lookup (e.g., ct.googleapis.com).

Examples

Verify a CT-Compliant TLS Certificate:

dane_verify_session_crt www.example.com.crt

Specify a Custom Log List and Log Server:

dane_verify_session_crt -l google.com,digicert.com -s log.example.org example.com.crt

Override the Derived Domain and Specify Port:

dane_verify_session_crt -d subdomain.example.com -p 443 subdomain.example.com.crt

Common Issues

  • No DANE TLSA record found: Ensure the domain has a TLSA record configured correctly.
  • No CT logs specified in TLSA record: Contact the domain administrator to add CT logs to the TLSA record.
  • Certificate not included in CT logs: Check the certificate’s issuance date and ensure it falls within the maximum log verification window.

Integration

  • Combining with DNS Lookup: Use dig to retrieve the DANE TLSA record and pipe its output to dane_verify_session_crt for verification.
  • Automating TLS Certificate Verification: Create scripts that regularly verify TLS certificates using dane_verify_session_crt and alert if any issues are detected.
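
The dig-to-verifier pipeline and the alerting script described above, written out as an added shell example; this is not code from the original page or from the tool itself. It assumes that dane_verify_session_crt accepts the TLSA record text on standard input (the page only says the dig output is piped to it) and that its exit status is non-zero on failure. The TLSA record string is constructed sample data, and tlsa_usage_name, tlsa_validate, cert_tlsa_digest and verify_domain are names chosen here. The openssl-based digest comparison goes beyond the page: before the tool is called, it recomputes the digest a TLSA record with matching type 1 (SHA-256) or 2 (SHA-512) should carry for the local certificate and alerts on a mismatch, which catches a stale DNS record or a swapped certificate without any network round-trip.

```shell
#!/bin/sh
# Added example, not part of the original page or the tool's own code.
# Parses a DANE TLSA record as printed by `dig +short TLSA _<port>._tcp.<domain>`,
# sanity-checks it, optionally compares it with the local certificate via openssl,
# and hands the record and certificate to dane_verify_session_crt (assumed to read
# the record on stdin and to exit non-zero on failure).

# Constructed sample output of: dig +short TLSA _443._tcp.www.example.com
# (usage 3 = DANE-EE, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256)
SAMPLE_TLSA='3 1 1 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF'

# tlsa_usage_name <usage>: certificate usage field as a name (RFC 6698 section 2.1.1).
tlsa_usage_name() {
  case "$1" in
    0) echo "PKIX-TA" ;;
    1) echo "PKIX-EE" ;;
    2) echo "DANE-TA" ;;
    3) echo "DANE-EE" ;;
    *) echo "unknown"; return 1 ;;
  esac
}

# tlsa_validate "<usage> <selector> <mtype> <hex>": returns 0 only for a well-formed
# record; digest length is checked against the matching type.
tlsa_validate() {
  set -- $1
  [ $# -eq 4 ] || return 1
  case "$1" in 0|1|2|3) ;; *) return 1 ;; esac   # certificate usage
  case "$2" in 0|1) ;; *) return 1 ;; esac       # selector: 0 = full cert, 1 = SPKI
  case "$3" in 0|1|2) ;; *) return 1 ;; esac     # matching type: 0 = raw, 1 = SHA-256, 2 = SHA-512
  hex=$4
  case "$3" in
    1) [ ${#hex} -eq 64 ] || return 1 ;;         # SHA-256: 32 bytes = 64 hex digits
    2) [ ${#hex} -eq 128 ] || return 1 ;;        # SHA-512: 64 bytes = 128 hex digits
  esac
  printf '%s' "$hex" | grep -Eq '^[0-9A-Fa-f]+$' || return 1
  return 0
}

# cert_tlsa_digest <certfile> <selector> <mtype>: the upper-case hex digest a TLSA
# record with this selector and matching type should carry for the certificate.
cert_tlsa_digest() {
  cert=$1; sel=$2; mt=$3
  case "$mt" in 1) alg=sha256 ;; 2) alg=sha512 ;; *) return 1 ;; esac
  { if [ "$sel" = 0 ]; then openssl x509 -in "$cert" -outform DER
    else openssl x509 -in "$cert" -pubkey -noout | openssl pkey -pubin -outform DER; fi; } \
    | openssl dgst -"$alg" | sed 's/^.*= //' | tr 'a-f' 'A-F'
}

# verify_domain <domain> <port> <certfile>: fetch the TLSA record, pre-check it,
# run dane_verify_session_crt, and print an ALERT line with a distinct exit code on
# any failure so a cron job or monitoring hook can act on it.
verify_domain() {
  domain=$1; port=$2; cert=$3
  # Only the first record is checked here; a full monitor would loop over all of them.
  rec=$(dig +short TLSA "_${port}._tcp.${domain}" 2>/dev/null | head -n 1)
  if [ -z "$rec" ]; then
    echo "ALERT: no TLSA record for _${port}._tcp.${domain}" >&2; return 2
  fi
  if ! tlsa_validate "$rec"; then
    echo "ALERT: malformed TLSA record for ${domain}: ${rec}" >&2; return 3
  fi
  set -- $rec
  if command -v openssl >/dev/null 2>&1 && [ -r "$cert" ]; then
    want=$(printf '%s' "$4" | tr 'a-f' 'A-F')
    have=$(cert_tlsa_digest "$cert" "$2" "$3")
    if [ -n "$have" ] && [ "$have" != "$want" ]; then
      echo "ALERT: certificate digest does not match TLSA record for ${domain}" >&2; return 5
    fi
  fi
  if ! printf '%s\n' "$rec" | dane_verify_session_crt -d "$domain" -p "$port" "$cert"; then
    echo "ALERT: dane_verify_session_crt failed for ${domain}:${port}" >&2; return 4
  fi
  echo "OK: ${domain}:${port} ($(tlsa_usage_name "$1"))"
}

# Usage: ./check_dane.sh www.example.com 443 www.example.com.crt
if [ $# -ge 1 ]; then verify_domain "$@"; fi
```

Run it from cron and route the ALERT lines (stderr) to whatever paging or ticketing channel is in use; the exit codes 2 through 5 distinguish a missing record, a malformed record, a verifier failure and a local digest mismatch, which map directly onto the entries under Common Issues.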

Related Commands

  • dig: Retrieve DNS records, including DANE TLSA records.
  • openssl: Manage and verify TLS certificates.
  • dane-tls: Comprehensive toolset for DANE and CT verification.