vessl is a bash script that can fetch and verify the SSL certificate of a remote server.
It was originally written to script the verification of SSL certificates across a large network.
- vessl will connect to any service that OpenSSL can
- It will extract the certificate and verify it against a given CA PEM file
- It will check that the certificate matches the host it is served from
- It produces a map from IPs to hostnames
- It checks whether the certificate is based on a blacklisted Debian key
- Requires a CA PEM file (see Generating a CA PEM file below)
vessl -h host [-p port] [-c certfile] [-v]
By default the output is three files: the first holds the verification data, the second the certificate, and the third maps IP to SSL hostname, e.g.
18.104.22.168:443, labs.portcullis.co.uk (22.214.171.124)
Generating a CA PEM file
On Gentoo:
emerge ca-certificates
mkdir /etc/certs
cat /usr/share/ca-certificates/mozilla/* > /etc/certs/mozilla.pem
On Debian:
apt-get install ca-certificates
mkdir /etc/certs
cat /usr/share/ca-certificates/mozilla/* > /etc/certs/mozilla.pem