
How To Check SSL Certificate [SSL Validation]

Digital certificates are electronic credentials used to certify the identity of people, computers and other entities on a network. Private and public networks are increasingly used to communicate sensitive data and complete critical transactions, which creates a need for greater confidence in the identity of the person, computer or service at the other end of the communication. Digital certificates and public key cryptography identify machines and add authentication and confidentiality to digital communications.

All digital certificates have a finite lifespan and are no longer accepted as valid once they expire. Validity periods vary: publicly trusted TLS certificates are currently capped at 398 days (about 13 months) by the browser root programs, while certificates issued by a private CA may run longer, depending on company policy. At a minimum, certificates need to be replaced before the end of their life to avoid service disruption and weakened security. There are also scenarios where a certificate must be replaced earlier (e.g., private key exposure such as the Heartbleed bug, the SHA-1 end-of-life migration, company mergers, or a change in company policy).

Consequently, managing SSL/TLS certificates across complex networks to ensure protection and prevent unanticipated failures is a requirement for every business. A lifecycle management system ensures a consistent approach and allows for automation, which increases the efficiency and effectiveness of certificate management. It is worth stressing how important valid certificates are: expired certificates can and will cause website outages and downtime, which in turn cause serious reputational damage. Renew certificates that are close to expiring in good time; do not wait until the last moment.

How do I find my SSL certificate?

There are two ways to locate the certificates installed on a Windows server you administer. Before going into specifics, remember that on Windows, installed certificates are kept in certificate stores, containers that hold one or more certificates. Each store exists separately for the local computer and for the current user. The stores you will look in most often are:

  • Personal, which holds certificates associated with private keys to which the user (or, in the Local Computer store, the machine) has access; a web server's own certificate lives here.
  • Trusted Root Certification Authorities, which includes all of the certificates in the Third-Party Root Certification Authorities store, plus root certificates from your own organization and from Microsoft.
  • Intermediate Certification Authorities, which holds certificates issued to subordinate CAs.

To examine the stores on your local device and find a particular certificate, follow the procedure below. Managing the Local Computer stores requires an elevated (administrator) session.

  1. First of all, open the Microsoft Management Console (MMC): open the Command Prompt or the Run dialog as administrator, type mmc and press Enter.
  2. Click the File menu and then select Add/Remove Snap-in.
  3. From the Available snap-ins list, choose Certificates, then select Add.
  4. In the next dialog box, select Computer account and click Next.
  5. Select Local computer and click Finish.
  6. Back at the "Add or Remove Snap-ins" window, click OK.
  7. To view your certificates, select a certificate store in the left pane. The certificates it holds are displayed in the middle pane; the Expiration Date column is the quickest way to spot certificates that need attention.
  8. Double-click a certificate to open the Certificate window, which shows the attributes of the selected certificate: the subject, issuer and validity dates on the General tab, every field (including the Subject Alternative Name) on the Details tab, and whether the chain builds to a trusted root on the Certification Path tab.

Another way to view the installed certificates is to launch the Windows Certificate Manager tool directly.

To view certificates for the local device, open the Run dialog or a command prompt and type certlm.msc. The Certificate Manager tool for the local device appears. Under Certificates - Local Computer in the left pane, expand the folder for the type of certificate you want to view.

To view certificates for the current user, open the Run dialog or a command prompt and type certmgr.msc. The Certificate Manager tool for the current user appears. Under Certificates - Current User in the left pane, expand the folder for the type of certificate you want to view.

Apart from checking your own certificates, it is equally important to be able to determine whether a site you are visiting uses a valid certificate, and what that certificate says. We will use Venafi's site and the Firefox browser as the example.

The first sign to look for is "https" in the URL of the site you are visiting. The "s" means the connection is encrypted with TLS and the server presented a certificate; on its own it does not tell you the certificate is trustworthy. The browser's padlock does: in Firefox, clicking the padlock in the address bar brings up a panel that reports a secure connection only when the certificate chains to a trusted root, matches the host name and is within its validity period. Click the arrow to the right of the panel to view more information about the certificate.

In the case of Extended Validation (EV) certificates, the panel shows identifying information about the organization operating the site. For non-EV certificates, Domain Validated (DV) and Organization Validated (OV), you will only see which Certificate Authority (CA) issued the certificate, in the "Verified by:" section at the bottom of the pop-up. Click the "More Information" link to view more details. Note that Firefox 70 and later no longer give EV certificates a distinct treatment in the address bar; the organization name remains visible in the certificate details.

EV Certificate in Firefox

Non EV certificate in Firefox

This brings you to the security details of the page, where you’ll find more information about the website identity (for EV Certificates, the company name will be listed as the owner) and the protocols, ciphers and keys underlying the encryption.

If you want even more details about the certificate, just click “View Certificate”. On the “Details” tab, you’ll find the certificate hierarchy and can dig through the certificate fields.
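The same check performed without a browser, which is what you need for monitoring. This is an added example and not part of the original article: it opens a TLS connection, records the certificate the server presents and the policy errors Windows finds in it (chain, host name and validity period), and returns them as an object. The host name www.venafi.com is used only because the article uses that site; the function name and the 443 default are assumptions.

```powershell
# Added example (not from the original article): fetch and inspect the certificate a remote
# HTTPS server presents. Works in Windows PowerShell 5.1 and PowerShell 7.
function Get-RemoteTlsCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Capture Windows' verdict on the certificate instead of letting the handshake abort.
        # Returning $true here only lets us read the certificate; it is NOT a trust decision.
        $script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $errors)
            $script:policyErrors = $errors
            return $true
        }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)

        # TLS 1.2 is requested explicitly so the probe never negotiates a deprecated protocol
        # (add Tls13 on .NET 4.8+ / PowerShell 7). $true enables the revocation check.
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)

        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            HostName     = $HostName
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotBefore    = $cert.NotBefore
            NotAfter     = $cert.NotAfter
            DaysLeft     = [int]($cert.NotAfter - (Get-Date)).TotalDays
            Thumbprint   = $cert.Thumbprint
            Protocol     = $ssl.SslProtocol
            # None means chain, host name and validity period all checked out.
            PolicyErrors = $script:policyErrors
            # Browsers match the host against the SAN extension (OID 2.5.29.17), not the CN.
            SANs         = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
                            ForEach-Object { $_.Format($false) })
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Usage: anything with PolicyErrors other than None or a small DaysLeft needs attention.
Get-RemoteTlsCertificate -HostName 'www.venafi.com' | Format-List
```

Because the callback accepts every certificate, this function must never be reused as a real client; it exists to report what a real client would see.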

How do I check if my SSL certificate is valid?

Once you have located the certificates housed on your web server, there are two things to check: that every certificate you rely on is still within its validity period and chains to a trusted root, and that nothing unexpected has been added to the trust stores.

The first option is manual: run certlm.msc, open the Certificates - Local Computer window and go through each store, checking the Expiration Date column in Personal and making sure only legitimate certificates are present under Trusted Root Certification Authorities. It is a time-consuming job but doable.

The second option is the Windows Sysinternals utility sigcheck, which makes a root-store audit easy. Download or update the tool from Microsoft and run it as sigcheck -tv (sigcheck -tuv for the current user's stores). The utility downloads the trusted Microsoft root certificate list and outputs only the certificates in the store that do not chain to a root on that list, which is exactly how rogue or forgotten roots show up. Note that neither option checks the certificate a server actually presents to clients; for that, connect to the server and inspect what it sends.
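An added example (not from the original article) that does what the two manual options cannot: it inventories the Personal store that the "How do I find my SSL certificate?" procedures walk through, flags certificates that are expired, not yet valid or about to expire, and builds the chain for each one the way a relying party would. The 30-day warning threshold, the store path and the function name are assumptions.

```powershell
# Added example (not from the original article): health report for every certificate in a
# store. Run elevated to read the Local Computer store; RevocationMode Online needs network.
function Get-CertificateHealth {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [int]$WarnDays = 30
    )
    $now = Get-Date
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # Build the chain as a relying party would: revocation checked for everything but the root.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
        $chainOk = $chain.Build($cert)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $chain.Reset()

        $daysLeft = [int]($cert.NotAfter - $now).TotalDays
        $state = if ($cert.NotAfter -lt $now)       { 'EXPIRED' }
                 elseif ($cert.NotBefore -gt $now)  { 'NOT YET VALID' }
                 elseif ($daysLeft -le $WarnDays)   { 'EXPIRING' }
                 else                               { 'OK' }

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            DaysLeft      = $daysLeft
            HasPrivateKey = $cert.HasPrivateKey          # a server cert without its key is useless
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            State         = $state
            ChainValid    = $chainOk
            ChainStatus   = if ($chainStatus) { $chainStatus } else { 'NoError' }
        }
    }
}

# Usage: show only what needs attention, soonest expiry first.
Get-CertificateHealth |
    Where-Object { $_.State -ne 'OK' -or -not $_.ChainValid } |
    Sort-Object DaysLeft |
    Format-Table Thumbprint, Subject, State, DaysLeft, ChainStatus -AutoSize
```

Run it against Cert:\LocalMachine\Root as well: a self-signed certificate there that nobody recognises is the same finding sigcheck -tv is designed to surface.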

Checking certificate validity and managing certificates can be a difficult and error-prone process. There are many critical tasks that come with enterprise SSL certificate management, and ignoring or mishandling any one of them can set the stage for a web application exploit.

Unfortunately, many companies still track their digital certificates manually in spreadsheets. This leads to mistakes such as lost, mismatched or mislabeled certificates. Certificates can expire unnoticed, at which point browsers and other clients no longer consider the website or web application trusted. This is a very expensive mistake if the affected web application is public-facing: it damages the organization's reputation, and visitors' browsers may block access to the site entirely. Expiry has been the cause of many high-profile outages and is often one of the last causes administrators investigate, which adds significantly to the downtime.

Another problem arises if the CA that issued the organization's certificates is compromised. The CA's root or intermediate certificate is then distrusted by the browser and operating-system root programs and the CA revokes the affected certificates, so when a client connects to the affected server the certificate no longer validates. Without proper SSL certificate management at the enterprise level, it is impossible to tell how many (if any) of your certificates are affected.

To avoid these certificate management errors and to correct any mistakes that previously occurred while managing certificates, the most effective solution is to use automation. Automated tools can search a network and record all discovered certificates. Such tools can usually assign certificates to business owners and can manage automated renewal of certificates. The software can also check that the certificate was deployed correctly to avoid mistakenly using an old certificate.

How do I remove expired digital certificates?

Once you have found all the certificates on your system, you may have discovered that some have already expired (hopefully not!). To remove expired certificates, whether self-signed or issued by a CA, there are two methods. Before removing anything, confirm that no IIS binding or service still references the certificate (netsh http show sslcert lists the thumbprints bound to HTTPS listeners); deleting a certificate that is still bound breaks the site rather than retiring the certificate quietly.

First method: right-click the expired certificate and select Delete. Repeat this for every expired certificate. A restart is not required for the store change itself, but restart any service that had loaded the certificate (IIS, for example) so that it picks up the replacement.

Second method: right-click the expired certificate, choose Properties, select "Disable all purposes for this certificate" and click Apply. This keeps the certificate in the store (useful for audit, or to decrypt data protected with its key) but stops Windows from using it for any purpose. Again, restart the services that had loaded the certificate once you are done.
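An added example (not part of the original article) that automates the first method while guarding against the most common mistake, deleting a certificate a site is still bound to. It assumes the Local Computer Personal store and an elevated session, and uses netsh http show sslcert, which prints the thumbprint of every certificate HTTP.sys has bound to an HTTPS listener; the function name is an assumption.

```powershell
# Added example (not from the original article): remove expired certificates, but refuse to
# touch any that HTTP.sys (IIS) still has bound. Supports -WhatIf for a dry run.
function Remove-ExpiredCertificate {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    # Thumbprints currently bound to HTTPS listeners, parsed out of the netsh report.
    $boundThumbprints = netsh http show sslcert | ForEach-Object {
        if ($_ -match 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})') { $Matches[1].ToUpper() }
    }

    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath | Where-Object { $_.NotAfter -lt $now }) {
        if ($boundThumbprints -contains $cert.Thumbprint) {
            Write-Warning ("Skipping {0} ({1}): still bound in HTTP.sys. Rebind the site to a " +
                           "current certificate first.") -f $cert.Thumbprint, $cert.Subject
            continue
        }
        $target = "{0} [{1}] expired {2:yyyy-MM-dd}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
        if ($PSCmdlet.ShouldProcess($target, 'Remove certificate')) {
            # -DeleteKey also removes the orphaned private key; omit it if the key must be kept
            # (for example to decrypt data signed or encrypted with it).
            Remove-Item -Path $cert.PSPath -DeleteKey
        }
    }
}

# Preview first, then run for real.
Remove-ExpiredCertificate -WhatIf
# Remove-ExpiredCertificate -Verbose
```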

How to renew SSL certificate

Now that the expired certificates are gone, you need replacements. The procedure depends on whether you are renewing self-signed certificates or certificates issued by a CA.

How to create new self-signed certificate

Although self-signed certificates should not be used on an e-commerce site or any site that handles valuable personal information (credit card numbers, social security numbers, etc.), they can be appropriate in certain situations, such as on an intranet, on an IIS development server or on a personal site with few visitors. The reason is that a self-signed certificate proves nothing to a client that has not already been told to trust it, so browsers warn on every visit.

  1. Click the Start menu, go to Administrative Tools, and click Internet Information Services (IIS) Manager.
  2. Click the name of the server in the Connections column on the left, then double-click Server Certificates.
  3. In the Actions column on the right, click Create Self-Signed Certificate...
  4. Enter any friendly name and click OK.
  5. You have just created a self-signed certificate, valid for one year, listed under Server Certificates. The certificate common name defaults to the server name. Now the certificate needs to be bound to the site.
  6. To bind the new certificate to a site, expand the Sites folder in the Connections column on the left and click the website you want to bind it to. Click Bindings... in the right column.
  7. In the Site Bindings window, click Add...
  8. Change the Type to https and select the certificate you just created. Click OK.
  9. The binding for port 443 is now listed. Click Close.
  10. Finally, add the self-signed certificate to Trusted Root Certification Authorities so that this machine trusts it. Open the Microsoft Management Console (MMC) and create a Certificates snap-in for the Local Computer account (see the steps in the "How do I find my SSL certificate?" section above).
  11. Expand Certificates on the left and expand the Personal folder. Click its Certificates folder, right-click the self-signed certificate you just created and select Copy.
  12. Expand the Trusted Root Certification Authorities folder and click the Certificates folder underneath it. Right-click in the white area below the certificates and click Paste. Note that this only affects the server itself; every other client that must connect without warnings needs the certificate imported into its own trusted root store, which is why a private CA is the better option beyond a handful of machines.
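The same procedure scripted, as an added example that is not the article's own steps. The site name "Default Web Site", the DNS names and the friendly name are assumptions; it needs the IIS WebAdministration module and the New-SelfSignedCertificate cmdlet as found on Windows 10 / Windows Server 2016 and later, run from an elevated session.

```powershell
# Added example (not from the original article): create a self-signed certificate, bind it
# to an IIS site on port 443 and trust it on this machine.
Import-Module WebAdministration

$siteName = 'Default Web Site'                                  # assumption
$dnsNames = @('dev.example.internal', $env:COMPUTERNAME)        # assumption

# Browsers match the host name against the SAN extension, so list every name the site
# answers to. RSA 2048 / SHA-256 / one year mirror the IIS Manager defaults.
$cert = New-SelfSignedCertificate -DnsName $dnsNames `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1) -FriendlyName 'Dev self-signed'

# Create the HTTPS binding if the site does not have one yet, then attach the certificate.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
}
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Trust it locally (steps 10-12 of the procedure). This only affects THIS machine.
$root = [System.Security.Cryptography.X509Certificates.X509Store]::new('Root', 'LocalMachine')
$root.Open('ReadWrite')
$root.Add($cert)
$root.Close()

# Verify that HTTP.sys now serves the new certificate.
netsh http show sslcert | Select-String -Pattern $cert.Thumbprint
```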

How to renew certificates from CAs

If you run your own CA (Active Directory Certificate Services) and need to renew the CA's own certificate, perform the following steps:

  1. From the Microsoft Management Console (MMC) on the CA server, open the Certification Authority snap-in. Right-click the name of the Certification Authority and from the actions menu select All Tasks > Renew CA Certificate.
  2. The Install CA Certificate warning appears, informing you that Active Directory Certificate Services must be stopped. Select Yes.
  3. In the Renew CA Certificate window you can either reuse the existing CA key pair or generate a new one. The default is No, which reuses the current public and private key pair; select Yes to generate a new pair. Reusing the key is the simpler choice and keeps existing CRLs and cross-certificates valid. Generate a new key pair when the key itself must change, for example to move to a stronger key or when the CRL has grown too large (see the next step).
  4. When you choose to generate a new key pair, Windows creates it at the time it generates the new CA certificate, which ensures that the key used to sign the certificates issued by the CA matches the key the CA uses to sign its Certificate Revocation Lists (CRLs). Renewing a CA's certificate with a new key pair therefore also offers a workaround for CRLs that have become too big: the CRL signed with the new key lists only revoked certificates that were issued under the new key, while revocations of older certificates remain in the CRL signed with the previous key, which the CA keeps publishing.
  5. Either way, the CA certificate is now renewed. Check that Active Directory Certificate Services is running again afterwards and publish a fresh CRL.
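The same renewal driven from the command line, as an added example that is not part of the original article. It assumes an elevated session on the CA server itself. certutil's ReuseKeys option corresponds to answering No (reuse the key pair) in the wizard; omitting it corresponds to Yes.

```powershell
# Added example (not from the original article). Run elevated on the CA server.
certutil -cainfo                  # record the current CA certificate details before changing anything

# Renew with the existing key pair (the wizard's "No"). Drop ReuseKeys to generate a new key
# pair (the wizard's "Yes"), for example when the CRL has grown too large.
certutil -renewCert ReuseKeys

# Make sure the CA service is up with the renewed certificate, then publish a fresh CRL so
# relying parties receive one signed by the current CA key.
Restart-Service certsvc
certutil -crl

certutil -cainfo                  # compare with the first output: the renewed certificate is now listed
```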

How Do I Enable TLS

SSL and TLS are both cryptographic protocols that provide authentication and data encryption between servers, machines and applications operating over a network (e.g. a client connecting to a web server). SSL is the predecessor of TLS. Over the years, new versions of the protocols have been released to address vulnerabilities and to support stronger cipher suites and algorithms.

Both SSL 2.0 and 3.0 have been deprecated by the IETF (RFC 6176 in 2011 and RFC 7568 in 2015, respectively). Vulnerabilities continue to be found in the deprecated protocols, POODLE being the best known. TLS uses stronger cipher suites and integrity protection, and TLS 1.0 does not interoperate with SSL 3.0. Modern browsers no longer negotiate SSL 3.0 at all, so a server that offers only the old protocols is simply unreachable for them. For these reasons, you should disable SSL 2.0 and 3.0 in your server configuration, leaving only TLS protocols enabled.

Last but not least, it is important to note that certificates do not depend on the protocol. You do not have to replace "SSL certificates" with "TLS certificates", and you can use the instructions above to locate either. Most vendors simply call them SSL/TLS certificates.

In addition to SSL 2.0 and SSL 3.0, you should also disable TLS 1.0 and TLS 1.1: the major browsers removed support for both in 2020, after TLS 1.3 (RFC 8446) became available, and the IETF formally deprecated them in RFC 8996. The procedure for disabling these protocols is described below.

How Do I Disable SSL 2.0, SSL 3.0 and TLS 1.0?

The procedure is the same for each protocol. We will show how to disable SSL 3.0 and then give the registry values for all three protocols.

  1. On the Windows server, open the Registry Editor (regedit.exe) as administrator.
  2. In the Registry Editor window, go to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\

Note: If the SSL 3.0 key already exists, skip steps 3 and 4.

  3. In the navigation tree, right-click Protocols and, in the pop-up menu, click New > Key.
  4. Name the key SSL 3.0.
  5. Right-click the new SSL 3.0 key, click New > Key and name the key Client.
  6. Right-click Client and click New > DWORD (32-bit) Value.
  7. Name the value DisabledByDefault. Double-click it and, in the Edit DWORD (32-bit) Value window, set Value data to 1 and click OK.
  8. Right-click the SSL 3.0 key again, click New > Key and name the key Server.
  9. Right-click Server and click New > DWORD (32-bit) Value.
  10. Name the value Enabled. Double-click it and, in the Edit DWORD (32-bit) Value window, leave Value data at 0 and click OK.
  11. Restart the Windows server; Schannel reads these values at boot.

Below are the registry values for disabling the SSL 2.0, SSL 3.0 and TLS 1.0 protocols on Windows 10 or Windows Server 2012. Saved to a file with the line "Windows Registry Editor Version 5.00" at the top, they can be imported with regedit.

For SSL 2.0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

For SSL 3.0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

For TLS 1.0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000

Note: in these fragments the Client key carries the DisabledByDefault value and the Server key carries the Enabled value (they are values under the key, not subkeys). A more robust configuration sets both values under both Client and Server, "Enabled"=dword:00000000 together with "DisabledByDefault"=dword:00000001, so that neither an application requesting the protocol explicitly nor a default policy can bring it back. The same layout with TLS 1.1 in place of the protocol name disables TLS 1.1.

How Do I Enable TLS 1.2 on Windows 10?

TLS 1.2 is enabled by default on Windows 8 / Windows 10 and on Windows Server 2012 and later, so the values below only matter if the protocol has been explicitly disabled, or if you want the setting to be explicit for audit purposes. Following the instructions above, create the TLS 1.2 key with Client and Server subkeys and set, under each of them:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
DWORD name: DisabledByDefault
DWORD value: 0
DWORD name: Enabled
DWORD value: 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
(the same two values)

Applications built on the .NET Framework do not necessarily follow the Schannel settings. Set SystemDefaultTlsVersions and SchUseStrongCrypto to 1 (DWORD) under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 and under the Wow6432Node equivalent so that .NET clients and services on the machine negotiate TLS 1.2 as well.

The Benefits of Certificate Automation

SSL/TLS is a critical component of an enterprise's overall security strategy. With the growing number of Internet-connected devices, online portals and services that organizations operate, there are more opportunities for vulnerabilities and a growing number of threats that these systems face.

Organizations today rely on SSL/TLS certificates to secure data in transit for public sites and internal networks alike. System administrators are therefore responsible for numerous certificates, each with its own expiration date, and keeping track of every one of them by hand has become burdensome and unmanageable. For administrators it has become essential to have a single, centralized platform for the installation, deployment, monitoring and overall management of all certificates in their network, regardless of the issuing Certificate Authority (CA). Organizations without proper certificate lifecycle management face security and management gaps.

For certificate lifecycle management to be effective, all certificates need to be consolidated into a single management system such as the Venafi Trust Platform. With this solution in place, administrators can continuously monitor systems and certificates and generate audit reports for governance and compliance purposes. This approach also reduces the overall cost and complexity of managing certificates across a distributed environment.

If the procedures above make your head spin and you want to reap the security benefits of certificate lifecycle management automation, contact Venafi for a tailor-made solution.
