github.com/samuelb/ssl-pubkey-fingerprint-exporter

    v0.3.0

# SSL public key fingerprint exporter

This Prometheus exporter allows you to monitor the public key fingerprints of
your SSL certificates.

## Building
```
make
```
The created binaries will end up in the folder `dist/`.

## Docker
```
docker pull basa/ssl-pubkey-fingerprint-exporter
docker run -p 3000:3000 basa/ssl-pubkey-fingerprint-exporter
```

## Metrics
```
# HELP ssl_pubkey_fingerprint SSL certificate publickey SHA-256 fingerprint
# TYPE ssl_pubkey_fingerprint gauge
ssl_pubkey_fingerprint{fingerprint="base64encodedsha256sumofbinarypublickey=",target="example.com:443"} 1
```

## Prometheus

### Scrape configuration
```yaml
scrape_configs:
  - job_name: "ssl-pubkey-fingerprint-exporter"
    metrics_path: /probe
    static_configs:
      - targets:
          - example.com:443
          - https://example.org
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - target_label: __address__
        replacement: ssl-pubkey-fingerprint-exporter:3000
```

### Example PromQL query
```
absent(ssl_pubkey_fingerprint{fingerprint="base64encodedsha256sumofbinarypublickey=",target="example.com:443"})
```

## Getting the SHA-256 fingerprint

Extract the public key SHA-256 fingerprint from a PEM-encoded certificate file:
```sh
openssl x509 -pubkey -noout -in certificate.pem | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
```

Extract the public key SHA-256 fingerprint from an RSA private key file:
```sh
openssl rsa -in certificate.key -pubout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
```

Extract the public key SHA-256 fingerprint from a running HTTPS server:
```sh
servername=example.com; echo Q | openssl s_client -connect $servername:443 -servername $servername | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
```

Last updated on 03 Oct 2022
