Skip to main content

CertificatesTroubleshoot

This automation exports all custom certificate-related information from the Python Docker container and decode it using RFC. In addition, it will get the certificate located in the specified endpoint.

Notes#


After following the tutorial to update your custom certificate in Cortex XSOAR Server/ Cortex XSOAR Engine, validate the configuration applied using this script.

The script supports two modes of operation:

  1. python: Uses the Python built-in SSL library to detect the endpoint's certificates.
  2. openssl: Uses the OpenSSL client to detect the endpoint's certificates. Use this mode if the python mode fails for some reason.

When reporting issues always run this script with debug-mode=true and include the debug-mode log file.

Script Data#


NameDescription
Script Typepython3
TagsUtility

Inputs#


Argument NameDescription
endpointThe endpoint identifier IP address or URL:Port. If the port is not included, 443 will be used by default.
portThe endpoint port. Default is 443.
modeOperation mode. Determines how the endpoint is inspected. Either using python built-in SSL or openssl client.

Outputs#


PathDescriptionType
TroubleShoot.Engine.SSL/TLS.ShellVariables.SSL_CERT_FILEThe SSL_CERT_FILE environment variable. For example, "/etc/custom-python-ssl/certs.pem"String
TroubleShoot.Engine.SSL/TLS.ShellVariables.CERT_FILEThe CERT_FILE environment variable. For example, "/etc/custom-python-ssl/certs.pem".String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.OrganizationalUnitNameThe unit name of the organization that is the holder of the engine custom SSL certificate. For example, "Content".String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.OrganizationNameThe name of the organization that is the holder of the engine custom SSL certificate. For example, "Cortex XSOAR".String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.BusinessCategoryThe business category of the holder of the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.TitleThe title of the holder of the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.SerialNumberThe serial number of the holder of the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.StateOrProvinceNameThe state or province of the holder of the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.DomainComponentThe DNS domain name of the holder of the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.GivenNameThe given name of the holder of the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.PseudonymThe pseudonym of the holder of the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.JurisdictionStateOrProvinceNameThe jurisdiction state or province of the holder of the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.GenerationQualifierThe generation qualifier of the holder of the engine custom SSL certificate. For example, 3rd generation.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.LocalityNameThe locality of the holder of the engine custom SSL certificate. For example, "Birmingham".String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.SurNameThe surname of the holder of the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.CommonNameThe common name of the holder of the engine custom SSL certificate. For example, "Cortex XSOAR TLS".String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.JurisdictionLocalityNameThe jurisdiction locality of the holder of the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.StreetAddressThe street address of the holder of the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.PostalCodeThe postal code of the holder of the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.PostalAddressThe postal address of the holder of the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.JurisdictionCountryNameThe jurisdiction country name of the holder of the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.CountryNameThe country of the holder of the engine custom SSL certificate. For example, "GB".String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.EmailAddressThe email address of the holder of the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Subject.DomainNameQualifierThe domain name qualifier of the holder of the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.OrganizationalUnitNameThe unit name of the organization of the authority that issued the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.OrganizationNameThe name of the organization of the authority that issued the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.BusinessCategoryThe business category of the authority that issued the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.TitleThe title of the authority that issued the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.SerialNumberThe serial number of the authority that issued the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.StateOrProvinceNameThe state or province of the authority that issued the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.DomainComponentThe DNS domain name of the authority that issued the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.GivenNameThe given name of the authority that issued the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.PseudonymThe pseudonym of the authority that issued the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.JurisdictionStateOrProvinceNameThe jurisdiction state or province of the authority that issued the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.GenerationQualifierThe generation qualifier of the authority that issued the engine custom SSL certificate. For example, 3rd generation.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.LocalityNameThe locality of the authority that issued the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.SurNameThe surname of the authority that issued the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.CommonNameThe common name of the authority that issued the engine custom SSL certificate. For example, "Cortex XSOAR TLS".String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.JurisdictionLocalityNameThe jurisdiction locality of the authority that issued the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.StreetAddressThe street address of the authority that issued the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.PostalCodeThe postal code of the authority that issued the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.PostalAddressThe postal address of the authority that issued the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.JurisdictionCountryNameThe jurisdiction country name of the authority that issued the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.CountryNameThe country of the authority that issued the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.EmailAddressThe email address of the authority that issued the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.Issuer.DomainNameQualifierThe domain name qualifier of the authority that issued the engine custom SSL certificate.String
TroubleShoot.Engine.SSL/TLS.Certificates.Decode.Extentions.IssuerAlternativeNameThe alternate names of the issuer.String
TroubleShoot.Engine.SSL/TLS.Certificates.Decode.Extentions.SubjectAlternativeNameThe alternate names of the subject.String
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.NotValidBeforeThe beginning of the validity period for the certificate in UTC format.Date
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.NotValidAfterThe end of the validity period for the certificate in UTC format.Date
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.Decode.VersionThe version of the certificate.Number
TroubleShoot.Engine.SSL/TLS.CustomCertificateAuthorities.RawThe raw engine custom SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.OrganizationalUnitNameThe unit name of the organization that is the holder of the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.OrganizationNameThe name of the organization that is the holder of the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.BusinessCategoryThe business category of the holder of the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.TitleThe title of the holder of the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.SerialNumberThe serial number of the holder of the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.StateOrProvinceNameThe state or province of the holder of the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.DomainComponentThe DNS domain name of the holder of the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.GivenNameThe given name of the holder of the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.PseudonymThe pseudonym of the holder of the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.JurisdictionStateOrProvinceNameThe jurisdiction state or province of the holder of the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.GenerationQualifierThe generation qualifier of the holder of the endpoint SSL certificate. For example, 3rd generation.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.LocalityNameThe locality of the holder of the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.SurNameThe surname of the holder of the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.CommonNameThe common name of the holder of the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.JurisdictionLocalityNameThe jurisdiction locality of the holder of the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.StreetAddressThe street address of the holder of the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.PostalCodeThe postal code of the holder of the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.PostalAddressThe postal address of the holder of the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.JurisdictionCountryNameThe jurisdiction country name of the holder of the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.CountryNameThe country of the holder of the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.EmailAddressThe email address of the holder of the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Subject.DomainNameQualifierThe domain name qualifier of the holder of the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.OrganizationalUnitNameThe unit name of the organization of the authority that issued the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.OrganizationNameThe name of the organization of the authority that issued the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.BusinessCategoryThe business category of the authority that issued the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.TitleThe title of the authority that issued the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.SerialNumberThe serial number of the authority that issued the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.StateOrProvinceNameThe state or province of the authority that issued the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.DomainComponentThe DNS domain name of the authority that issued the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.GivenNameThe given name of the authority that issued the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.PseudonymThe pseudonym of the authority that issued the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.JurisdictionStateOrProvinceNameThe jurisdiction state or province of the authority that issued the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.GenerationQualifierThe generation qualifier of the authority that issued the endpoint SSL certificate. For example, 3rd generation.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.LocalityNameThe locality of the authority that issued the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.SurNameThe surname of the authority that issued the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.CommonNameThe common name of the authority that issued the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.JurisdictionLocalityNameThe jurisdiction locality of the authority that issued the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.StreetAddressThe street address of the authority that issued the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.PostalCodeThe postal code of the authority that issued the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.PostalAddressThe postal address of the authority that issued the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.JurisdictionCountryNameThe jurisdiction country name of the authority that issued the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.CountryNameThe country of the authority that issued the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.EmailAddressThe email address of the authority that issued the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Issuer.DomainNameQualifierThe domain name qualifier of the authority that issued the endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Extentions.IssuerAlternativeNameThe alternate names of the issuer.String
TroubleShoot.Endpoint.SSL/TLS.Certificates.Decode.Extentions.SubjectAlternativeNameThe alternate names of the subject.String
TroubleShoot.Endpoint.SSL/TLS.CustomCertificateAuthorities.Decode.NotValidBeforeThe beginning of the validity period for the certificate in UTC format.Date
TroubleShoot.Endpoint.SSL/TLS.CustomCertificateAuthorities.Decode.NotValidAfterThe end of the validity period for the certificate in UTC format.Date
TroubleShoot.Endpoint.SSL/TLS.CustomCertificateAuthorities.Decode.VersionThe version of the certificate.Number
TroubleShoot.Endpoint.SSL/TLS.Certificates.RawThe raw endpoint SSL certificate.String
TroubleShoot.Endpoint.SSL/TLS.IdentifierThe endpoint SSL identifier.String

Command Example#

CertificatesTroubleshoot endpoint=google.com port=443

Context Example#

{
"TroubleShoot": {
"Engine": {
"SSL/TLS": {
"ShellVariables": {
"SSL_CERT_FILE": "/etc/custom-python-ssl/certs.pem",
"CERT_FILE": "/etc/custom-python-ssl/certs.pem"
},
"CustomCertificateAuthorities": [
{
"Decode": {
"Subject": {
"OrganizationalUnitName": [
"Content"
],
"OrganizationName": [
"Demisto"
],
"BusinessCategory": null,
"Title": null,
"SerialNumber": null,
"StateOrProvinceName": [
"Hamerkaz"
],
"DomainComponent": null,
"GivenName": null,
"Pseudonym": null,
"JurisdictionStateOrProvinceName": null,
"GenerationQualifier": null,
"LocalityName": [
"Tel Aviv"
],
"SurName": null,
"CommonName": [
"Demisto TLS"
],
"JurisdictionLocalityName": null,
"StreetAddress": null,
"PostalCode": null,
"PostalAddress": null,
"JurisdictionCountryName": null,
"CountryName": [
"IL"
],
"EmailAddress": [
"test@gmail.com""
],
"DomainNameQualifier": null
},
"Issuer": {
"OrganizationalUnitName": [
"Content"
],
"OrganizationName": [
"Demisto"
],
"BusinessCategory": null,
"Title": null,
"SerialNumber": null,
"StateOrProvinceName": [
"Hamerkaz"
],
"DomainComponent": null,
"GivenName": null,
"Pseudonym": null,
"JurisdictionStateOrProvinceName": null,
"GenerationQualifier": null,
"LocalityName": [
"Tel Aviv"
],
"SurName": null,
"CommonName": [
"Demisto TLS"
],
"JurisdictionLocalityName": null,
"StreetAddress": null,
"PostalCode": null,
"PostalAddress": null,
"JurisdictionCountryName": null,
"CountryName": [
"IL"
],
"EmailAddress": [
"test@gmail.com""
],
"DomainNameQualifier": null
}
},
"Raw": "-----BEGIN CERTIFICATE-----\nxxxxx\n-----END CERTIFICATE-----\n"
}
]
}
},
"Endpoint": {
"SSL/TLS": {
"Certificates": [
{
"Decode": {
"Subject": {
"OrganizationalUnitName": [
"Test"
],
"OrganizationName": [
"Content"
],
"BusinessCategory": null,
"Title": null,
"SerialNumber": null,
"StateOrProvinceName": [
"Demisto"
],
"DomainComponent": null,
"GivenName": null,
"Pseudonym": null,
"JurisdictionStateOrProvinceName": null,
"GenerationQualifier": null,
"LocalityName": null,
"SurName": null,
"CommonName": [
"test.compute.amazonaws.com"
],
"JurisdictionLocalityName": null,
"StreetAddress": null,
"PostalCode": null,
"PostalAddress": null,
"JurisdictionCountryName": null,
"CountryName": [
"IL"
],
"EmailAddress": [
"test@gmail.com""
],
"DomainNameQualifier": null
},
"Issuer": {
"OrganizationalUnitName": [
"Content"
],
"OrganizationName": [
"Demisto"
],
"BusinessCategory": null,
"Title": null,
"SerialNumber": null,
"StateOrProvinceName": [
"Hamerkaz"
],
"DomainComponent": null,
"GivenName": null,
"Pseudonym": null,
"JurisdictionStateOrProvinceName": null,
"GenerationQualifier": null,
"LocalityName": [
"Tel Aviv"
],
"SurName": null,
"CommonName": [
"Demisto TLS"
],
"JurisdictionLocalityName": null,
"StreetAddress": null,
"PostalCode": null,
"PostalAddress": null,
"JurisdictionCountryName": null,
"CountryName": [
"IL"
],
"EmailAddress": [
"test@gmail.com"
],
"DomainNameQualifier": null
}
},
"Raw": "-----BEGIN CERTIFICATE-----\nxxxx\n-----END CERTIFICATE-----\n"
}
],
"Identifier": "test.compute.amazonaws.com",
"NotValidBefore": "2020-09-22 11:37:45",
"NotValidAfter": "2025-09-21 11:37:45",
"Version": 0,
"Extentions: {
"IssuerAlternativeName": [*.google.com, *.appengine.google.com],
"SubjectAlternativeName": [*.google.com, *.appengine.google.com]
}
}
}
}
}

Human Readable Output#

Docker container engine - custom certificate#

Enviorment variables#

CERT_FILESSL_CERT_FILE
/etc/custom-python-ssl/certs.pem/etc/custom-python-ssl/certs.pem

General#

NotValidBeforeNotValidAfterVersion
2020-09-22 15:22:192020-12-15 15:22:192

Issuer#

CommonNameCountryNameEmailAddressLocalityNameOrganizationNameOrganizationalUnitNameStateOrProvinceName
Demisto TLSILall@paloaltonetworks.comTel AvivDemistoContentHamerkaz

Subject#

CommonNameCountryNameEmailAddressLocalityNameOrganizationNameOrganizationalUnitNameStateOrProvinceName
Demisto TLSILall@paloaltonetworks.comTel AvivDemistoContentHamerkaz

Endpoint certificate - ec2-54-220-131-136.eu-west-1.compute.amazonaws.com#

General#

NotValidBeforeNotValidAfterVersion
2020-09-22 15:22:192020-12-15 15:22:192

Issuer#

CommonNameCountryNameEmailAddressLocalityNameOrganizationNameOrganizationalUnitNameStateOrProvinceName
Demisto TLSILall@paloaltonetworks.comTel AvivDemistoContentHamerkaz

Subject#

CommonNameCountryNameEmailAddressOrganizationNameOrganizationalUnitNameStateOrProvinceName
ec2-54-220-131-136.eu-west-1.compute.amazonaws.comILtest@gmail.comContentTestDemisto

Extentions#

IssuerAlternativeName
.google.com,.android.com,.appengine.google.com,.bdn.dev,*.cloud.google.com