atc0005/check-cert

Add support for asserting that all given certificates are present for a specified site

atc0005 opened this issue · 1 comment

Given:

  • 1 or more certificate files (leaf, intermediates bundle)
  • target server (URL or explicit server / port pair)

Expect:

  • all certificates are offered by the server at the specified port / hostname (or IP address)
  • (optionally) all specified certificates offered by the server are in the given order

The use for this feature surfaced during some troubleshooting earlier this AM.

An attempt to import a certificate bundle (leaf + two intermediates) failed for an IIS system, resulting in just the leaf certificate being offered to clients.

Using lscert it was clear that only the leaf cert was offered, but it was not immediately clear that the certificate offered was the same one included in the imported certificate bundle (and not a previous one being replaced with sufficient lifetime to avoid triggering expiration warnings).

Ideally, I could have used a flag to specify the cert file and one or more other flags to specify the target server to evaluate along with any specific cert chain requirements (ordering, presence of all certs from bundle, etc.).
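The check described in this issue, written out as an added example in Go (check-cert's own language); this is not code from the project, and the function names (`parsePEMBundle`, `checkChain`, `demoChain`, `newCert`), the tolerance of extra certs such as a trailing root, and the constructed root / intermediate / leaf chain are all assumptions made here. Certificates are matched by SHA-256 fingerprint of the DER bytes rather than by subject, which is exactly the distinction the troubleshooting above needed: a previous leaf with the same name and enough lifetime left would not match the one in the imported bundle.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// fingerprint identifies a cert by the SHA-256 of its DER bytes, so a renewed cert with
// the same subject (the "previous one being replaced" case) cannot pass as the bundled one.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// parsePEMBundle returns every CERTIFICATE block in a PEM bundle, in file order.
func parsePEMBundle(data []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for b, rest := pem.Decode(data); b != nil; b, rest = pem.Decode(rest) {
		if b.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return nil, fmt.Errorf("bundle cert %d: %w", len(certs), err)
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 { // an empty or mis-typed file must not silently pass
		return nil, fmt.Errorf("no CERTIFICATE blocks in bundle")
	}
	return certs, nil
}

// checkChain reports every bundled cert the server did not offer. With requireOrder the
// bundled certs must also appear in the same relative order as in the bundle; extra
// certs (e.g. a root the server appends) are tolerated. An empty result is a pass.
func checkChain(bundle, offered []*x509.Certificate, requireOrder bool) []string {
	pos := make(map[string]int, len(offered))
	for i, c := range offered {
		pos[fingerprint(c)] = i
	}
	var problems []string
	last := -1
	for i, b := range bundle {
		p, ok := pos[fingerprint(b)]
		if !ok {
			problems = append(problems, fmt.Sprintf("bundle cert %d (%q) not offered", i, b.Subject.CommonName))
		} else if requireOrder && p <= last {
			problems = append(problems, fmt.Sprintf("bundle cert %d (%q) offered out of order at position %d", i, b.Subject.CommonName, p))
		} else {
			last = p
		}
	}
	return problems
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a throwaway cert signed by parent (self-signed when parent is nil).
// Constructed test data for demoChain, not any real site's certificates.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	c, err := x509.ParseCertificate(der)
	must(err)
	return c, key
}

// demoChain builds root -> intermediate -> leaf and returns the full chain leaf-first plus
// a PEM bundle of leaf + intermediate, the kind of file the issue describes importing.
func demoChain() ([]*x509.Certificate, []byte) {
	root, rootKey := newCert("Demo Root", true, nil, nil)
	inter, interKey := newCert("Demo Intermediate", true, root, rootKey)
	leaf, _ := newCert("www.example.test", false, inter, interKey)
	bundle := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leaf.Raw})
	bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: inter.Raw})...)
	return []*x509.Certificate{leaf, inter, root}, bundle
}
```

Against a live target the `offered` slice would come from `conn.ConnectionState().PeerCertificates` after a `tls.Dial` with `ServerName` set and `InsecureSkipVerify: true`; skipping verification is deliberate there, since the goal is to report what the server offers (including the broken leaf-only chain from the IIS import), and a handshake that aborts on a bad chain would hide exactly the condition being checked. `checkChain(want, chain, true)` on the demo chain passes, `checkChain(want, chain[:1], false)` reports the missing intermediate, and a freshly issued leaf with the same CommonName is reported as not offered.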