+----------------------------------------------------------+
                CertAlert from Red Kestrel
+----------------------------------------------------------+

Version: v3.1.8608.18905
Date:    July 27 2023
Company: Red Kestrel Consulting Limited
Website: http://www.redkestrel.co.uk
E-mail:  support@redkestrel.co.uk

************************************************************
If you have any questions, please email us at
support@redkestrel.co.uk.
************************************************************

|----------------------------------------------------------|
LICENCE NOTES

Please read the LICENCE.txt file for licensing information on
this application.

|----------------------------------------------------------|
DESCRIPTION

CertAlert is a .NET console application for managing SSL
certificates. It scans your networks based on input IP ranges
(or hostnames) and port ranges, and generates detailed CSV and
summary PDF reports on the certificates it finds. Detected
issues, such as expired, expiring, self-signed, md5, and short
key certificates, are highlighted.

In addition to displaying progress in a command window,
CertAlert can send alerts and reports via email to multiple
recipients. It can be run manually from the command window or
scheduled to run periodically using the Windows Scheduler.

|----------------------------------------------------------|
SYSTEM REQUIREMENTS

Windows 10 and later or Windows Server 2016 and later

CertAlert is a self-contained application that includes all
necessary .NET runtime files for its operation. Therefore,
there's no need to install a compatible .NET runtime
separately.

|----------------------------------------------------------|
INSTALLATION

For any installation queries, please email
support@redkestrel.co.uk.

Unzip the downloaded .zip file to create a CertAlert- folder.
This self-contained application includes all necessary .NET
files for operation.

Modify the CertAlert.dll.config and serverlist.txt files as
per your needs.
Refer to the CONFIGURATION section below for detailed
instructions.

|----------------------------------------------------------|
RUNNING CERTALERT

* Run the following command:

    CertAlert.exe

|----------------------------------------------------------|
DISABLE LICENCE PROMPT

To disable the licence acceptance prompt, use the
'i_accept_the_licence' command line option when running
CertAlert:

    CertAlert.exe i_accept_the_licence

|----------------------------------------------------------|
CONFIGURATION

CertAlert's primary configuration is within the
CertAlert.dll.config XML file. Adjust the settings as detailed
below to meet your needs. Any questions? Just email
support@redkestrel.co.uk.

* Key: ReverseLookup
  Values: true/false
  Description: Set true to do a reverse lookup on IP addresses
  where a certificate is found. Note that if the DNS is slow,
  enabling this setting may slow down the scan.
  e.g.,

* Key: EmailReports
  Values: true/false
  Description: Set EmailReports true if you wish to receive a
  report by email at the end of each run.
  e.g.,

* Key: ReportConditions
  Values: NO CERT,EXPIRED,EXPIRING,OK
  Description: Set this value to the conditions you want to be
  reported. For example, to only have expired and expiring
  certificates:
  e.g.,

* Key: OverwriteOldReports
  Values: true/false
  Description: Set false to have a separate report filename
  each run. If it is set true, the report file always has the
  same name, so the current report will be overwritten on the
  next run.
  e.g.,

* Key: AlertConditions
  Values: NO CERT,EXPIRED,EXPIRING
  Description: Set to indicate the conditions you wish to
  receive alerts for. You can receive alerts when no cert was
  found, a cert is expiring, or a cert has expired.
  e.g.,

* Key: ConsoleReports
  Values: true/false
  Description: Set ConsoleReports true if you wish certificate
  information to be written to the console.
  e.g.,

* Key: MailFrom
  Value: email address
  Description: Sets the email from address.
  e.g.,

* Key: MailFromDisplayName
  Values: display name
  Description: Sets the email display name.
  e.g.,

* Key: MailTo
  Values: email addresses
  Description: A comma separated list of email recipients.
  e.g.,

* Key: MailAlertsTo
  Value: email address
  Description: Only set this if you want your alerts to go to a
  different email address than reports.
  e.g.,

* Key: UseIPRanges
  Values: true/false
  Description: Set true if you wish to use the value in
  IPRanges rather than the contents of the serverlist.txt file.
  e.g.,

* Key: IPRanges
  Values: One or more IP ranges in CIDR or nmap notation
  Description: Set the IP ranges you wish to scan. Each range
  should be separated by a comma.
  e.g.,

* Key: Ports
  Values: A list of port numbers and port ranges
  Description: Set the port numbers you wish to check.
  e.g.,
  NOTE: A port in a serverlist.txt file entry will override
  this for that entry.

* Key: SMTPServer
  Values: hostname or IP address
  Description: The SMTP server to use for emailing alerts and
  reports. (See the CONFIGURING SMTP section below if your SMTP
  server uses authentication, SSL, or a non-standard port.)

* Key: WarningInterval
  Value: An integer value
  Description: Set this field to the number of days before
  expiry to start sending alerts and to change the Status field
  of console output to EXPIRING.

* Key: SmtpStartTlsPorts
  Value: A list of port numbers
  Description: Ports you wish to try with SMTP STARTTLS if the
  initial SSL connection fails.
  e.g.,

* Key: ServerListFile
  Value: filename holding hostnames/IPs to check
  Description: Only set this if you don't want the application
  to use the serverlist.txt file in the application folder.
  e.g.,

* Key: Connections
  Value: An integer value
  Description: Specify the number of concurrent outgoing
  connection attempts. On some networks higher values may
  result in some packet loss due to congestion.
  e.g.,

There are also keys that control which columns (fields) are
included in the CSV report.
Two of these keys are described in more detail below:

* Key: VerifyCol
  Values: true/false
  Description: Set true if you want the certificate chain to be
  verified using RFC 3280 path building and verification and
  the result to be included in the report.
  e.g.,

* Key: PemCertCol
  Values: true/false
  Description: Set true if you want the PEM encoded cert to be
  included in reports.
  e.g.,

|----------------------------------------------------------|
CONFIGURATION of serverlist.txt

The serverlist.txt file stores hostnames or IP addresses to be
checked. Each entry should be in the format:

    hostname[:port]

If no port is mentioned, the 'Ports' config entry key values
are used.

Some examples of entries in serverlist.txt are:

    amazon.com
    yahoo.com
    smtp.gmail.com:587
    imap.aol.com:993
    smtp.aol.com:465
    72.21.210.250
    google.com
    goodreads.com

Each hostname or IP address should be on a new line.

|----------------------------------------------------------|
CONFIGURING SMTP

To receive email reports or alerts, an SMTP server needs to be
configured in the CertAlert.dll.config file. For a basic setup,
define the SMTP server as follows:

For servers needing authentication or non-standard ports,
additional settings are required. Here's a Gmail setup example:

Please replace yourusername@gmail.com and yourgmailpassword
with your actual Gmail username and password.

|----------------------------------------------------------|
RETURN CODES

CertAlert returns a value of 0 on success and 1 on failure.

|----------------------------------------------------------|
RUNNING CERTALERT AUTOMATICALLY

You can schedule CertAlert to run automatically on Windows
using the Task Scheduler. Remember to:

* Set the "Start in" value in Task Scheduler to the folder
  where CertAlert is located.
* Include i_accept_the_licence as a command-line argument.

Don't hesitate to email us if you need any assistance.
Here's how to automate CertAlert on Windows 10:

* Unzip CertAlert to a folder (in this example we use
  "C:\CertAlert").
* Open the Windows Task Scheduler - in the Start menu type
  "Task Scheduler".
* Create a new task with the following settings:
    General:  Run whether user is logged in or not, Hidden
    Triggers: Daily
    Actions:  Start program
      Program/script: C:\CertAlert\CertAlert.exe
      Arguments:      i_accept_the_licence
      Start in:       C:\CertAlert
    Stop the task if it runs longer than 3 hours (set this
    value to what's appropriate for your scan)

You can test that it works by selecting the task, right
clicking and picking "Run".

|----------------------------------------------------------|
ENABLING EARLIER VERSIONS OF TLS / SSL

IMPORTANT: Modern versions of Windows Server may have older,
less secure versions of TLS (such as 1.0 and 1.1) disabled by
default to enhance system security. When running CertAlert on
a system where these older protocols are disabled, it won't be
able to identify certificates on machines that still operate
using these earlier protocols.

To enable these older protocols, you can use the free tool,
IISCrypto, from Nartac Software:

    https://www.nartac.com/Products/IISCrypto

By enabling these protocols, CertAlert will be able to identify
certificates on machines that still use these earlier
protocols.

CAUTION: Enabling older, less secure protocols may expose your
systems to potential security risks. It is recommended to only
do so if authorised and in compliance with your organisation's
security policies.

|----------------------------------------------------------|
ERROR MESSAGES WHEN NO CERTIFICATE FOUND

There are a number of short error messages that may appear in
the CSV report when no certificate was found. This section
provides more detail on what each of the errors mean.
* Timed out
  A connection attempt failed because the connected party did
  not properly respond after a period of time, or the
  established connection failed because the connected host has
  failed to respond.

* Refused
  No connection could be made because the target computer
  actively refused it. This usually results from trying to
  connect to a service that is inactive on the foreign host;
  that is, one with no server application running.

* Host not found
  No such host is known. The name is not an official host name
  or alias, or it cannot be found in the database(s) being
  queried. This error may also be returned for protocol and
  service queries, and means that the specified name could not
  be found in the relevant database.

* Nonauthoritative
  This is usually a temporary error during host name
  resolution and means that the local server did not receive a
  response from an authoritative server. A retry at some time
  later may be successful.

* No DNS record
  The requested name is valid and was found in the database,
  but it does not have the correct associated data being
  resolved for. The usual example for this is a host
  name-to-address translation attempt (using gethostbyname or
  WSAAsyncGetHostByName) which uses the DNS (Domain Name
  Server). An MX record is returned but no A record,
  indicating the host itself exists, but it is not directly
  reachable.

* Read failed
  Unable to read data from the transport connection. A
  connection attempt failed because the connected party did
  not properly respond after a period of time.

* Handshake failed
  The handshake failed due to an unexpected packet format.

* Auth. Failed
  Authentication failed because the remote party has closed
  the transport stream.

* Server name mismatch
  This occurs when there is no domain listed in the
  certificate that matches the HOST column. This can happen
  when you are scanning using IP ranges rather than hostnames,
  and in this situation can be ignored.
* Chain errors
  This occurs when there was a problem building a chain to a
  trusted certificate. It can also happen due to Server name
  mismatch when scanning using IP ranges rather than
  hostnames, and in this situation can be ignored.

|----------------------------------------------------------|
KNOWN LIMITATIONS

CertAlert can retrieve SSL certificates from most common
networked applications. However, there may be some
applications on your network that use a proprietary or unusual
protocol that CertAlert doesn't find the certificate for. If
this is the case, please let us know so we can investigate
adding support.

|----------------------------------------------------------|
TROUBLESHOOTING

Q. Why do I see this error message?

    Logging Exception: MESSAGE: The SMTP server requires a
    secure connection or the client was not authenticated. The
    server response was: 5.7.0 Authentication Required.
    SOURCE: System.Net.Mail

A. This error typically arises when you've configured CertAlert
   to send alerts or reports by email, but the username or
   password for SMTP server authentication is incorrect. Please
   verify your SMTP server authentication credentials and try
   again.

Q. Why haven't I received an alert or report email?

A. Check that your email client hasn't mistakenly put it in the
   spam folder.

Q. Why does CertAlert not find a certificate I know is being
   used?

A. This issue can arise due to network congestion. Consider
   reducing the number of connections being used by setting the
   Connections key to a lower number in the CertAlert.dll.config
   file:

   Alternatively, this issue can also occur if the certificate
   resides on a system configured for an earlier, less secure
   version of TLS/SSL. Please refer to the "ENABLING EARLIER
   VERSIONS OF TLS / SSL" section in this README for more
   information on how to address this issue.

Q. How do I switch logging on?

A. Edit the log4net.config file and set the log level in the
   section. For example:

   ...

Q. What is the name of the default log file?

A.
   LogFile.txt

|----------------------------------------------------------|
LEGAL ASPECTS OF USING SCANNING TOOLS LIKE CERTALERT

The legal aspects of network scanning are complex. For a
comprehensive understanding of how the law applies to your
specific situation, consult with a legal professional within
your jurisdiction.

Before initiating any scanning activities, it's prudent to
secure written authorisation from the representatives of the
target network. This measure can help prevent potential legal
complications.

|----------------------------------------------------------|
OPEN SOURCE AND PUBLIC DOMAIN LIBRARIES USED BY THIS PRODUCT

We would like to express our thanks to the authors of the
following open source and public domain libraries used by this
product:

* BouncyCastle
* log4net
* CsvHelpers
* FileHelpers
* PdfSharp
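The serverlist.txt entry format, the Ports key with its per-entry port override, and the WarningInterval rule that turns a certificate's expiry date into the OK/EXPIRING/EXPIRED status, modelled as an added Python example that is not CertAlert's own code. The function names and the sample serverlist content are this example's constructions; it assumes hostnames and IPv4 entries only.

```python
# Added example (not part of CertAlert or its README): a small model of how
# serverlist.txt entries, the Ports key and WarningInterval fit together.
# Function names and sample inputs are this example's own constructions.
from __future__ import annotations
from datetime import datetime, timedelta, timezone


def parse_ports(spec: str) -> list[int]:
    """Expand a Ports value such as "443,8443,9000-9002" into sorted ports."""
    ports = set()
    for part in (p.strip() for p in spec.split(",") if p.strip()):
        lo, _, hi = part.partition("-")          # "9000-9002" or a bare "443"
        lo_n, hi_n = int(lo), int(hi or lo)
        if not 1 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"bad port or range: {part!r}")
        ports.update(range(lo_n, hi_n + 1))
    return sorted(ports)


def expand_serverlist(text: str, ports_key: str) -> list[tuple[str, int]]:
    """Turn serverlist.txt lines (hostname[:port]) into (host, port) targets.
    A port on the entry overrides the Ports key for that entry only.
    Assumption: hostnames/IPv4 only (IPv6 literals are not handled here)."""
    defaults = parse_ports(ports_key)
    targets: list[tuple[str, int]] = []
    for line in text.splitlines():
        entry = line.strip()
        if not entry:
            continue
        host, sep, port = entry.rpartition(":")
        if sep and port.isdigit():               # explicit port wins for this entry
            targets.append((host, int(port)))
        else:                                    # otherwise scan every Ports value
            targets.extend((entry, p) for p in defaults)
    return targets


def cert_status(not_after: datetime, warning_interval: int, now: datetime) -> str:
    """Map NotAfter to the OK/EXPIRING/EXPIRED status CertAlert reports."""
    if not_after <= now:
        return "EXPIRED"
    if not_after - now <= timedelta(days=warning_interval):
        return "EXPIRING"
    return "OK"


def status_in_days(days_left: int, warning_interval: int) -> str:
    """Status for a certificate that expires days_left days from now."""
    now = datetime.now(timezone.utc)
    return cert_status(now + timedelta(days=days_left), warning_interval, now)


# Constructed sample serverlist.txt content, mirroring the README's examples.
SAMPLE_SERVERLIST = "amazon.com\nsmtp.gmail.com:587\nimap.aol.com:993\n72.21.210.250\n"
```

Calling expand_serverlist(SAMPLE_SERVERLIST, "443,465") yields amazon.com and 72.21.210.250 on both 443 and 465, while the two entries carrying their own port are scanned only on 587 and 993.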