goodthingsdev/ssl-eval

SSL Certificate Coverage Audit

A bash script to audit SSL/TLS certificate coverage across subdomains. Identifies which subdomains will fail when certificates expire by verifying actual certificate coverage (SANs/wildcards).

Features

  • Discovers subdomains via Certificate Transparency logs (crt.sh)
  • Optional DNS-based discovery via subfinder
  • Checks certificate coverage against Subject Alternative Names (SANs)
  • Identifies auto-renewing vs manual renewal certificates
  • Groups results by certificate provider (Let's Encrypt, AWS ACM, Cloudflare, etc.)
  • Exports detailed CSV reports
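
The SAN coverage check from the feature list, as an added example that is not taken from ssl-cert-audit.sh: it parses a certificate's SAN text and reports which discovered hostnames no exact or wildcard entry covers. The function names and both sample values are constructed for illustration.

```bash
# Added example, not taken from ssl-cert-audit.sh. Works on bash 3.x.

# Constructed sample of `openssl x509 -noout -ext subjectAltName` output.
SAN_SAMPLE='X509v3 Subject Alternative Name:
    DNS:example.com, DNS:*.example.com, DNS:www.example.org, IP Address:192.0.2.10'
# Constructed list of discovered hostnames, one per line.
HOSTS_SAMPLE='example.com
api.example.com
a.b.example.com
example.org'

# Print the DNS names from SAN text $1, one lowercase name per line.
san_names() {
  printf '%s\n' "$1" | tr ',' '\n' |
    sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p' | tr 'A-Z' 'a-z'
}

# Return 0 if host $1 is covered by a name in the newline-separated list $2.
# "*" counts only as the whole left-most label and stands for exactly one label:
# *.example.com covers api.example.com, not example.com or a.b.example.com.
host_covered() {
  local host name rest
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=${host%.}                       # tolerate a trailing root dot
  rest=${host#*.}                      # host without its first label
  while IFS= read -r name; do
    case "$name" in
      \*.*) if [ "$rest" = "${name#*.}" ] && [ "$host" != "$rest" ] &&
               [ -n "${host%%.*}" ]; then return 0; fi ;;
      *)    if [ "$host" = "$name" ]; then return 0; fi ;;
    esac
  done <<EOF
$2
EOF
  return 1
}

# Print every host in list $1 that the certificate's SANs ($2) do not cover.
uncovered_hosts() {
  local names h
  names=$(san_names "$2")
  while IFS= read -r h; do
    if [ -n "$h" ] && ! host_covered "$h" "$names"; then printf '%s\n' "$h"; fi
  done <<EOF
$1
EOF
}

uncovered_hosts "$HOSTS_SAMPLE" "$SAN_SAMPLE"
```

In a live audit the SAN text would come from the certificate each host actually serves, so a host that resolves but presents another name's certificate shows up as uncovered.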

Requirements

  • macOS (bash 3.x compatible)
  • openssl
  • curl
  • jq
  • subfinder (optional, for DNS-based discovery)

Usage

# Basic usage - audit a domain
./ssl-cert-audit.sh example.com

# With additional subdomain list
./ssl-cert-audit.sh -f subdomains.txt example.com

Output

Results are saved to ./ssl-audit-results/:

  • CSV file with detailed certificate info per subdomain
  • Summary text file with action items

Certificate Provider Detection

The script identifies certificate issuers and their renewal requirements:

  • AUTO - Let's Encrypt (auto-renews via ACME)
  • AWS_MANAGED - AWS Certificate Manager
  • CLOUDFLARE - Cloudflare managed
  • GOOGLE_MANAGED - Google Trust Services
  • MANUAL - Requires manual renewal

License

MIT
