Skip to content

chrisanag1985/convert_DER_to_zeek_cert

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
README.md
README.md
 
 
convert_der_to_zeek_cert.py
convert_der_to_zeek_cert.py
 
 
get_AIA.sh
get_AIA.sh
 
 

Repository files navigation

Convert DER files to Zeek root_certs

If you want to get rid the notices SSL certificate validation failed with ... messages, you can download the Root Certificate and upload it to Zeek.

Why this happens

Zeek uses Mozilla's list with Root CA's, but some applications store some Root CA's in their local datastore (e.g microsoft update, apple etc.). Hence Zeek cannot resolve properly the certificate.

Bash script to do all the steps

You can run the bash script which search in the Certificate.

Then will extract the AIA URL and download the crt file.

Finally the bash script will execute the Python script and convert it to Zeek suitable format for SSL::root_certs.

Example:

./get_AIA.sh slscr.update.microsoft.com

Output:

["C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = Microsoft ECC Product Root Certificate Authority 2018"] = "\x30\x82\x04\x62\x30\x82\x03\xE8\xA0\x03\x02\x01\x02\x02\x13\x33\x00\x00\x00\x04\xA1\xF5\xB5\x88\x3D\x3F\x00\x22\x00\x00\x00\x00\x00\x04\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x81\x94\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x13\x30\x11\x06\x03\x55\x04\x08\x13\x0A\x57\x61\x73\x68\x69\x6E\x67\x74\x6F\x6E\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x52\x65\x64\x6D\x6F\x6E\x64\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x13\x15\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x3E\x30\x3C\x06\x03\x55\x04\x03\x13\x35\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x20\x45\x43\x43\x20\x50\x72\x6F\x64\x75\x63\x74\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x32\x30\x31\x38\x30\x1E\x17\x0D\x31\x38\x30\x39\x32\x38\x32\x31\x33\x34\x32\x30\x5A\x17\x0D\x33\x33\x30\x39\x32\x38\x32\x31\x34\x34\x32\x30\x5A\x30\x81\x88\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x13\x30\x11\x06\x03\x55\x04\x08\x13\x0A\x57\x61\x73\x68\x69\x6E\x67\x74\x6F\x6E\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x52\x65\x64\x6D\x6F\x6E\x64\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x13\x15\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x32\x30\x30\x06\x03\x55\x04\x03\x13\x29\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x20\x45\x43\x43\x20\x55\x70\x64\x61\x74\x65\x20\x53\x65\x63\x75\x72\x65\x20\x53\x65\x72\x76\x65\x72\x20\x43\x41\x20\x32\x2E\x31\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\xFD\x39\x3E\xFB\x55\xAA\x15\x7B\xF9\x24\x17\xFF\xC9\x62\x0E\x1E\x73\x23\x66\xCC\xD0\x18\x47\xEA\xDA\xEE\x5A\xC4\x52\x72\xC8\x9A\x92\xF5\xED\x44\x4C\x0F\x76\x48\x48\x05\x99\x25\x19\xA6\x09\x46\xA6\x71\x5C\x5F\xAD\x7B\x91\x25\x77\x36\xC1\x83\x27\x02\x63\x90\xBB\x88\xFB\xCD\xED\x02\xE8\x0C\x28\xB5\xCB\x1B\x28\xAE\xFF\x07\x73\x58\x87\x2B\xFF\x63\xD1\x33\x4E\x61\x37\xEE\x15\x7C\x25\x40\xA3\x82\x02\x04\x30\x82\x02\x00\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x10\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x15\x01\x04\x03\x02\x01\x00\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x16\x41\xB1\x07\xC7\x8B\xF3\xD2\x06\x14\x90\x26\x0A\xDB\xB1\x2B\xC0\x44\x62\xC3\x30\x55\x06\x03\x55\x1D\x20\x04\x4E\x30\x4C\x30\x4A\x06\x04\x55\x1D\x20\x00\x30\x42\x30\x40\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x34\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x6D\x69\x63\x72\x6F\x73\x6F\x66\x74\x2E\x63\x6F\x6D\x2F\x70\x6B\x69\x6F\x70\x73\x2F\x44\x6F\x63\x73\x2F\x52\x65\x70\x6F\x73\x69\x74\x6F\x72\x79\x2E\x68\x74\x6D\x00\x30\x13\x06\x03\x55\x1D\x25\x04\x0C\x30\x0A\x06\x08\x2B\x06\x01\x05\x05\x07\x03\x01\x30\x19\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x14\x02\x04\x0C\x1E\x0A\x00\x53\x00\x75\x00\x62\x00\x43\x00\x41\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x43\xEF\x70\x87\xB8\x9D\xBF\xEC\x88\x19\xDC\xC6\xC4\x6B\x75\x0D\x75\x34\x33\x08\x30\x7A\x06\x03\x55\x1D\x1F\x04\x73\x30\x71\x30\x6F\xA0\x6D\xA0\x6B\x86\x69\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x6D\x69\x63\x72\x6F\x73\x6F\x66\x74\x2E\x63\x6F\x6D\x2F\x70\x6B\x69\x6F\x70\x73\x2F\x63\x72\x6C\x2F\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x25\x32\x30\x45\x43\x43\x25\x32\x30\x50\x72\x6F\x64\x75\x63\x74\x25\x32\x30\x52\x6F\x6F\x74\x25\x32\x30\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x25\x32\x30\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x25\x32\x30\x32\x30\x31\x38\x2E\x63\x72\x6C\x30\x81\x87\x06\x08\x2B\x06\x01\x05\x05\x07\x01\x01\x04\x7B\x30\x79\x30\x77\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x02\x86\x6B\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x6D\x69\x63\x72\x6F\x73\x6F\x66\x74\x2E\x63\x6F\x6D\x2F\x70\x6B\x69\x6F\x70\x73\x2F\x63\x65\x72\x74\x73\x2F\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x25\x32\x30\x45\x43\x43\x25\x32\x30\x50\x72\x6F\x64\x75\x63\x74\x25\x32\x30\x52\x6F\x6F\x74\x25\x32\x30\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x25\x32\x30\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x25\x32\x30\x32\x30\x31\x38\x2E\x63\x72\x74\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x68\x00\x30\x65\x02\x30\x3D\x6B\x1E\x33\xF6\x2B\x31\xB6\x58\x1F\x25\x8F\x7E\xF0\x75\xC3\xA6\xD9\xD3\xCA\x34\x3C\xB4\x60\x04\x38\xB9\x25\x9B\xA3\xD4\x42\x1D\x5C\xD8\xE8\x84\x99\x30\x76\xAE\xEC\x71\x6C\x61\x15\x24\x0D\x02\x31\x00\x9D\x4D\xAE\xC4\x64\x55\x22\x74\xAA\xBE\x32\xF3\x02\x74\x41\xF6\x39\x2D\x1E\x22\x6E\x9F\xE7\x5F\xF9\xE1\x46\xDD\x19\x67\x10\xA6\x69\xC9\xB7\x7B\xF4\x3F\x08\xFD\x73\x3B\x3C\xDB\x41\x67\x50\xBA"

Steps for Python Script (If you don't want to run the bash script)

  1. Download the Root Certificate .

  2. If it is in PEM format first run the command to convert it to DER format.

cat o.pem |  sed -n '/BEGIN/,/END/p' | openssl x509 -outform DER > o.der

  1. Then run python3 convert_DER_to_zeek.cert.py <file.der>

  2. Get the output of the above command and copy it to a zeek script file. Output example of the converter:

["KSNGlobalRootCAECC"] = "\x30\x82\x02\x52\x30\x82\x01\xB4\xA0\x03\x02\x01\x02\x02\x10\x14\x69\xC4\x69\xB6\xD5\x4E\x90\x4D\x6B\x82\x01\x4E\xFF\x92\x91\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x3E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x52\x55\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x13\x09\x4B\x61\x73\x70\x65\x72\x73\x6B\x79\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x4B\x53\x4E\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x32\x30\x30\x36\x31\x32\x30\x39\x35\x32\x33\x36\x5A\x17\x0D\x33\x35\x30\x36\x31\x32\x31\x30\x30\x32\x33\x35\x5A\x30\x3E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x52\x55\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x13\x09\x4B\x61\x73\x70\x65\x72\x73\x6B\x79\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x4B\x53\x4E\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x81\x9B\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x23\x03\x81\x86\x00\x04\x00\xA8\x6D\x41\xC0\xF8\x37\xA8\xBD\x84\xCB\xC6\x52\xE2\xD1\x07\x24\x05\x35\x77\x60\x5B\x7E\xAA\xC9\xFE\xDA\x07\x38\x4F\xB7\xB0\xA0\x5F\xD1\xA7\x96\x9C\x05\xE3\xC3\xDC\x50\x63\xBA\x63\xD9\x00\x0D\x0A\xAE\x4C\x0C\x90\xA4\x9E\x77\x11\xC6\x8B\x7F\xCC\xB9\x51\xD6\x46\x01\x1D\x22\xD3\x67\x41\xE8\x0B\xEE\xC7\xD6\xAA\xCD\xBA\x7B\x93\x02\xA9\x93\xFD\x8C\x6E\x7E\xA6\x04\xD7\x92\x2B\x77\x9F\xAB\xCD\x0D\x83\xC3\x2E\x5E\x9A\xD4\x3A\x9F\x72\x16\xF3\x2C\xA4\x24\x9B\x66\x65\xDB\x2D\x2D\x06\xC9\x45\x7F\x19\x01\x08\x68\xAE\xA7\x98\x4B\x9F\xA3\x51\x30\x4F\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x45\x31\xC5\x21\x7B\x9C\xCC\xBB\x8D\xFF\x73\x6D\x13\x94\x33\x51\x21\x3C\x8B\xDC\x30\x10\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x15\x01\x04\x03\x02\x01\x00\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x81\x8B\x00\x30\x81\x87\x02\x42\x00\xC2\x28\x41\x40\x53\x00\xBD\x02\x97\x3E\x94\x41\x99\xAE\x70\xE3\x51\x00\x4C\x13\x3D\xFD\xC3\x58\x5A\xBA\x54\xF8\x5F\x82\x9C\x2C\xA1\xC6\x05\x6C\x61\x9F\xA9\x49\x3A\x13\x86\xDB\xA2\xCB\x65\xDC\x07\xF1\xEA\xBB\x00\x18\x70\x29\xF2\x43\xA5\xFD\xC8\x54\x73\x53\xCD\x02\x41\x75\x42\xDB\x08\xA2\xDA\xAA\x8C\xEC\x93\x33\xBF\x02\x6C\xB0\xEA\xCD\x88\x92\x3A\x37\x2E\x6A\x30\x46\xD5\x2B\x14\xAA\x93\x9D\xF8\x05\x0A\x03\x3C\x40\xE8\x81\x3F\xAF\x66\x7F\x67\x96\x65\xE4\x6C\xC3\x89\x30\xBA\xDD\x45\x43\x16\x84\x9F\xB2\x72\x31\x23\xFA\xD6\x80"

How to add it to Zeek

Create a Zeek script which will have structure like the below example:

redef SSL::root_certs += {
  ["KSNGlobalRootCAECC"] = "\x30\x82\x02\x52... ,
  ["test 2"] = "\x30\x82...
};

and load (@load) the zeek script file to your local.zeek .

About

Convert DER files to Zeek SSL::root_certs

Topics

tls ssl x509 pem der zeek self-signed-certificate

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Packages

No packages published

Languages