Skip to main content

x509_certificate resource

Use the x509_certificate Chef InSpec audit resource to test the fields and validity of an x.509 certificate.

X.509 certificate uses public or private key pairs to sign and encrypt communications and documents over a network. These certificates are also used for network authentication. Examples include Secure Sockets Layer (SSL) certificates, Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates, and Virtual Private Network (VPN) authentication certificates.

Availability

Install

Chef InSpec distributes this resource.

Version

This resource is available from InSpec version 1.18.

Syntax

An x509_certificate resource block declares a certificate key file to be tested.

describe x509_certificate('certificate.pem') do
  its('validity_in_days') { should be > 30 }
end

The filepath property can also be used.

describe x509_certificate(filepath: 'certificate.pem') do
  its('validity_in_days') { should be > 30 }
end

This resource also supports passing the content of the certificate.

cert_content = file('certificate.pem').content

describe x509_certificate(content: cert_content) do
  its('validity_in_days') { should be > 30 }
end

The content value is used if the content and filepath are specified.

Properties

subject.XX

The subject (string) property accesses the individual subject elements.

describe x509_certificate('/etc/pki/www.example.com.pem') do
  its('subject.CN') { should eq "www.example.com" }
end

subject_dn

The subject_dn (string) property returns the distinguished name of the subject field. It contains many fields separated by forward slashes (/). The field identifiers are the same ones used by OpenSSL to generate Certificate Signing Requests (CSR’s) and certificates. To access the parsed version, use subject.XX instead.

For example, /C=US/L=Seattle/O=Chef Software Inc/OU=Chefs/CN=Richard Nixon

describe x509_certificate('/etc/pki/www.example.com.pem') do
  its('subject_dn') { should match "CN=www.example.com" }
end

issuer.XX

The issuer (string) property accesses the individual issuer elements.

describe x509_certificate('/etc/pki/www.example.com.pem') do
  its('issuer.CN') { should eq "Acme Trust CA" }
end

issuer_dn

During the certificate signing process, the issuer_dn (string) property is the distinguished name from a Certificate Authority (CA). This property states which authority is guaranteeing the identity of the certificate.

For example, /C=US/L=Seattle/CN=Acme Trust CA/emailAddress=support@acmetrust.org

describe x509_certificate('/etc/pki/www.example.com.pem') do
  its('issuer_cn') { should match "CN=NAME CA" }
end

public_key

The public_key (string) property returns a base64 encoded public key in PEM format.

describe x509_certificate('/etc/pki/www.example.com.pem') do
  its('public_key') { should match "-----BEGIN PUBLIC KEY-----\nblah blah blah..." }
end

key_length

The key_length (integer) property calculates the number of bits in the public key. If the length of bits in the public key increases, the public keys are secure. However, at the cost of speed and compatibility.

describe x509_certificate('/etc/pki/www.example.com.pem') do
  its('key_length') { should be 2048 }
end

keylength

The keylength (integer) property is an alias of the key_length property.

describe x509_certificate('/etc/pki/www.example.com.pem') do
  its('keylength') { should be 2048 }
end

signature_algorithm

The signature_algorithm (string) property describes the CA’s hash function to sign the certificate.

describe x509_certificate('/etc/pki/www.example.com.pem') do
  its('signature_algorithm') { should be 'sha256WithRSAEncryption' }
end

validity_in_days

The validity_in_days (float) property is used to check the validity of the certificates.

describe x509_certificate('/etc/pki/www.example.com.pem') do
  its('validity_in_days') { should be > 30 }
end

not_before and not_after

The not_before and not_after (time) properties expose the start and end dates of certificate validity. These dates are exposed as Ruby Time class and perform date calculations.

describe x509_certificate('/etc/pki/www.example.com.pem') do
  its('not_before') { should be <= Time.utc.now }
  its('not_after')  { should be >= Time.utc.now }
end

serial

The serial (integer) property exposes the certificate’s serial number. The CA sets the serial number during the signing process and should be unique within that CA.

describe x509_certificate('/etc/pki/www.example.com.pem') do
  its('serial') { should eq 9623283588743302433 }
end

version

The version (integer) property exposes the certificate version.

describe x509_certificate('/etc/pki/www.example.com.pem') do
  its('version') { should eq 2 }
end

extensions

The extensions (hash) property is mainly used to determine the purpose of the certificate.

describe x509_certificate('/etc/pki/www.example.com.pem') do
  # Check what extension categories we have
  its('extensions') { should include 'keyUsage' }
  its('extensions') { should include 'extendedKeyUsage' }
  its('extensions') { should include 'subjectAltName' }

  # Check examples of basic 'keyUsage'
  its('extensions.keyUsage') { should include 'Digital Signature' }
  its('extensions.keyUsage') { should include 'Non Repudiation' }
  its('extensions.keyUsage') { should include 'Data Encipherment' }

  # Check examples of newer 'extendedKeyUsage'
  its('extensions.extendedKeyUsage') { should include 'TLS Web Server Authentication' }
  its('extensions.extendedKeyUsage') { should include 'Code Signing' }

  # Check examples of 'subjectAltName'
  its('extensions.subjectAltName') { should include 'email:support@chef.io' }
end

email

The email (string) property checks for the email address of the certificate. This is equivalent to invoking the property subject.emailAddress.

describe x509_certificate('/etc/pki/www.example.com.pem') do
  its('email') { should_not be_empty }
  its('email') { should eq 'admin@example.com' }
end

subject_alt_names

The subject_alt_names (string) property checks for the subject alternative names (additional host names) of the certificate.

describe x509_certificate('/etc/pki/www.example.com.pem') do
  its('subject_alt_names') { should include 'DNS:example.com' }
  its('subject_alt_names') { should include 'DNS:www.example.com' }
end

Matchers

For a full list of available matchers, please visit our matchers page.

The specific matchers of this resource are: be_valid, be_certificate and have_purpose.

be_valid

The be_valid matcher tests if the specified certificate is valid.

describe x509_certificate('/etc/pki/www.example.com.pem') do
  it { should be_valid }
end

be_certificate

The be_certificate matcher tests if the specified content or file is a certificate.

describe x509_certificate('/etc/pki/www.example.com.pem') do
  it { should be_certificate }
end

have_purpose

The have_purpose matcher tests if the certificate meets the specified purpose.

describe x509_certificate('/etc/pki/www.example.com.pem') do
  it { should have_purpose('SSL client CA : Yes') }
  it { should have_purpose('SSL server CA : Yes') }
end
Edit this page on GitHub

Thank you for your feedback!

×