Open djcode opened 1 month ago
@djcode This would be super helpful to me.
It might be even better to return the shortest key by type in the cert chain, in order to identify weak certs, similar to how probe_ssl_last_chain_expiry_timestamp_seconds considers the whole cert chain (tls.ConnectionState.VerifiedChains docs).
I.e. I want to be able to spot an intermediate cert with 256-bit RSA, even when the last chain element is RSA 4096.
Adding this PR as a request for feedback. I feel this still needs some more testing and tweaking (I have only tested the TCP side of this, but HTTP and GRPC should work in theory).
I wanted more information around the key behind certificates gathered by blackbox exporter. This code adds a new metric.
In this output, fingerprint_sha256 is a sha256sum of the raw public key from the certificate. This way, you can detect two certificates sharing the same key (or a certificate reissue not also rotating the key).
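An added example (my own sketch, not code from this PR or from blackbox exporter) that combines both points in this thread: the SHA-256 fingerprint of the raw public key (RawSubjectPublicKeyInfo) described in the PR, and the shortest-key-per-type scan over the whole chain suggested in the comment. The function names, the RSA-only type check and the throwaway self-signed certificates are my assumptions; a real probe would feed it tls.ConnectionState.VerifiedChains instead.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Inspect returns the key type, its size in bits and the SHA-256 of the raw SubjectPublicKeyInfo (hex-encode with %x for a label).
func Inspect(c *x509.Certificate) (typ string, bits int, fingerprint [32]byte) {
	fingerprint = sha256.Sum256(c.RawSubjectPublicKeyInfo) // identical for every cert issued for this key
	if k, ok := c.PublicKey.(*rsa.PublicKey); ok {
		return "RSA", k.N.BitLen(), fingerprint
	}
	return "other", 0, fingerprint
}

// ShortestKeyByType scans the whole chain, so a weak intermediate is flagged even when the leaf key is strong.
func ShortestKeyByType(chain []*x509.Certificate) map[string]int {
	out := map[string]int{}
	for _, c := range chain {
		if typ, bits, _ := Inspect(c); out[typ] == 0 || bits < out[typ] {
			out[typ] = bits
		}
	}
	return out
}

// selfSigned builds a throwaway self-signed certificate for key (constructed test data only, assumed helper).
func selfSigned(key *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced just above, cannot fail to parse
	return c
}
func main() {
	leaf, _ := rsa.GenerateKey(rand.Reader, 2048)
	inter, _ := rsa.GenerateKey(rand.Reader, 1024)
	chain := []*x509.Certificate{selfSigned(leaf), selfSigned(inter)}
	_, _, a := Inspect(chain[0])
	_, _, b := Inspect(selfSigned(leaf)) // reissue: new cert, same key
	fmt.Printf("%v same-key=%v fp=%x\n", ShortestKeyByType(chain), a == b, a) // map[RSA:1024] same-key=true fp=...
}
```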