2017-03-15 23:57:31 +00:00
---
title: The x509_certificate Resource
2018-02-16 00:28:15 +00:00
platform: os
2017-03-15 23:57:31 +00:00
---
# x509_certificate
2019-04-26 18:24:29 +00:00
Use the `x509_certificate` Chef InSpec audit resource to test the fields and validity of an x.509 certificate.
2017-03-15 23:57:31 +00:00
X.509 certificates use public/private key pairs to sign and encrypt documents
or communications over a network. They may also be used for authentication.
Examples include SSL certificates, S/MIME certificates and VPN authentication
certificates.
2017-10-03 21:35:10 +00:00
<br>
2018-08-09 12:34:49 +00:00
## Availability
### Installation
2019-04-26 18:24:29 +00:00
This resource is distributed along with Chef InSpec itself. You can use it automatically.
2018-08-09 12:34:49 +00:00
### Version
This resource first became available in v1.18.0 of InSpec.
2017-03-15 23:57:31 +00:00
## Syntax
An `x509_certificate` resource block declares a certificate `key file` to be tested.
describe x509_certificate('mycertificate.pem') do
2017-03-20 23:26:57 +00:00
its('validity_in_days') { should be > 30 }
2017-03-15 23:57:31 +00:00
end
2017-10-03 21:35:10 +00:00
<br>
2018-02-15 14:33:22 +00:00
## Properties
2017-03-15 23:57:31 +00:00
2017-03-20 23:26:57 +00:00
### subject.XX
2017-03-15 23:57:31 +00:00
2017-03-20 23:26:57 +00:00
`subject` property makes it easier to access individual subject elements.
2017-03-15 23:57:31 +00:00
2017-03-20 23:26:57 +00:00
describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
its('subject.CN') { should eq "www.mywebsite.com" }
end
### subject_dn (String)
2017-03-15 23:57:31 +00:00
2017-03-20 23:26:57 +00:00
The `subject_dn` string returns the distinguished name of the subject field. It contains several fields separated by forward slashes. The field identifiers are the same ones used by OpenSSL to generate CSR's and certs. Use `subject.XX` instead to access the parsed version.
2017-03-15 23:57:31 +00:00
e.g. `/C=US/L=Seattle/O=Chef Software Inc/OU=Chefs/CN=Richard Nixon`
describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
2017-03-20 23:26:57 +00:00
its('subject_dn') { should match "CN=www.mywebsite.com" }
2017-03-15 23:57:31 +00:00
end
2017-03-20 23:26:57 +00:00
### issuer.XX
2017-03-15 23:57:31 +00:00
2017-03-20 23:26:57 +00:00
`issuer` makes it easier to access individual issuer elements.
2017-03-15 23:57:31 +00:00
describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
2017-03-20 23:26:57 +00:00
its('issuer.CN') { should eq "Acme Trust CA" }
2017-03-15 23:57:31 +00:00
end
2017-03-20 23:26:57 +00:00
### issuer_dn (String)
2017-03-15 23:57:31 +00:00
2017-03-20 23:26:57 +00:00
The `issuer_dn` is the distinguished name from a CA (certificate authority) during the
2017-03-15 23:57:31 +00:00
certificate signing process. It describes which authority is guaranteeing the
identity of our certificate.
e.g. `/C=US/L=Seattle/CN=Acme Trust CA/emailAddress=support@acmetrust.org`
describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
2017-03-20 23:26:57 +00:00
its('issuer_cn') { should match "CN=Acme Trust CA" }
2017-03-15 23:57:31 +00:00
end
### public_key (String)
The `public_key` property returns a base64 encoded public key in PEM format.
describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
its('public_key') { should match "-----BEGIN PUBLIC KEY-----\nblah blah blah..." }
end
### key_length (Integer)
The `key_length` property calculates the number of bits in the public key.
More bits increase security, but at the cost of speed and in extreme cases, compatibility.
2017-03-20 23:26:57 +00:00
describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
2017-03-15 23:57:31 +00:00
its('key_length') { should be 2048 }
end
### signature_algorithm (String)
The `signature_algorithm` property describes which hash function was used by the CA to
sign the certificate.
describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
its('signature_algorithm') { should be 'sha256WithRSAEncryption' }
end
2018-06-06 18:10:48 +00:00
### validity\_in\_days (Float)
2017-03-15 23:57:31 +00:00
2017-03-20 23:26:57 +00:00
The `validity_in_days` property can be used to check that certificates are not in
2017-03-15 23:57:31 +00:00
danger of expiring soon.
describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
2017-03-20 23:26:57 +00:00
its('validity_in_days') { should be > 30 }
2017-03-15 23:57:31 +00:00
end
2018-06-06 18:10:48 +00:00
### not\_before and not\_after (Time)
2017-03-15 23:57:31 +00:00
The `not_before` and `not_after` properties expose the start and end dates of certificate
validity. They are exposed as ruby Time class so that date arithmetic can be easily performed.
describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
its('not_before') { should be <= Time.utc.now }
its('not_after') { should be >= Time.utc.now }
end
### serial (Integer)
The `serial` property exposes the serial number of the certificate. The serial number is set by the CA during the signing process and should be unique within that CA.
2017-03-20 23:26:57 +00:00
describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
its('serial') { should eq 9623283588743302433 }
end
2017-03-15 23:57:31 +00:00
### version (Integer)
The `version` property exposes the certificate version.
2017-03-20 23:26:57 +00:00
describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
its('version') { should eq 2 }
end
2017-03-15 23:57:31 +00:00
### extensions (Hash)
The `extensions` hash property is mainly used to determine what the certificate can be used for.
describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
# Check what extension categories we have
2017-03-20 23:26:57 +00:00
its('extensions') { should include 'keyUsage' }
its('extensions') { should include 'extendedKeyUsage' }
its('extensions') { should include 'subjectAltName' }
2017-03-15 23:57:31 +00:00
# Check examples of basic 'keyUsage'
2017-03-20 23:26:57 +00:00
its('extensions.keyUsage') { should include 'Digital Signature' }
its('extensions.keyUsage') { should include 'Non Repudiation' }
its('extensions.keyUsage') { should include 'Data Encipherment' }
2017-03-15 23:57:31 +00:00
# Check examples of newer 'extendedKeyUsage'
2017-03-20 23:26:57 +00:00
its('extensions.extendedKeyUsage') { should include 'TLS Web Server Authentication' }
its('extensions.extendedKeyUsage') { should include 'Code Signing' }
2017-03-15 23:57:31 +00:00
# Check examples of 'subjectAltName'
2017-03-20 23:26:57 +00:00
its('extensions.subjectAltName') { should include 'email:support@chef.io' }
2017-03-15 23:57:31 +00:00
end