Monitoring and Testing SSL/TLS Configuration
Regular testing ensures your SSL/TLS configuration remains secure. Use these tools and commands:
```bash
# Test SSL/TLS configuration locally
openssl s_client -connect example.com:443 -tls1_2
openssl s_client -connect example.com:443 -tls1_3

# Check certificate details
openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem -text -noout

# Verify certificate chain
openssl verify -CAfile /etc/letsencrypt/live/example.com/chain.pem /etc/letsencrypt/live/example.com/cert.pem

# Test OCSP stapling
openssl s_client -connect example.com:443 -status -tlsextdebug

# Check supported ciphers
nmap --script ssl-enum-ciphers -p 443 example.com
```
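The cipher scan is only useful for monitoring if its output is checked automatically. The following added example (not part of the original page) reads `ssl-enum-ciphers` output and flags legacy protocols, ciphers nmap grades below A, and any warnings; the function names, the flagging policy and the sample scan text are assumptions constructed for illustration.

```shell
# audit_cipher_scan: reads `nmap --script ssl-enum-ciphers` output on stdin,
# prints one finding per line, returns 1 if anything was flagged.
# Assumed policy: SSLv*, TLSv1.0 and TLSv1.1 are unwanted; cipher grades must be A.
audit_cipher_scan() {
  awk '
    BEGIN { bad = 0 }
    # Protocol header such as "|   TLSv1.0:"
    /^[|][ _]+(SSLv[0-9.]+|TLSv[0-9.]+):$/ {
      proto = $2; sub(/:$/, "", proto); section = ""
      if (proto ~ /^SSLv/ || proto == "TLSv1.0" || proto == "TLSv1.1") {
        print "PROTOCOL " proto " is enabled"; bad = 1
      }
      next
    }
    /^[|][ _]+(ciphers|compressors|warnings):$/ { section = $2; next }
    /cipher preference:|least strength:/ { section = ""; next }
    # Cipher line such as "|   TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C"
    section == "ciphers:" && / - [A-F]$/ {
      if ($NF != "A") { print "CIPHER " proto " " $2 " grade " $NF; bad = 1 }
      next
    }
    section == "warnings:" {
      sub(/^[|][ _]+/, ""); print "WARNING " proto ": " $0; bad = 1
    }
    END { exit bad }
  '
}
# Constructed sample in the ssl-enum-ciphers layout (not output from a real scan).
sample_scan() {
  cat <<'EOF'
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     cipher preference: server
|_  least strength: C
EOF
}
sample_scan | audit_cipher_scan || echo "scan has findings"
```

For a live check, pipe the nmap command shown above into `audit_cipher_scan` and alert on a non-zero exit status.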
Online testing tools provide comprehensive analysis:
- SSL Labs Server Test (ssllabs.com/ssltest)
- Mozilla Observatory (observatory.mozilla.org)
- Security Headers (securityheaders.com)
Create monitoring scripts for certificate expiration:
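```bash
#!/bin/bash
# check-cert-expiry.sh
DOMAIN="example.com"
DAYS=30

# Fetch the leaf certificate and extract its notAfter date
expiry_date=$(echo | openssl s_client -servername "${DOMAIN}" -connect "${DOMAIN}:443" 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
if [ -z "${expiry_date}" ]; then
    echo "ERROR: Could not retrieve certificate for ${DOMAIN}" >&2
    exit 2
fi

# Convert to epoch seconds (requires GNU date) and compute the days remaining
expiry_epoch=$(date -d "${expiry_date}" +%s)
current_epoch=$(date +%s)
days_left=$(( (expiry_epoch - current_epoch) / 86400 ))

if [ "${days_left}" -lt "${DAYS}" ]; then
    echo "WARNING: Certificate for ${DOMAIN} expires in ${days_left} days"
    # Send alert email or notification
fi
```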