All scripts
analysis
Advanced
2–8 min

TLS / Cert & Cipher Auditor

Management/control plane crypto audit: SSH host-key strength, HTTPS/RESTCONF cert chain validity, expiry windows, weak cipher/KEX detection, RADIUS/TACACS TLS, and CRL/OCSP reachability.

Cisco IOS/XE/XR
Juniper
Arista
Nokia SR-OS
F5
Palo Alto
Open in GeneratorOpen in Platform
You're viewing a preview

The full script, parameters, and execution console are available with a free account.

Already have access? Sign in →

Capabilities

  • SSH host-key algo audit
  • HTTPS cert chain walk
  • Expiry windowing (30/60/90d)
  • Weak cipher/KEX scan
  • TLS 1.0/1.1 detection
  • SAN/CN hostname match
  • CRL/OCSP reachability
  • RADSEC/TACACS+ TLS check

Required inputs

Parameters the script accepts. Defaults shown; some are vendor- or context-gated.

ParameterTypeDefaultNotes
Cert expiry warn (days)
warn_days
number30
Cert expiry crit (days)
crit_days
number7
Min RSA key size
min_rsa_bits
number2048
Palo Alto PAN-OS 11+ enforces ≥3072-bit RSA — minimum auto-raised to match.
Forbidden ciphers (CSV)
forbid_ciphers
string3DES,RC4,NULL,EXPORT
Min TLS version
min_tls
string1.2
F5 BIG-IP profiles default to TLSv1.2 — pinned to prevent unsupported negotiation.
Verify CRL/OCSP reachable
check_crl
booltrue

Hint 1Name your vendors and OS versions

Mention the exact platforms you run (Cisco IOS/XE/XR, Juniper, Arista, …) so the generated analysis logic uses the right CLI/NETCONF syntax.

Hint 2State your real thresholds

Provide concrete values for Cert expiry warn (days), Cert expiry crit (days), Min RSA key size instead of the defaults — they shape what counts as a fault.

Hint 3Prioritize the checks you need

This tool can sSH host-key algo audit and hTTPS cert chain walk. Ask for the subset relevant to your incident to keep output focused.

Hint 4Describe your inventory format

Tell the assistant whether your device list is CSV, YAML, or JSON and which columns it has, so parsing matches your data.

Sample inventory schema

Authoritative shape of the device/policy data this script consumes.

No bundled inventory sample. The script accepts standard device lists (CSV/YAML) with hostname, mgmt IP, vendor, and credentials.

Expected output

Reference terminal output the script should produce — used as a stylistic and structural target.

terminal
TLS / CERT AUDIT — 47 endpoints
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

CERTIFICATE EXPIRY:
  Endpoint                    CN                    Expires         Days
  https://core-rtr-01:443     core-rtr-01.lab.io    2026-08-12      91   ✓
  https://core-rtr-02:443     core-rtr-02.lab.io    2026-06-04      22   ⚠ <30d
  https://edge-rtr-03:443     edge-rtr-03.lab.io    2026-05-18      05   ← CRITICAL
  https://pe-rtr-01:443       *.pe.lab.io           EXPIRED         -3   ← EXPIRED!