All scripts
analysis
Advanced
2–8 min
TLS / Cert & Cipher Auditor
Management/control plane crypto audit: SSH host-key strength, HTTPS/RESTCONF cert chain validity, expiry windows, weak cipher/KEX detection, RADIUS/TACACS TLS, and CRL/OCSP reachability.
Cisco IOS/XE/XR
Juniper
Arista
Nokia SR-OS
F5
Palo Alto
You're viewing a preview
The full script, parameters, and execution console are available with a free account.
Already have access? Sign in →
Capabilities
- SSH host-key algo audit
- HTTPS cert chain walk
- Expiry windowing (30/60/90d)
- Weak cipher/KEX scan
- TLS 1.0/1.1 detection
- SAN/CN hostname match
- CRL/OCSP reachability
- RADSEC/TACACS+ TLS check
Required inputs
Parameters the script accepts. Defaults shown; some are vendor- or context-gated.
| Parameter | Type | Default | Notes |
|---|---|---|---|
Cert expiry warn (days) warn_days | number | 30 | — |
Cert expiry crit (days) crit_days | number | 7 | — |
Min RSA key size min_rsa_bits | number | 2048 | Palo Alto PAN-OS 11+ enforces ≥3072-bit RSA — minimum auto-raised to match. |
Forbidden ciphers (CSV) forbid_ciphers | string | 3DES,RC4,NULL,EXPORT | — |
Min TLS version min_tls | string | 1.2 | F5 BIG-IP profiles default to TLSv1.2 — pinned to prevent unsupported negotiation. |
Verify CRL/OCSP reachable check_crl | bool | true | — |
Sample inventory schema
Authoritative shape of the device/policy data this script consumes.
No bundled inventory sample. The script accepts standard device lists (CSV/YAML) with hostname, mgmt IP, vendor, and credentials.
Expected output
Reference terminal output the script should produce — used as a stylistic and structural target.
terminal
TLS / CERT AUDIT — 47 endpoints ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ CERTIFICATE EXPIRY: Endpoint CN Expires Days https://core-rtr-01:443 core-rtr-01.lab.io 2026-08-12 91 ✓ https://core-rtr-02:443 core-rtr-02.lab.io 2026-06-04 22 ⚠ <30d https://edge-rtr-03:443 edge-rtr-03.lab.io 2026-05-18 05 ← CRITICAL https://pe-rtr-01:443 *.pe.lab.io EXPIRED -3 ← EXPIRED!