A kindly PythonAnywhere user dropped us a line today to point out that StartCom and WoSign’s SSL certificates are no longer going to be supported in Chrome, Firefox and Safari. I wanted to email all of our customers who were using certificates provided by those organisations.
We have all of the domains we host stored in a database, and it was surprisingly hard to find out how I could take a PEM-formatted certificate (the normal base-64 encoded stuff surrounded by “BEGIN CERTIFICATE” and “END CERTIFICATE”) in a string and find out who issued it.
After much googling, I finally found the right search terms to get to this Stack Overflow post by mhawke, so here’s my adaptation of the code:
```python
from OpenSSL import crypto

# `domains` comes from our database; each entry's `cert` attribute holds the PEM text.
for domain in domains:
    cert = crypto.load_certificate(crypto.FILETYPE_PEM, domain.cert)
    issuer = cert.get_issuer().CN
    if issuer is None:
        # This happened with a Cloudflare-issued cert
        continue
    if "startcom" in issuer.lower() or "wosign" in issuer.lower():
        # send the user an email
        pass
```
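A more defensive variant of the check above, as an added example (not code from the original post or the Stack Overflow answer): it matches the substrings against every issuer attribute (O, OU, CN and so on) rather than CN alone, so a certificate whose issuer has no CN is still classified, and it reports unparseable PEM separately. The helper names and the throwaway self-signed sample certificates are constructed for illustration.

```python
from OpenSSL import crypto

DISTRUSTED = ("startcom", "wosign")  # substrings used in the post


def issuer_fields(pem):
    """Return all issuer attributes as (name, value) strings, e.g. ("O", "...")."""
    cert = crypto.load_certificate(crypto.FILETYPE_PEM, pem)
    return [(k.decode(), v.decode("utf-8", "replace"))
            for k, v in cert.get_issuer().get_components()]


def is_distrusted(pem):
    """True/False for a parseable certificate, None if the PEM cannot be loaded."""
    try:
        fields = issuer_fields(pem)
    except (crypto.Error, ValueError):
        return None
    return any(name in value.lower() for _, value in fields for name in DISTRUSTED)


def make_sample_cert(**issuer_attrs):
    """Constructed test input: a throwaway self-signed cert with the given issuer."""
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 2048)
    cert = crypto.X509()
    cert.get_subject().CN = "example.invalid"
    issuer = cert.get_issuer()  # wraps the cert's own issuer field
    for field, value in issuer_attrs.items():
        setattr(issuer, field, value)
    cert.set_serial_number(1)
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(3600)
    cert.set_pubkey(key)
    cert.sign(key, "sha256")
    return crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode()


if __name__ == "__main__":
    samples = {
        "issuer without CN": make_sample_cert(O="StartCom Ltd."),
        "unrelated issuer": make_sample_cert(O="Example Org", CN="Example Test CA"),
        "broken PEM": "-----BEGIN CERTIFICATE-----\nnot base64\n-----END CERTIFICATE-----",
    }
    for label, pem in samples.items():
        print(label, "->", is_distrusted(pem))
```

A `None` result is worth logging for manual review rather than skipping, since it means the stored certificate could not be read at all.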