A kindly PythonAnywhere user dropped us a line today to point out that StartCom and WoSign's SSL certificates are no longer going to be supported in Chrome, Firefox and Safari. I wanted to email all of our customers who were using certificates provided by those organisations.
We have all of the domains we host stored in a database, and it was surprisingly hard to find out how I could take a PEM-formatted certificate (the normal base-64 encoded stuff surrounded by "BEGIN CERTIFICATE" and "END CERTIFICATE") in a string and find out who issued it.
After much googling, I finally found the right search terms to get to this Stack Overflow post by mhawke, so here's my adaptation of the code:
from OpenSSL import crypto for domain in domains: cert = crypto.load_certificate(crypto.FILETYPE_PEM, domain.cert) issuer = cert.get_issuer().CN if issuer is None: # This happened with a Cloudflare-issued cert continue if "startcom" in issuer.lower() or "wosign" in issuer.lower(): # send the user an email