FAQs

Advanced TLS Renegotiation Detection: Detects scenarios where client certificates are required, including during TLS renegotiation and post-handshake authentication. 

Path-Specific Analysis: Tests multiple URL paths per host, allowing for the detection of endpoint-specific authentication needs, such as for paths like /admin or /api/secure. 

Multi-Vantage Analysis: Scans both from local and public DNS perspectives, highlighting differences between internal and external endpoint behaviour. 

Comprehensive Detection: Utilizes analysis of TLS handshakes, HTTP response codes, and error patterns to determine whether client certificates are required. 

Enterprise-Ready: Offers features like concurrent scanning, detailed reporting, and executive summaries, with three distinct output modes: Executive, Normal, and Verbose. 

Platform Detection: Automatically identifies the hosting platform in use, such as Cloudflare, AWS, or Azure. 

Flexible Output: Generates results in JSON, CSV, and human-readable console formats, with filtering options based on output mode. 

Private CA Detection: Differentiates between certificates issued by public and private Certificate Authorities. 

Single Host Scan 

Multiple Hosts 

Scan from File 

Enterprise-Scale Scan with CSV Export 

Executive Summary Mode 

Verbose Scan with Validation 

Multi-Path Testing 

[!] Likely Requires Client Certificate: Strong evidence of enforcement; migration planning is necessary. 

[?] Possibly Supports Client Authentication: The certificate allows for client authentication, but enforcement cannot be confirmed. 

[+] No Evidence of Client Certificate Enforcement: Endpoint appears safe for use with ServerAuth-only certificates. 

[~] Unclear – Manual Review Recommended: Results are inconclusive; further manual testing is advised. 

[O] Out of Scope – Private CA: Certificate issued by a private or internal CA; deprecation of public CA EKU does not apply. 

Obtain the EKU Advisor package for your operating system from the official distribution source or internal repository. 

Ensure you select the correct version for your platform:  

Windows: ekuadvisor.exe 

Linux: ekuadvisor 

Unzip or extract the downloaded archive to a directory of your choice. 

Recommended: Use a directory with read/write permissions (e.g., C:\Tools\EKUAdvisor on Windows or /opt/ekuadvisor on Linux). 

Network Access: Outbound HTTPS (port 443) must be allowed. 

DNS Resolution: Tool may perform public DNS lookups for analysis. 

No Credentials Needed: EKU Advisor does not require authentication credentials. 

For convenience, add the directory containing the executable to your system PATH:  

Windows:  setx PATH "%PATH%;C:\Tools\ekuadvisor" 

Linux/macOS: export PATH=$PATH:/opt/ekuadvisor 

Windows Example:  

Linux/macOS Example:  

Use -file hosts.txt for scanning multiple hosts. 

Use -executive for business-friendly summaries. 

Use -csv or -json for exporting results. 

Console Summary: Presents actionable, human-readable recommendations. 

JSON: Machine-readable format suitable for automation and dashboards, with three output modes tailored for different audiences. 

CSV: Executive-friendly format, ideal for spreadsheet analysis. 

Requires outbound HTTPS (port 443) connectivity. 

May perform public DNS lookups to assess endpoint behaviour. 

Analyses only public certificate information; does not access authentication credentials. 

Detects client certificate requirements solely during the initial TLS handshake; does not assess mid-connection or application-level authentication triggers.