Proactively Handling Certificate Expiration With ssl-cert-check


Digital certificates have become an essential part of Internet commerce, and are widely used to verify the identity of clients and servers. All digital certificates contain an expiration date which most client and server applications will check before using the certificate's contents. If a client or server application detects that a certificate has expired, one or more implementation-specific actions (e.g., abort the connection, check or update a revocation list, alert the user, etc.) are typically performed.

When a web browser encounters an expired certificate, the browser will normally present the user with a warning message indicating that the certificate has expired. Some browsers will continue connecting to the site after presenting the user with the warning, while others will prompt the user with a dialog box requesting their approval to proceed. These warnings are extremely confusing for the typical web user, and cause most users to question the authenticity of the site they are attempting to view.

If an application server detects an expired certificate on a system it is communicating with, the application server may continue processing data as if nothing happened, or the connection may be abruptly terminated. Some applications will log a useful error when this situation is encountered, while others will display "connection failure" messages that only indicate a problem with the underlying transport. If an application is configured to abort communications when an expired certificate is encountered, a service interruption will usually result. If the CA (Certificate Authority) used to issue certificates to the company or individual is not available when the expired certificate is detected, the service interruption can quickly escalate to a major disaster. These events not only lead to lost revenue, but the site's credibility is called into question by business partners and users accessing the service with the expired certificate.

I support numerous websites as part of my job, and am always looking for ways to boost uptime and increase user satisfaction with our website. Since an expired certificate would frustrate our users and limit our ability to seamlessly deliver content to our clients, I decided to develop a software tool to monitor our certificate expiration dates. The result of my work is the SSL Certificate Checker (ssl-cert-check), a Bourne shell script that uses OpenSSL to check certificate expiration dates. ssl-cert-check can extract the certificate expiration date from a live server, or it can be used to view the expiration date from a PEM-encoded X.509 certificate file. If ssl-cert-check finds a certificate that will expire within a user-defined threshold (e.g., the next 60 days), an e-mail notification is sent to warn the administrator.

Using ssl-cert-check

ssl-cert-check is provided free of charge, and can be downloaded from the prefetch.net web servers:

$ wget https://raw.githubusercontent.com/Matty9191/ssl-cert-check/master/ssl-cert-check

ssl-cert-check comes with several options, which can be viewed with the "-h" (help) option:

$ ssl-cert-check -h

Usage: ssl-cert-check [ -e email ] [ -x expir_days ] [ -q ] [ -a ] [ -h ] [-i]
       {[ -s common_name ] && [ -p port]} || {-f cert_file} || {-c certificate file}

  -a               : Send a warning message through email
  -c cert file     : Print the expiration date for a PEM formatted
                     certificate passed as an option
  -e email address : Email address to send expiration notices
  -f cert file     : File with a list of FQDNs and ports
  -h               : Print this screen
  -i               : Print the issuer of the certificate
  -p port          : Port to connect to (interactive mode)
  -s commmon name  : Server to connect to (interactive mode)
  -q               : Don't print anything on the console
  -x days          : Certificate expiration interval (eg. if cert_date < days)

Running ssl-cert-check Against a Certificate File

If you manage numerous certificates on a web server, you can use ssl-cert-check to print the expiration date for each certificate. To view the date when a certificate stored in the file cacert.pem will expire, ssl-cert-check can be executed with the “-c” (certificate file to process) option and the certificate to process:

$ ssl-cert-check -c /etc/ca/cacert.pem

Host                                            Status       Expires      Days Left
----------------------------------------------- ------------ ------------ ----------
FILE:/etc/ca/cacert.pem                         Valid        Jan 2 2008   807

ssl-cert-check prints the file or hostname in the first column, a value indicating whether the certificate is valid in the second column, the date the certificate will expire in the third column, and the number of days remaining until the certificate expires in the fourth column.

Running ssl-cert-check Against A Network Accessible Server

If you do not have local access to the certificate files, you can use ssl-cert-check’s network connectivity option to extract the certificate expiration date from a live server. To check when the certificate used by the prefetch.net web server will expire, the server name or IP address and a port number can be passed to ssl-cert-check’s “-s” (server name) and “-p” (tcp port) options:

$ ssl-cert-check -s mail.prefetch.net -p 443

Host                                            Status       Expires      Days Left
----------------------------------------------- ------------ ------------ ----------
prefetch.net:443                                Valid        Jun 20 2006  246

Running ssl-cert-check Against A List Of Servers

If you manage dozens of SSL-enabled servers, you can place the server names and port numbers in a file, and run ssl-cert-check against that file:

$ cat ssldomains

prefetch.com 443
mail.prefetch.net 443
gmail.google.com 443
www.sun.com 443
www.spotch.com 443

$ ssl-cert-check -f ssldomains

Host                                            Status       Expires      Days Left
----------------------------------------------- ------------ ------------ ----------
prefetch.com:443                                Valid        May 23 2006  218
mail.prefetch.net:993                           Valid        Jun 20 2006  246
gmail.google.com:443                            Valid        Jun 7 2006   233
www.sun.com:443                                 Valid        May 11 2009  1302
www.spotch.com:443                              Connection refused Unknown Unknown

It is sometimes useful to view the organization that issued a certificate. When ssl-cert-check is executed with the “-i” (print issuer) option, the issuer is printed along with the certificate expiration date:

$ ssl-cert-check -i -f ssldomains

Host                                Issuer            Status   Expires     Days Left
----------------------------------- ----------------- -------- ----------- ---------
prefetch.com:443                    Comodo Limited    Valid    May 23 2006 218
mail.prefetch.net:993               Equifax Secure In Valid    Jun 20 2006 246
gmail.google.com:443                Thawte Consulting Valid    Jun 7 2006  233
www.sun.com:443                     Sun Microsystems  Valid    May 11 2009 1302
www.spotch.com:443                  Unknown           Connection refused Unknown Unknown

Getting e-mail Notifications When Certificates Expire

ssl-cert-check can provide e-mail notifications when a certificate is getting close to expiring. The expiration interval can be controlled with ssl-cert-check's "-x" (expiration interval) option, and the e-mail address to send notifications to can be passed as an argument to the "-e" (e-mail address to send alerts) option. The following example uses both options to send an e-mail notification if one or more of the hosts listed in the file ssldomains has a certificate that will expire within the next 60 days:

$ ssl-cert-check -a -f ssldomains -q -x 60 -e admin@prefetch.net

To get the most benefit from ssl-cert-check, ssl-cert-check should be run daily or weekly from a scheduling facility (e.g., cron).
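The following is an added example, not the ssl-cert-check script itself, showing the technique behind the file check ("-c"), the live-server check ("-s"/"-p") and the expiration threshold ("-x") described above: openssl reads the certificate's notAfter date, and a pure-POSIX Julian-day routine (the same idea as the Julian date routines the script uses, so no GNU "date -d" is required) turns that date into a signed "days left" count and a status. The two fetch helpers assume openssl is on the PATH; the date arithmetic needs nothing but sh. The notAfter lines in the comments are constructed in the exact format "openssl x509 -noout -enddate" prints; with "today" set to Oct 17 2005 the days-left values agree with the tables above (807, 246, 218).

```sh
#!/bin/sh
# Added example (not the ssl-cert-check script): openssl for the notAfter date,
# POSIX sh arithmetic for the "days left" count and the threshold status.
# Assumes openssl is on PATH for notafter_from_file / notafter_from_server only.

# Julian day number for a Gregorian year/month/day (Fliegel-Van Flandern).
jdn() {
    a=$(( (14 - $2) / 12 ))
    y=$(( $1 + 4800 - a ))
    m=$(( $2 + 12 * a - 3 ))
    echo $(( $3 + (153 * m + 2) / 5 + 365 * y + y / 4 - y / 100 + y / 400 - 32045 ))
}

# Abbreviated month name as printed by openssl -> month number; fails on anything else.
month_num() {
    case "$1" in
        Jan) echo 1 ;;  Feb) echo 2 ;;  Mar) echo 3 ;;  Apr) echo 4 ;;
        May) echo 5 ;;  Jun) echo 6 ;;  Jul) echo 7 ;;  Aug) echo 8 ;;
        Sep) echo 9 ;;  Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *) return 1 ;;
    esac
}

# days_left NOTAFTER_LINE YEAR MONTH DAY
# NOTAFTER_LINE is what "openssl x509 -noout -enddate" prints, e.g. the constructed
# "notAfter=Jan  2 00:00:00 2008 GMT"; YEAR MONTH DAY is "today".
# Prints the signed number of days from today until expiry (negative = expired).
days_left() {
    ty=$2; tm=$3; td=$4
    set -- ${1#notAfter=}            # word-split into: Mon DD HH:MM:SS YYYY TZ
    mon=$(month_num "$1") || return 1
    echo $(( $(jdn "$4" "$mon" "$2") - $(jdn "$ty" "$tm" "$td") ))
}

# cert_status DAYS_LEFT THRESHOLD -> Expired | Expiring | Valid
# (Expiring mirrors the script's "-x" rule: days left below the warning interval).
cert_status() {
    if [ "$1" -lt 0 ]; then echo Expired
    elif [ "$1" -lt "$2" ]; then echo Expiring
    else echo Valid
    fi
}

# notAfter line of a PEM certificate file (the "-c" case). Needs openssl.
notafter_from_file() {
    openssl x509 -in "$1" -noout -enddate
}

# notAfter line of the certificate a live server presents (the "-s"/"-p" case).
# Empty stdin makes s_client exit once the handshake finishes; on a refused
# connection the pipeline prints nothing, which report() shows as Unknown.
notafter_from_server() {
    echo | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null
}

# report LABEL NOTAFTER_LINE THRESHOLD: one line in the style of the script's
# table, using the current UTC date as "today".
report() {
    ty=$(date -u +%Y); tm=$(date -u +%m); td=$(date -u +%d)
    tm=${tm#0}; td=${td#0}           # strip leading zero so sh does not read 08 as octal
    if [ -z "$2" ] || ! left=$(days_left "$2" "$ty" "$tm" "$td"); then
        printf '%-40s %-10s %s\n' "$1" "Unknown" "Unknown"
        return 1
    fi
    printf '%-40s %-10s %s\n' "$1" "$(cert_status "$left" "$3")" "$left"
}

# Usage:  sh check.sh /etc/ca/cacert.pem [threshold_days]
#         sh check.sh mail.prefetch.net 443 [threshold_days]
if [ -f "$1" ]; then
    report "FILE:$1" "$(notafter_from_file "$1")" "${2:-60}"
elif [ -n "$2" ]; then
    report "$1:$2" "$(notafter_from_server "$1" "$2")" "${3:-60}"
fi
```

The return value of report() is non-zero for an unreadable or unreachable certificate, so a cron job can treat "Unknown" as a failure rather than silently skipping it; a host that cannot be checked is as much a monitoring gap as one whose certificate is about to expire.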

Conclusion

Expired certificates can lead to a great deal of pain if not caught early enough. ssl-cert-check’s notification features can address this problem, and can be used to automate the cumbersome job of managing certificate expiration data.

Acknowledgements

I would like to thank Chris F.A. Johnson for allowing me to use his Julian date routines.

References

The following references were used while writing this article: