Digital certificates have become an essential part of Internet commerce, and are widely used to verify the identity of clients and servers. All digital certificates contain an expiration date which most client and server applications will check before using the certificates contents. If a client or server application detects that a certificate has expired, one or more implementation specific actions (e.g., abort connection, check or update a revocation list, alert user, etc.) are typically performed.
When a web browser encounters an expired certificate, the browser will normally present the user with a warning message indicating that the certificate has expired. Some browsers will continue connecting to the site after presenting the user with the warning, while others will prompt the user with a dialog box requesting their approval to proceed. These warnings are extremely confusing for the typical web user, and cause most users to question the authenticity of the site they are attempting to view.
If an application server detects an expired certificate with a system it is communicating with, the application server may continue processing data as if nothing happened, or the connection may be abruptly terminated. Some applications will log a useful error when this situation is encountered, while others will display “connection failure” messages to indicate a problem with the underlying transport. If an application is configured to abort communications when an expired certificate is encountered, a service interruption will usually result. If the CA (Certificate Authority) used to issue certificates to the company or individual is not available when the expired certificate is detected, the service interruption can quickly escalate to a major disaster. These events not only lead to lost revenue, but the sites credibility is called into question by business partners and users accessing the service with the expired certificate.
I support numerous websites as part of my job, and am always looking for ways to boost uptime and increase user satisfaction with our website. Since an expired certificate would frustrate our users and limit our ability to seamlessly deliver content to our clients, I decided to develop a software tool to monitor our certificate expiration dates. The result of my work is the SSL Certificate Checker (ssl-cert-check), which is a Bourne shell script that utilizes OpenSSL to check certificate expiration dates. ssl-cert-check can extract the certificate expiration date from a live server, or it can be used to view the expiration date from a PEM encoded X.509 certificate file. If ssl-cert-check finds a certificate that will expire within a user defined threshold (e.g., the next 60-days), an e-mail notification is sent to warn the adminstrator.
ssl-cert-check is provided free of charge, and can be downloaded from the prefetch.net web servers:
$ wget https://raw.githubusercontent.com/Matty9191/ssl-cert-check/master/ssl-cert-check
ssl-cert-check comes with several options, which can be viewed with the the “-h” (help) option:
$ ssl-cert-check -h
Usage: ssl-cert-check [ -e email ] [ -x expir_days ] [ -q ] [ -a ] [ -h ] [-i]
{[ -s common_name ] && [ -p port]} || {-f cert_file} || {-c certificate file}
-a : Send a warning message through email
-c cert file : Print the expiration date for a PEM formatted
certificate passed as an option
-e email address : Email address to send expiration notices
-f cert file : File with a list of FQDNs and ports
-h : Print this screen
-i : Print the issuer of the certificate
-p port : Port to connect to (interactive mode)
-s commmon name : Server to connect to (interactive mode)
-q : Don't print anything on the console
-x days : Certificate expiration interval (eg. if cert_date < days)
If you manage numerous certificates on a web server, you can use ssl-cert-check to print the expiration date for each certificate. To view the date when a certificate stored in the file cacert.pem will expire, ssl-cert-check can be executed with the “-c” (certificate file to process) option and the certificate to process:
$ ssl-cert-check -c /etc/ca/cacert.pem
Host Status Expires Days Left
----------------------------------------------- ------------ ------------ ----------
FILE:/etc/ca/cacert.pem Valid Jan 2 2008 807
ssl-cert-check will print the file or hostname in the first column, a value to indicate if the certifciate is valid in the second column, the date the certificate will expire in the third column, and the number of days remaining until the certificate expires in the fourth column.
If you do not have local access to the certificate files, you can use ssl-cert-check’s network connectivity option to extract the certificate expiration date from a live server. To check when the certificate used by the prefetch.net web server will expire, the server name or IP address and a port number can be passed to ssl-cert-check’s “-s” (server name) and “-p” (tcp port) options:
$ ssl-cert-check -s mail.prefetch.net -p 443
Host Status Expires Days Left
----------------------------------------------- ------------ ------------ ----------
prefetch.net:443 Valid Jun 20 2006 246
If you manage dozens of SSL-enabled servers, you can place the server names and port numbers in a file, and run ssl-cert-check against that file:
$ cat ssldomains
prefetch.com 443
mail.prefetch.net 443
gmail.google.com 443
www.sun.com 443
www.spotch.com 443
$ ssl-cert-check -f ssldomains
Host Status Expires Days Left
----------------------------------------------- ------------ ------------ ----------
prefetch.com:443 Valid May 23 2006 218
mail.prefetch.net:993 Valid Jun 20 2006 246
gmail.google.com:443 Valid Jun 7 2006 233
www.sun.com:443 Valid May 11 2009 1302
www.spotch.com:443 Connection refused Unknown Unknown
It is sometimes useful to view the organization that issued a certificate. When ssl-cert-check is executed with the “-i” (print issuer) option, the issuer is printed along with the certificate expiration date:
$ ssl-cert-check -i -f ssldomains
Host Issuer Status Expires Days Left
----------------------------------- ----------------- -------- ----------- ---------
prefetch.com:443 Comodo Limited Valid May 23 2006 218
mail.prefetch.net:993 Equifax Secure In Valid Jun 20 2006 246
gmail.google.com:443 Thawte Consulting Valid Jun 7 2006 233
www.sun.com:443 Sun Microsystems Valid May 11 2009 1302
www.spotch.com:443 Unknown Connection refused Unknown Unknown
ssl-cert-check can provide e-mail notifications when a certificate is getting close to expiring. The expiration interval can be controlled with ssl-cert-check’s “-x” (expiration interval) option, and the e-mail address to send notifications can be passed as an argument to the “-e” (e-mail address to send alerts) option. The following example uses both options to send an e-mail notification if one of more of the hosts listed in the file ssldomains contains a certificate that will expire within the next 60-days:
$ ssl-cert-check -a -f ssldomains -q -x 60 -e admin@prefetch.net
To get the most benefit from ssl-cert-check, ssl-cert-check should be run daily or weekly from a scheduling facility (e.g., cron).
Expired certificates can lead to a great deal of pain if not caught early enough. ssl-cert-check’s notification features can address this problem, and can be used to automate the cumbersome job of managing certificate expiration data.
I would like to thank Chris F.A. Johnson for allowing me to use his julian date routines.
The following references were used while writing this article: