Testing for expired certificates


I made some major enhancements to ssl-cert-check, and released a new version to the daemons.net web server. The new version no longer requires GNU date, which should make it a bit more portable. If you have never used ssl-cert-check before, you can start by reviewing the available options with the “-h” (help) option:

$ ssl-cert-check -h

Usage: ssl-cert-check {[ -c certificate file ]} || {[ -b ] && [ -f cert_file ]} || {[ -s common_name ] && [ -p port]}}
[ -e email ] [ -x expir_days ] [ -q ] [ -a ] [ -h ]
-a : Send a warning message through email
-b : Print the expiration date for all certificates in cert_file (batch mode)
-c cert file : Print the expiration date for a PEM formatted certificate passed as an option
-e email address : Email address to send expiration notices
-f cert file : File with a list of common names and ports (eg., blatch.com 443)
-h : Print this screen
-p port : Port to connect to (interactive mode)
-s commmon name : Server to connect to (interactive mode)
-q : Don't print anything on the console
-x days : Certificate expiration interval (eg. if cert_date < days)

If you wish to view the expiration date for a PEM encoded X.509 certificate, ssl-cert-check can be invoked with the “-c” (certificate file to process) option and a certificate file to process:

$ ssl-cert-check -c /etc/ca/cacert.pem

Host Status Expires Days Left
FILE:/etc/ca/cacert.pem Valid Jan 2 2008 815

To check when an SSL-enabled server’s certificate will expire, ssl-cert-check can be executed with the “-s” (server name) and “-p” (TCP port to use) options:

$ ssl-cert-check -s mail.daemons.net -p 443

Host Status Expires Days Left
mail.daemons.net:443 Valid Jun 20 2006 254

If you manage dozens of SSL-enabled servers, you can place the server names and port numbers in a file, and run ssl-cert-check against that file:

$ cat ssldomains

www.daemons.com 443
mail.daemons.net 443
gmail.google.com 443
www.sun.com 443
www.spotch.com 443

$ ssl-cert-check -b -f ssldomains

Host Status Expires Days Left
www.daemons.com:443 Valid May 23 2006 226
mail.daemons.net:443 Valid Jun 20 2006 254
gmail.google.com:443 Valid Jun 7 2006 241
www.sun.com:443 Valid May 11 2009 1310
www.spotch.com:443 Connection refused ? ?

ssl-cert-check can also be used to provide automated alerts when certificates are about to expire. The following example uses ssl-cert-check’s “-q” (quiet – don’t write anything to the terminal), “-a” (automated alerts) and “-e” (e-mail address to send alerts to) options to send an e-mail to admin@daemons.net if a certificate will expire in the next 60 days:

$ ssl-cert-check -a -f ssldomains -x 60 -b -q -e admin@daemons.net

The automated alert option can also be used with the batch processing mode, and will trigger one automated notification per problematic certificate. Send me an e-mail if you run into any issues.
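The batch check described above, re-implemented as an added Python example (this is not Matty's script): it runs the same openssl s_client pipeline the shell tool relies on, reads an ssldomains-style file, applies the "-x" warning window, and reports the "?" placeholders for a host that returns no certificate. The fetch step is injectable so the classification can be exercised without a network; host names and dates used in comments are assumptions.

```python
import ssl
import subprocess
from datetime import datetime, timezone

def parse_domains(text):
    """Parse 'common_name port' lines (the -f file format); skip blanks and comments."""
    targets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            host, port = line.split()
            targets.append((host, int(port)))
    return targets

def fetch_not_after(host, port):
    """Run the openssl pipeline the shell script uses and return the notAfter
    field, e.g. 'Jun 20 12:00:00 2006 GMT' (assumes openssl is on PATH)."""
    client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=15)
    enddate = subprocess.run(["openssl", "x509", "-noout", "-enddate"],
                             input=client.stdout, capture_output=True)
    if enddate.returncode != 0 or not enddate.stdout.startswith(b"notAfter="):
        raise RuntimeError(f"no certificate from {host}:{port}")
    return enddate.stdout.decode().strip().split("=", 1)[1]

def classify(not_after, now, warn_days):
    """Status, expiry date and days left, as ssl-cert-check reports them."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        status = "Expired"
    elif days_left < warn_days:       # inside the -x window: time to renew
        status = "Expiring"
    else:
        status = "Valid"
    return status, f"{expires:%b} {expires.day} {expires.year}", days_left

def check_batch(text, warn_days, now=None, fetch=fetch_not_after):
    """One (host:port, status, expires, days_left) row per target; a host that
    yields no certificate gets the '?' placeholders seen in the batch output."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for host, port in parse_domains(text):
        try:
            status, expires, days = classify(fetch(host, port), now, warn_days)
        except (RuntimeError, subprocess.TimeoutExpired):
            status, expires, days = "Connection refused", "?", "?"
        rows.append((f"{host}:{port}", status, expires, days))
    return rows
```

To reproduce the batch run above, call check_batch(open("ssldomains").read(), 60) and print each row; a row whose status is "Expiring" or "Expired" is the one that would trigger an alert.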

This article was posted by Matty on 2005-10-09 15:16:00 -0400