Bulk check SSL certificate expiration

Posted on May 6th, 2008

It’s an easy thing to do, but it’s not explained anywhere. Python certificate support is nonexistent, and coding your own SSL wrapper kinda sucks... well, there’s openssl anyway!

The thing is, the openssl man page is kinda long and obscure, so here’s a snippet that’ll do it, since I will forget the options 2 days from now … :p

Usage: ./check_expiration www.verisign.com
[-] Certificate for www.verisign.com has not expired yet: May 8 23:59:59 2009 GMT

#!/bin/bash
# Fetch the server certificate and print its notBefore/notAfter dates.
dates=$(echo "GET /" |openssl s_client -connect "$1:443" 2> /dev/null |openssl x509 -noout -dates)
# For STARTTLS over e.g. smtp, replace the s_client command with:
# openssl s_client -connect "$1:25" -starttls smtp
if [ -z "$dates" ]; then
    echo "[!] Invalid IP, not SSL or no cert found"
    exit 2
fi
# $dates is left unquoted on purpose: echo joins the two lines, so the
# third '='-separated field is the notAfter value.
not_after=$(echo $dates|cut -d '=' -f 3)
now_epoch=$(date +%s)
# -d is GNU date syntax.
not_after_epoch=$(date +%s -d "$not_after")
if [ "$now_epoch" -gt "$not_after_epoch" ]; then
    echo "[!] Certificate for $1 has expired: $not_after"
    exit 1
else
    echo "[-] Certificate for $1 has not expired yet: $not_after"
fi
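
The script above checks one host per run. The following is an added example, not part of the original post, that reads a host list and also flags certificates expiring within a given number of days. The function names, the host list format and return code 3 are assumptions of this example; it needs GNU date and coreutils timeout.

```shell
#!/bin/bash
# Added example (not from the original post).
# Return codes: 0 = OK, 1 = expired, 2 = no certificate (both as in the script
# above), 3 = expires within the warning window (value chosen for this example).

# fetch_not_after HOST [PORT]: prints the notAfter date, or nothing on failure.
fetch_not_after() {
    timeout 10 openssl s_client -connect "$1:${2:-443}" -servername "$1" \
        </dev/null 2>/dev/null |
        openssl x509 -noout -enddate 2>/dev/null | sed -n 's/^notAfter=//p'
}

# classify_expiry NOT_AFTER WARN_DAYS [NOW_EPOCH]
classify_expiry() {
    ce_end=$(date -u -d "$1" +%s 2>/dev/null) || return 2   # unparsable date
    ce_now=${3:-$(date +%s)}
    if [ "$ce_now" -gt "$ce_end" ]; then
        echo "expired: $1"; return 1
    fi
    ce_days=$(( (ce_end - ce_now) / 86400 ))
    if [ "$ce_days" -lt "$2" ]; then
        echo "expires in $ce_days days: $1"; return 3
    fi
    echo "ok, $ce_days days left: $1"
}

# bulk_check WARN_DAYS < hosts.txt   (one "host" or "host:port" per line)
# Prints one line per host; returns 1 if any host is not OK.
bulk_check() {
    bc_bad=0
    while IFS= read -r bc_line; do
        case "$bc_line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        bc_host=${bc_line%%:*}; bc_port=443
        case "$bc_line" in *:*) bc_port=${bc_line##*:} ;; esac
        bc_rc=0
        bc_end=$(fetch_not_after "$bc_host" "$bc_port")
        if [ -z "$bc_end" ]; then
            bc_msg="invalid host, not SSL or no cert found"; bc_rc=2
        else
            bc_msg=$(classify_expiry "$bc_end" "$1") || bc_rc=$?
        fi
        [ "$bc_rc" -eq 0 ] || bc_bad=1
        echo "$bc_line [$bc_rc] $bc_msg"
    done
    return "$bc_bad"
}

# Runs only when given a threshold, e.g.: ./bulk_check_expiration 30 < hosts.txt
if [ "$#" -ge 1 ]; then bulk_check "$1"; fi
```

The s_client call reads from /dev/null so it cannot consume the host list on stdin, and the timeout keeps one unreachable host from stalling the whole run.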

2 Responses to “Bulk check SSL certificate expiration”

  1. Wingi says:

    Thanx!

  2. Vlad says:

    Hi Kang, this script might be even more useful if it gave a warning for certificates expiring within a … month, fortnight, week …. or whatever gets specified as a parameter.
