Bulk check SSL certificate expiration


It’s an easy thing to do, but it isn’t explained anywhere. Python certificate support is nonexistent, coding your own SSL wrapper kinda sucks... well, there’s openssl anyways!

The thing is, the openssl man page is kinda long and obscure, so here’s a snippet that’ll do it, since I will forget the options two days from now ... :p

Usage: ./check_expiration www.verisign.com
[-] Certificate for www.verisign.com has not expired yet: May 8 23:59:59 2009 GMT

#!/bin/sh
# Fetch the server certificate and print its notBefore/notAfter lines.
dates=$(echo "GET /" | openssl s_client -connect "$1:443" 2> /dev/null | openssl x509 -noout -dates)
# For STARTTLS over e.g. smtp, replace the s_client call with:
# openssl s_client -connect "$1:25" -starttls smtp
if [ -z "$dates" ]; then
    echo "[!] Invalid IP, not SSL or no cert found"
    exit 2
fi
# $dates is left unquoted on purpose: echo joins the two lines into one,
# so the third '='-separated field is the notAfter value.
not_after=$(echo $dates | cut -d '=' -f 3)
now_epoch=$(date +%s)
# date -d is a GNU date option.
not_after_epoch=$(date +%s -d "$not_after")
if [ "$now_epoch" -gt "$not_after_epoch" ]; then
    echo "[!] Certificate for $1 has expired: $not_after"
    exit 1
else
    echo "[-] Certificate for $1 has not expired yet: $not_after"
fi
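
The snippet above checks one host per run. As an added example (not part of the original post), the same openssl pipeline can be wrapped to read a list of hosts and to flag certificates that are close to expiry, not only those already expired. The function names, the hosts-file format (one HOST or HOST:PORT per line, `#` for comments) and the `WARN_DAYS` default of 30 are assumptions; like the original, it needs GNU date.

```shell
#!/bin/sh
# Added example: bulk expiry check with a warning window (needs GNU date).
WARN_DAYS=${WARN_DAYS:-30}   # assumed threshold: flag certs with < 30 days left

# fetch_dates HOST[:PORT] -> the "openssl x509 -dates" lines, or nothing
fetch_dates() {
    case "$1" in
        *:*) target=$1 ;;
        *)   target="$1:443" ;;
    esac
    echo | openssl s_client -connect "$target" 2>/dev/null |
        openssl x509 -noout -dates 2>/dev/null
}

# classify DATES NOW_EPOCH -> prints "STATE DAYS_LEFT"; returns 0 only for OK
classify() {
    not_after=$(printf '%s\n' "$1" | sed -n 's/^notAfter=//p')
    [ -n "$not_after" ] || { echo "NOCERT -"; return 2; }
    end=$(date -u +%s -d "$not_after" 2>/dev/null) || { echo "NOCERT -"; return 2; }
    days=$(( (end - $2) / 86400 ))
    if [ "$end" -le "$2" ]; then
        echo "EXPIRED $days"; return 1
    elif [ "$days" -lt "$WARN_DAYS" ]; then
        echo "EXPIRING $days"; return 1
    fi
    echo "OK $days"
}

# bulk_check FILE -> one "HOST STATE DAYS_LEFT" line per host; 1 if any not OK
bulk_check() {
    rc=0
    now=$(date +%s)
    while read -r host || [ -n "$host" ]; do
        case "$host" in ''|'#'*) continue ;; esac   # skip blanks and comments
        result=$(classify "$(fetch_dates "$host")" "$now") || rc=1
        echo "$host $result"
    done < "$1"
    return "$rc"
}

if [ "$#" -gt 0 ]; then bulk_check "$1"; fi
```

Run it as `WARN_DAYS=14 ./bulk_check hosts.txt`; the non-zero exit status when any host is EXPIRED, EXPIRING or NOCERT makes it usable from cron or a monitoring check.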