Script to check SSL Certificates

A downstream service that we consumed at work had an expired SSL certificate, and it caused complications for our application. The knee-jerk reaction once the dust had settled was to make sure that everything was in order with our own certificates.

I wrote a script which uses the openssl tool to check a list of SSL certificates (hostnames listed in certs_to_check.txt) and output the details to a pipe-delimited document, which is then imported into Confluence (wiki software) as a table using their Java CLI tools. I’ve also added some wiki markup to the output document which colorises the page, putting the status in red or green depending on the validity of the certificate. This then becomes a central place to check on the status of our certs, rather than having to remember where each certificate is installed, or assume that some alert will fire from there when it is near expiry.


#!/bin/bash
echo "||Certificate||Expiry date||Status||Days to expire||" > /usr/vchecker/results
for name in $(cat certs_to_check.txt); do
  cert=/usr/vchecker/working/${name}.cert
  # Fetch the server certificate and the verification result. Reading stdin
  # from /dev/null makes s_client exit straight after the handshake (the
  # original used a heredoc containing a literal ^D for the same effect);
  # -servername sends SNI so virtual-hosted servers return the right cert.
  openssl s_client -connect "${name}:443" -servername "${name}" < /dev/null > "$cert"
  # s_client prints "Verify return code: 0 (ok)" when the chain validates
  returncode=$(grep 'return code' "$cert")
  if [ "$(echo "${returncode}" | grep -c 'ok')" -lt 1 ]; then
    valid="{color:red}Not Valid{color}:${returncode}"
  else
    valid="{color:green}Valid{color}:${returncode}"
  fi
  # notAfter=Nov 23 04:16:10 2012 GMT -> "23 Nov 2012"
  expiry=$(openssl x509 -in "${cert}" -noout -enddate | cut -d'=' -f2 | awk '{print $2 " " $1 " " $4}')

  # figure out number of days until the cert expires
  # convert expiry date to epoch time (GNU date; see the comments below for macOS/BSD)
  epochExpirydate=$(date -d "${expiry}" +%s)
  epochToday=$(date +%s)
  secondsToExpire=$(echo "${epochExpirydate} - ${epochToday}" | bc)
  daysToExpire=$(echo "${secondsToExpire} / 60 / 60 / 24" | bc)
  echo "|${name}|${expiry}|${valid}|${daysToExpire}|" >> /usr/vchecker/results
done

The resulting wiki page looks something like this:

[Image: example of the report uploaded to Confluence]

If you wanted to, you could also add some alerting to the script, for example for certificates with fewer than 30 days to expiry:

daysToExpire=$(echo "${secondsToExpire} / 60 / 60 / 24" | bc)
if [ "${daysToExpire}" -lt 30 ]; then
  echo "Warning: SSL Certificate ${name} has ${daysToExpire} days until expiry." | mail -s "SSL Certificate warning" someone@example.com
fi

However, in our case we feed the output file into our central monitoring and alerting system, where alerting is handled in a unified way.
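The script above leans on GNU `date -d` to turn the certificate's notAfter string into epoch seconds, which does not exist in that form on macOS or BSD. The following is an added example, not part of the original script, that does the same "days to expiry" calculation and the 30-day threshold check in plain POSIX sh arithmetic, so the same file runs unchanged on Linux, macOS and BSD. It parses the exact `Mon DD HH:MM:SS YYYY GMT` format that `openssl x509 -enddate` prints; the function names, the constructed sample dates and the `WARN_DAYS` threshold are my own assumptions.

```shell
#!/bin/sh
# Added example: portable "days until expiry" for an X.509 notAfter string,
# with no dependency on GNU `date -d` or BSD `date -j -f`.

WARN_DAYS=30   # assumed alert threshold, matching the post's example

# Map a three-letter month name to its number (1-12); prints nothing if unknown.
month_number() {
    case "$1" in
        Jan) echo 1 ;;  Feb) echo 2 ;;  Mar) echo 3 ;;  Apr) echo 4 ;;
        May) echo 5 ;;  Jun) echo 6 ;;  Jul) echo 7 ;;  Aug) echo 8 ;;
        Sep) echo 9 ;;  Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
    esac
}

# Days from 1970-01-01 to a proleptic-Gregorian civil date (y m d),
# using Howard Hinnant's integer days_from_civil algorithm.
days_from_civil() {
    y=$1; m=$2; d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
    doy=$(((153 * mp + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

# Convert "Nov 23 04:16:10 2012 GMT" (openssl -enddate output without the
# "notAfter=" prefix) to Unix epoch seconds. openssl always prints GMT, so no
# timezone handling is needed. Returns 1 on a malformed string.
notafter_to_epoch() {
    # shellcheck disable=SC2086  # intentional word splitting: Mon DD HH:MM:SS YYYY TZ
    set -- $1
    [ "$#" -ge 4 ] || return 1
    mon=$(month_number "$1"); [ -n "$mon" ] || return 1
    day=$2; year=$4
    hh=${3%%:*}; rest=${3#*:}; mm=${rest%%:*}; ss=${rest#*:}
    # Drop a leading zero so "08" is not read as an (invalid) octal literal.
    hh=${hh#0}; mm=${mm#0}; ss=${ss#0}
    days=$(days_from_civil "$year" "$mon" "$day")
    echo $((days * 86400 + hh * 3600 + mm * 60 + ss))
}

# Whole days from $2 (epoch seconds, default: now) until the notAfter in $1.
# Truncates toward zero like the bc division in the original script, so a
# certificate that expired 36 hours ago reports -1.
days_to_expiry() {
    expiry_epoch=$(notafter_to_epoch "$1") || return 1
    now=${2:-$(date +%s)}
    echo $(( (expiry_epoch - now) / 86400 ))
}

# Classify a certificate the way the post's report does: EXPIRED, EXPIRING
# (inside the warning window) or VALID.
cert_status() {
    d=$(days_to_expiry "$1" "$2") || { echo "UNPARSEABLE"; return 1; }
    if   [ "$d" -lt 0 ];            then echo "EXPIRED"
    elif [ "$d" -lt "$WARN_DAYS" ]; then echo "EXPIRING"
    else                                 echo "VALID"
    fi
}

# Read the notAfter of a PEM certificate file and report on it.
# (Requires openssl; not exercised by the offline checks.)
report_cert_file() {
    raw=$(openssl x509 -in "$1" -noout -enddate) || return 1
    notafter=${raw#notAfter=}
    printf '%s|%s|%s|%s\n' "$1" "$notafter" \
        "$(cert_status "$notafter")" "$(days_to_expiry "$notafter")"
}

# Usage: ./certdays.sh cert1.pem cert2.pem ...   (no arguments: define only)
if [ "$#" -gt 0 ]; then
    for f in "$@"; do report_cert_file "$f"; done
fi
```

Because the conversion is pure integer arithmetic, the result is identical on every shell and platform, and the same functions can be pasted into the reporting loop above in place of the `date -d` line.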

4 thoughts on “Script to check SSL Certificates”

  1. What is the “-d” option of your `date` command? It doesn’t work on either of my systems. The “-d” is for timezone on Mac OS and FreeBSD.

    1. date -d allows you to do simple date maths from a Linux shell, like:

      $ date -d "+10 days"
      Fri Nov 23 04:16:10 PST 2012
      $ date -d "-5 hours"
      Mon Nov 12 23:16:21 PST 2012
      
  2. And it also allows you to change the format of the date string to another specified format, which is what's happening in my script above.

    The man page says “-d, --date=STRING
    display time described by STRING, not ‘now’”

  3. Super! Thank you. On my Mac, I had to change the format string as follows:

    epochExpirydate=$(date -j -f "%d %b %Y" "${expiry}" +%s)
