Script to check SSL Certificates

A downstream service that was being consumed at work had an expired SSL certificate and it caused complications for our application. The knee-jerk reaction once the dust had settled was to make sure that everything was in order with our own certificates.

I wrote a script which uses the openssl tool to check a list of SSL certificates (in certs_to_check.txt) and output the details to a pipe-delimited document, which is then imported into Confluence (wiki software) as a table using their Java CLI tools. I’ve also added some wiki markup in the output document which colorises the page, putting the status in red or green depending on the validity of the certificate. This then becomes a central place to check on the status of our certs, rather than having to remember where each certificate is installed, and assume that some alerts will fire from there when they are near expiry.

echo "||Certificate||Expiry date||Status||Days to expire||" > /usr/vchecker/results
for name in $(cat certs_to_check.txt); do
 # working file that holds the s_client output for this host
 cert=/usr/vchecker/working/${name}.cert
 # the here-document supplies stdin so s_client exits after the handshake
 openssl s_client -connect ${name}:443 > $cert <<EOD
EOD
 returncode=$(grep 'return code' $cert)
 if [ "$(echo ${returncode} | grep -c 'ok')" -lt 1 ]; then
  valid="{color:red}Not Valid{color}:${returncode}"
 else
  # green status; the label text is assumed, the post only shows the red branch
  valid="{color:green}Valid{color}"
 fi
 # reorder "notAfter=Mon DD HH:MM:SS YYYY TZ" into "DD Mon YYYY"
 expiry=$(openssl x509 -in ${cert} -noout -enddate | cut -d'=' -f2 | awk '{print $2 " " $1 " " $4}')

 # figure out number of days until the cert expires
 # convert expiry date to epoch time
 epochExpirydate=$(date -d"${expiry}" +%s)
 epochToday=$(date +%s)
 secondsToExpire=$(echo ${epochExpirydate} - ${epochToday} | bc)
 daysToExpire=$(echo "${secondsToExpire} / 60 / 60 / 24" | bc)
 echo "|${name}|${expiry}|${valid}|${daysToExpire}|" >> /usr/vchecker/results
done

The resulting wiki page looks something like this:

[Image: Example of report uploaded to Confluence]

If you wanted to, you could also add some alerting into the script, for example for certificates with less than 30 days to expiry:

daysToExpire=$(echo "${secondsToExpire} / 60 / 60 / 24" | bc)
if [ "${daysToExpire}" -lt "30" ]; then
 # recipient address is a placeholder; the original snippet did not include one
 echo "Warning: SSL Certificate ${name} has ${daysToExpire} days until expiry." | mail -s "SSL Certificate warning" admin@example.com
fi

However, in our case we are feeding the output file into our central monitoring and alerting system where the alerting is handled in a unified way.
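The expiry calculation as an added example (not the author's script): it takes the `notAfter=` line printed by `openssl x509 -noout -enddate`, works with either GNU or BSD `date`, and decides "expired" on seconds rather than on the truncated day count. The function names, status labels and sample date are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a certificate from its "notAfter=" line and emit a
# row in the post's wiki table markup. Names and labels here are illustrative.

WARN_DAYS=30   # alert threshold mentioned in the post

# Convert an OpenSSL end date ("Jan  1 00:00:00 2030 GMT") to epoch seconds.
enddate_to_epoch() {
    # GNU date (Linux) parses the string directly with -d
    date -u -d "$1" +%s 2>/dev/null && return 0
    # BSD date (macOS, FreeBSD) needs -j and an explicit input format
    date -j -u -f "%b %d %T %Y %Z" "$1" +%s 2>/dev/null
}

# cert_status "<notAfter=... line>" [now_epoch]
# Prints "<STATUS> <days>"; STATUS is EXPIRED, WARNING, OK or UNKNOWN.
cert_status() {
    enddate=${1#notAfter=}
    now=${2:-$(date +%s)}
    expiry=$(enddate_to_epoch "$enddate") || { echo "UNKNOWN -"; return 2; }
    seconds=$((expiry - now))
    # Integer division truncates toward zero: a certificate 12 hours past
    # expiry is "0 days", so test the seconds, not the day count.
    days=$((seconds / 86400))
    if [ "$seconds" -le 0 ]; then
        echo "EXPIRED $days"
    elif [ "$days" -lt "$WARN_DAYS" ]; then
        echo "WARNING $days"
    else
        echo "OK $days"
    fi
}

# wiki_row <name> "<notAfter=... line>" [now_epoch]
wiki_row() {
    result=$(cert_status "$2" "$3") || return 2
    status=${result% *}
    days=${result#* }
    if [ "$status" = OK ]; then colour=green; else colour=red; fi
    echo "|$1|${2#notAfter=}|{color:${colour}}${status}{color}|${days}|"
}
```

Pass the second argument only when you need a fixed "now" for repeatable checks; in normal use `wiki_row "$name" "$(openssl x509 -in "$cert" -noout -enddate)"` is enough.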


  1. What is the “-d” option of your date command? It doesn’t work on either of my systems. The “-d” is for timezone on Mac OS and FreeBSD.

    1. date -d allows you to do simple date maths from a Linux shell, like:

      $ date -d "+10 days"
      Fri Nov 23 04:16:10 PST 2012
      $ date -d "-5 hours"
      Mon Nov 12 23:16:21 PST 2012
  2. And it also allows you to change the format of the date string, to another specified format, which is what's happening in my script above.

    The man page says “-d, --date=STRING
    display time described by STRING, not ‘now’”

  3. Super! Thank you. On my Mac, I had to change the format string as follows:

    epochExpirydate=$(date -j -f "%d %b %Y" "${expiry}" +%s)

  4. Hi,

    How to write the output of the script into Confluence? I'm using Google Apps; is there any possibility where we can output into a Google site or Google Docs? Any help will be much appreciated.


  5. Hi,

    I wanted to check SSL expiry dates for all domains from the file certs_to_check.txt. I don't have some certificates, so I want to remove this cert=/usr/vchecker/working/${name}.cert line from the script. I tried and modified the script but it's not working. Any help will be much appreciated.
