I guess that, like me, you will be using one or more SSL certificates to encrypt client/server communications.

I use self-signed certificates as well as several which I created at http://CAcert.org/ for encrypting traffic between me and my web server, my IMAP server, my SMTP server and more. Invariably these will eventually expire, because that is part of the blanket of security you apply to your services.

An expired server certificate should at least generate warnings when a client connects to it, some clients will even refuse to connect to an encrypted data stream using an expired certificate.

So, you’ll have to watch out for expiration of your certificates, and replace them with new ones before any of the client programs will be affected.

There is a one-liner command to show you when a SSL certificate (let’s call it “somecert.pem”) expires:

?# openssl x509 -noout -in somecert.pem -enddate | cut -d= -f2-
?
The command returns something like:

Nov 29 12:20:12 2010 GMT 

I use this command in a cron job that checks all SSL certificates in the “/etc/ssl/certs/” directory of my Slackware server for imminent expiration and starts sending me daily emails one month in advance. This is the script’s content, I scheduled it to run every day:

#!/bin/bash
#---------------------------------------------------------------------
# Check SSL certificate expiry. Warn root via email.
# Eric Hameleers, 23may2005
#---------------------------------------------------------------------
CERTDIR="/etc/ssl/certs"
THE_DATE=$(date +%Y%m%d_%H%M)
WARNDAYS=31
#---------------------------------------------------------------------
TODAY=$(( $(date +%s)/86400 ))
for i in ${CERTDIR}/*.pem ; do
EXPDATE=$(openssl x509 -noout -in $i -enddate | cut -d= -f2-)
EXPDAY=$(( $(date -d "${EXPDATE}" +%s)/86400 ))
if [ $(($EXPDAY-$TODAY)) -le $WARNDAYS ] ; then
(cat <<EOT
!!! SSL CERTIFICATE EXPIRY !!!
==============================
The SSL Certificate '$i'
which is located in directory '${CERTDIR}'
will expire in less than $(($EXPDAY-$TODAY)) days!
NOTE:
You can check the contents of this certificate by running
'openssl x509 -text -noout -in $i'
==============================
Your Administrator.
EOT
) | mail -s "SSL Cert '$i' pending expiry on $(hostname)" root
fi
done

Hope it can be of use to some of you.

Eric