Watching out for expiring SSL certificates

I guess that, like me, you will be using one or more SSL certificates to encrypt client/server communications.

I use self-signed certificates as well as several which I created at http://CAcert.org/ for encrypting traffic between me and my web server, my IMAP server, my SMTP server and more. Invariably these will eventually expire; a limited validity period is part of the blanket of security you apply to your services.

An expired server certificate should at least generate warnings when a client connects to it; some clients will even refuse to connect to an encrypted data stream that uses an expired certificate.

So, you’ll have to watch out for expiration of your certificates, and replace them with new ones before any of the client programs will be affected.

There is a one-liner command to show you when an SSL certificate (let’s call it “somecert.pem”) expires:

# openssl x509 -noout -in somecert.pem -enddate | cut -d= -f2-

The command returns something like:

Nov 29 12:20:12 2010 GMT 

I use this command in a cron job that checks all SSL certificates in the “/etc/ssl/certs/” directory of my Slackware server for imminent expiration and starts sending me daily emails one month in advance. This is the script’s content; I scheduled it to run every day:

#!/bin/bash
#---------------------------------------------------------------------
# Check SSL certificate expiry. Warn root via email.
# Eric Hameleers, 23may2005
#---------------------------------------------------------------------
CERTDIR="/etc/ssl/certs"
WARNDAYS=31
#---------------------------------------------------------------------
# Today as a day count since the epoch
TODAY=$(( $(date +%s)/86400 ))
for i in "${CERTDIR}"/*.pem ; do
  # Skip the literal pattern when the directory holds no .pem files
  [ -e "$i" ] || continue
  # The notAfter field, e.g. "Nov 29 12:20:12 2010 GMT"
  EXPDATE=$(openssl x509 -noout -in "$i" -enddate | cut -d= -f2-)
  # Expiry date as a day count since the epoch (needs GNU date for -d)
  EXPDAY=$(( $(date -d "${EXPDATE}" +%s)/86400 ))
  if [ $((EXPDAY-TODAY)) -le "$WARNDAYS" ] ; then
    (cat <<EOT
!!! SSL CERTIFICATE EXPIRY !!!
==============================
The SSL Certificate '$i'
which is located in directory '${CERTDIR}'
will expire in less than $((EXPDAY-TODAY)) days!
NOTE:
You can check the contents of this certificate by running
'openssl x509 -text -noout -in $i'
==============================
Your Administrator.
EOT
    ) | mail -s "SSL Cert '$i' pending expiry on $(hostname)" root
  fi
done
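Added example, not part of Eric's post or of Slackware's certwatch: the same expiry arithmetic packaged as reusable shell functions. Like the script above it assumes GNU date (for `date -d`) and the openssl command-line tool; the function names `days_left`, `cert_enddate`, `cert_expiring`, `check_certdir` and `remote_enddate` are chosen here. It goes a little beyond the script above: it looks at symlinks as well as regular files (a directory of symlinked PEM files is not silently skipped), ignores files that openssl cannot read as a certificate (a stray key file, say), and shows openssl's own `-checkend` option, which performs the "expires within N seconds" test by itself. The remote helper at the end needs network access and is only there to show how the same check applies to a live server.

```shell
#!/bin/sh
# Added example: certificate-expiry helpers in the spirit of the cron script
# above. Assumes GNU date ("date -d") and the openssl command-line tool.

# days_left ENDDATE [NOW_EPOCH]
# Print the number of whole days between NOW (default: current time) and
# ENDDATE, the text after "notAfter=" from "openssl x509 -enddate",
# e.g. "Nov 29 12:20:12 2010 GMT". 0 or less means it expires today or
# has already expired. Returns 2 if the date cannot be parsed.
days_left() {
    local enddate="$1" now="${2:-$(date +%s)}" exp
    exp=$(date -d "$enddate" +%s 2>/dev/null) || return 2
    echo $(( (exp - now) / 86400 ))
}

# cert_enddate FILE
# Print the notAfter date of a PEM certificate; prints nothing if FILE is
# not a certificate openssl can parse.
cert_enddate() {
    openssl x509 -noout -in "$1" -enddate 2>/dev/null | cut -d= -f2-
}

# cert_expiring FILE WARNDAYS
# Exit 0 if FILE expires within WARNDAYS days (or is already expired or
# unreadable, which is worth a warning too), 1 if it stays valid longer.
# "openssl x509 -checkend SECONDS" exits 0 only while the certificate is
# still valid SECONDS from now.
cert_expiring() {
    local file="$1" warndays="$2"
    if openssl x509 -noout -in "$file" -checkend $(( warndays * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# check_certdir DIR WARNDAYS
# Report every .pem/.crt certificate in DIR (symlinks included) that
# expires within WARNDAYS days, one "<days> <file>" line each.
# Exit status 1 if anything was reported, 0 if all certificates are fine.
check_certdir() {
    local dir="$1" warndays="$2" f enddate days found=0
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -e "$f" ] || continue             # unmatched glob pattern
        enddate=$(cert_enddate "$f")
        [ -n "$enddate" ] || continue       # not a certificate
        days=$(days_left "$enddate") || continue
        if [ "$days" -le "$warndays" ]; then
            printf '%s %s\n' "$days" "$f"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# remote_enddate HOST PORT
# Print the notAfter date of the certificate a TLS server presents, so the
# same arithmetic can be run against a live service you operate.
# (Services that use STARTTLS need "-starttls smtp" or similar added.)
remote_enddate() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2-
}
```

From a daily cron script the report becomes the mail body only when there is something to report, for example `out=$(check_certdir /etc/ssl/certs 31) || printf '%s\n' "$out" | mail -s "SSL certs expiring on $(hostname)" root`.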

Hope it can be of use to some of you.

Eric

6 thoughts on “Watching out for expiring SSL certificates”

  1. Oops, chopp in ##slackware pointed out the script was giving errors. Turned out I did a bad job of converting into $().
    The post has been updated with a working version of the script.

    Eric


  2. root@darkstar:/etc# cat /etc/cron.daily/certwatch
    #!/bin/sh
    #
    # Will check all certificates stored in $CERTDIR for their expiration date,

    I think that it is already available


  3. Hahaha!

    You know, I have never seen that script before. I wrote the certificate checker for my Slackware 10.0 server, a long time ago, and as I am in the process of migrating to a new 13.1 server I am re-creating stuff to give me the functionality on 13.1 that I am used to having on 10.0.

    But I failed to consider the possibility that something like certwatch got added in the meantime.

    I guess I have never used SSL certificates on anything else than my old server, so the /etc/cron.daily/certwatch script never triggered on any of my Slackware desktop machines.

    Thanks for pointing it out Chris.

    Eric


  4. I like the new script because it works.
    And because it is small, easy to read and appropriate for Slackware.

    The old “certwatch” script does not work!
    It only searches for real files (find -type f ) and all of the PEM files are symbolic links… so it never even looks at them… (Edit the script and put a “set -x” near the top and then look at the output)

    What do you name your script? I call it “certalien”
    and it now sits happily in my /etc/cron.daily directory.


  5. Pingback: Cron warns me ca-certificates.crt is about to expire.

  6. Pingback: Slackware 14.0 RC4 - Page 13
