Unix & Linux Stack Exchange is a question and answer site for users of Linux, FreeBSD and other Un*x-like operating systems. It's 100% free, no registration required.

I have several SSL certificates, and I would like to be notified when a certificate has expired.

My idea is to create a cronjob, which executes a simple command every day.

I know that the openssl command in Linux can be used to display the certificate info of a remote server, e.g.:

openssl s_client -connect www.google.com:443

But I don't see the expiration date in this output. Also, I have to terminate this command with Ctrl+C.

How can I check the expiration of a remote certificate from a script (preferably using openssl) and do it in "batch mode" so that it runs automatically without user interaction?

I would recommend also sending the server name with -servername www.google.com for SNI-enabled servers. To avoid the need for termination, send /dev/null to it: < /dev/null – syss 23 hours ago

If you're running Red Hat/CentOS/Fedora, have a look at certmonger. It's also available from the standard repositories. – JRFerguson 22 hours ago

2 Answers

Your command would now expect an HTTP request, such as GET index.php, for example. Use this instead:

if true | openssl s_client -connect www.google.com:443 2>/dev/null | \
  openssl x509 -noout -checkend 0; then
  echo "Certificate is not expired"
else
  echo "Certificate is expired"
fi

  • true: will just give no input followed by EOF, so that openssl exits after connecting.
  • openssl ...: the command from your question
    • 2>/dev/null: error output will be ignored.
  • openssl x509: activates X.509 Certificate Data Management.
    • This will read from standard input by default.
    • -noout: suppresses the whole certificate output.
    • -checkend 0: checks whether the certificate expires within the next 0 seconds.

It does get you the certificate, but it doesn't decode it. Since that would be needed if you want the date, you don't see it. So what's needed is that you pipe it into OpenSSL's x509 application to decode the certificate:

openssl s_client -connect www.example.com:443 \
    -servername www.example.com </dev/null |\
    openssl x509 -in /dev/stdin -noout -text

This will give you the full decoded certificate on stdout, including its validity dates.

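The two answers above each supply one piece: the first the -checkend exit-status test, the second the SNI handshake (-servername, stdin from /dev/null) and the x509 decode. The following is an added example, not code from either answer, that puts them together into a script you can run from cron, with a warning window in days rather than 0 seconds so the alert arrives before the certificate actually expires. The function names, the host list and the self-signed fixture certificate (generated locally so the checks can be exercised offline) are this example's own constructions; only the openssl subcommands and flags come from the tool.

```shell
#!/bin/sh
# Added example, not part of the original answers. Checks certificate
# lifetime with `openssl x509 -checkend` for a remote host or a PEM file.
# All function names here are this example's own; the openssl flags are real.

# Fetch the leaf certificate of host:port as PEM on stdout. -servername
# sends SNI so a virtual-hosted server returns the right certificate;
# </dev/null closes stdin so s_client exits instead of waiting for a request.
fetch_cert() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Return 0 if the PEM certificate in $1 stays valid for at least $2 more days,
# 1 if it has expired or expires within that window (-checkend takes seconds).
cert_valid_for_days() {
    cert=$1; days=$2
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null
}

# Print the notAfter date of the PEM certificate in $1, for the alert text.
cert_end_date() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Constructed fixture: write a self-signed certificate valid for $2 days to $1
# (key beside it), so the checks above can be run without a live server.
make_test_cert() {
    out=$1; days=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=cert-check.example" -keyout "$out.key" -out "$out" 2>/dev/null
}

# Cron driver: report every host whose certificate expires within $1 days.
# Returns 1 if any host needs attention, so cron mails the output.
check_hosts() {
    warn_days=$1; shift
    status=0
    for host in "$@"; do
        tmp=$(mktemp)
        if fetch_cert "$host" >"$tmp" 2>/dev/null && [ -s "$tmp" ]; then
            if cert_valid_for_days "$tmp" "$warn_days"; then
                echo "OK       $host (expires $(cert_end_date "$tmp"))"
            else
                echo "WARNING  $host expires within $warn_days days ($(cert_end_date "$tmp"))"
                status=1
            fi
        else
            echo "ERROR    $host: could not fetch certificate"
            status=1
        fi
        rm -f "$tmp"
    done
    return $status
}

# Usage from cron (needs network; hosts are placeholders):
#   check_hosts 14 www.example.com mail.example.com
```

Two caveats worth knowing before trusting this in production: `openssl x509` reads only the first certificate s_client prints, i.e. the leaf, so an intermediate that expires earlier is not caught; and you only see the certificate the server chose for the SNI name you sent, so check each name you serve, not just the host's canonical name.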
