On Mon, Jul 16, 2007 at 10:41:15AM -0500, Owen Crow wrote:
> I've seen some tests mentioned in this list, but they point to broken links.
>
> It seems like this can be done with the openssl command line, but I
> can only get certificate date information _after_ the certificate
> expires. If anyone knows how to extract an SSL certificate's
> expiration date remotely, I'd be happy to convert that into a monitor
> script.
Yes, I've wanted to do this for a long time. You just inspired me to read
the man pages and it looks pretty straightforward to use the openssl
command line:

  # download the certificate:
  openssl s_client -connect server.example.com:443 < /dev/null > testme.pem

  # print out the expiration date:
  openssl x509 -noout -in testme.pem -enddate

The output showing the expiration date looks like this:

  notAfter=Nov 3 18:58:34 1999 GMT

Which should be easy to feed to Date::Parse::str2time() to turn into a
ctime.

> I'm primarily interested in HTTPS, but it seems like this would be
> generic for any SSL/TLS-protected service.

The openssl command line man page says it also supports the SMTP and POP
protocols for downloading certificates:

  openssl s_client -connect mail.example.com:25 -starttls smtp < /dev/null > testme.pem

Or "-starttls pop3" for a POP server. No IMAP support, unfortunately.

Here's a possible starting point:

  sslcert.monitor [--protocol {https|smtp|pop3}] [--port NNN] [--expirewarn NN] host [...]

Where the port number defaults to 443, and expirewarn defaults to 30
days (i.e. alarm if the server's certificate expiration date is within
30 days). Later on we could add bells and whistles to check the
verification chain, warn on self-signed certs,

If you start the script I'll help you finish it. I suggest writing it
in Perl since I know it'll have no problem parsing the expiration date
output.

_______________________________________________
mon mailing list
mon@linux.kernel.org
http://linux.kernel.org/mailman/listinfo/mon
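The check the reply sketches (fetch the certificate with s_client, pull notAfter out with x509 -enddate, alarm when expiry is within N days), written out as shell functions. This is an added example, not code from the thread or from the mon project, and it assumes: openssl on the PATH, GNU date for parsing the notAfter string (a BSD date fallback is included), the -servername option (not mentioned in the thread) so a virtual-hosted server returns the certificate for the requested name, and the function names used here. The defaults follow the thread: port 443, https, warn at 30 days.

```sh
#!/bin/sh
# Added example (not from the thread or the mon project): the expiry check
# the reply sketches, as shell functions. Assumed: openssl, GNU date (BSD
# fallback below), and the function names chosen here.

# fetch_cert HOST PORT [PROTO]: print the server's leaf certificate as PEM.
# https connects directly; smtp and pop3 use -starttls as in the thread.
# -servername (not in the thread) sends SNI so a virtual-hosted server
# returns the certificate for HOST rather than its default one.
fetch_cert() {
    host=$1; port=$2; proto=${3:-https}
    case "$proto" in
        https)      starttls="" ;;
        smtp|pop3)  starttls="-starttls $proto" ;;
        *)          echo "unknown protocol: $proto" >&2; return 2 ;;
    esac
    # $starttls is deliberately unquoted so it splits into two arguments.
    # s_client echoes the whole handshake; sed keeps only the PEM block.
    openssl s_client -connect "$host:$port" -servername "$host" $starttls \
        </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# notafter_from_pem: PEM on stdin -> "notAfter=Nov  3 18:58:34 1999 GMT"
notafter_from_pem() {
    openssl x509 -noout -enddate
}

# to_epoch "Nov 3 18:58:34 1999 GMT": seconds since the epoch.
# GNU date accepts the openssl format directly; BSD date needs -f.
to_epoch() {
    date -u -d "$1" +%s 2>/dev/null \
        || date -ju -f '%b %d %H:%M:%S %Y %Z' "$1" +%s
}

# days_left NOTAFTER_LINE [NOW_EPOCH]: whole days until expiry, negative once
# expired. NOW_EPOCH is optional so the logic can be exercised with a fixed
# clock instead of the real one.
days_left() {
    when=${1#notAfter=}
    now=${2:-$(date +%s)}
    exp=$(to_epoch "$when") || return 2
    echo $(( (exp - now) / 86400 ))
}

# check_expiry NOTAFTER_LINE EXPIREWARN [NOW_EPOCH]: exit 0 if the certificate
# is good for at least EXPIREWARN more days, 1 if it expires sooner or has
# already expired (mon treats a non-zero exit as a failure).
check_expiry() {
    left=$(days_left "$1" "$3") || return 2
    [ "$left" -ge "$2" ]
}

# check_host HOST [PORT] [PROTO] [EXPIREWARN]: the whole monitor in one call.
check_host() {
    line=$(fetch_cert "$1" "${2:-443}" "${3:-https}" | notafter_from_pem) \
        || return 2
    [ -n "$line" ] || { echo "$1: no certificate returned" >&2; return 2; }
    left=$(days_left "$line") || return 2
    echo "$1: $line ($left days left)"
    check_expiry "$line" "${4:-30}"
}
```

Usage: source the file and run `check_host www.example.com` (or `check_host mail.example.com 25 smtp 14`); it prints the notAfter line with the days remaining and exits 1 when the alarm threshold is crossed, 2 when no certificate could be fetched or the date could not be parsed. Note that days_left truncates toward zero, so a certificate that expired earlier today reports 0 days, which still trips any positive expirewarn.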