Hi Greg,

Many thanks, you seem to have a good handle on this and have explained well.
I'll give this a whirl but watch your inbox for more help!!

Regards,
Gareth

-----Original Message-----
From: Greg Stark [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 06, 2001 7:25 PM
To: Dicks, Gareth M; [EMAIL PROTECTED]
Subject: Re: can I obtain certificate expiry dates using openssl?


Yes, openssl can help here. When you build the openssl package a number of
useful utilities are also built along with the libraries. One of these is
called openssl. If cert.pem is a certificate in PEM format, then

openssl x509 -in cert.pem -dates -noout

will give you two dates, the second of which you are interested in. For
example,

openssl x509 -in thawte_server.cer -dates -noout
notBefore=Aug  1 00:00:00 1996 GMT
notAfter=Dec 31 23:59:59 2020 GMT

A more interesting x509 option is the -checkend option, which sounds like
exactly what you are looking for. It answers the question "Does this
certificate expire within the next s seconds?", and returns 1 if it does
expire, or otherwise.

So maybe something like (I forget how to do arithmetic in shells these days)

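days=30                       # warning window in days (example value)
secs=$((days * 24 * 3600))    # -checkend takes a number of seconds
# Exit status 0 means the certificate will NOT expire within ${secs} seconds;
# exit status 1 means it will.
if openssl x509 -in cert.pem -checkend ${secs} -noout; then
    echo "plenty of time"
else
    echo "It will soon expire"
fi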

_____________________________________
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_____________________________________
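
An added example, not part of the original thread: a POSIX shell sketch of the monitoring script discussed above, built on the same -checkend option. The function names and return codes are assumptions for illustration. It separates "expiring" from "unreadable file", because openssl exits non-zero in both cases.

```shell
#!/bin/sh
# Added example (not from the thread). cert_status and check_certs are
# hypothetical names; the return codes are this example's own convention.

# cert_status FILE DAYS
#   returns 0 = valid for more than DAYS days
#           1 = expires within DAYS days (or has already expired)
#           2 = FILE is missing or is not a parseable PEM certificate
cert_status() {
    file=$1
    days=$2
    secs=$((days * 24 * 3600))
    # -checkend also exits non-zero when the file cannot be read or parsed,
    # so rule that out first; otherwise a bad path looks like an expiring cert.
    if ! openssl x509 -in "$file" -noout >/dev/null 2>&1; then
        return 2
    fi
    if openssl x509 -in "$file" -noout -checkend "$secs" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# check_certs DAYS FILE...
#   prints one line per certificate; returns the worst status seen (0, 1 or 2)
check_certs() {
    window=$1
    shift
    worst=0
    for f in "$@"; do
        rc=0
        cert_status "$f" "$window" || rc=$?
        case $rc in
            0) echo "OK       $f" ;;
            1) echo "EXPIRING $f ($(openssl x509 -in "$f" -noout -enddate))" ;;
            2) echo "ERROR    $f (cannot read certificate)" ;;
        esac
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}

# Usage: sh check_certs.sh 30 /path/to/cert1.pem /path/to/cert2.pem
if [ "$#" -ge 2 ]; then
    check_certs "$@"
fi
```

The script's exit status can drive the alerting tool: 1 for a certificate inside the warning window, 2 for a file that needs attention for a different reason.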



----- Original Message -----
From: "Dicks, Gareth M" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; "Dicks, Gareth M"
<[EMAIL PROTECTED]>
Sent: Tuesday, February 06, 2001 1:26 PM
Subject: can I obtain certificate expiry dates using openssl?


> Hi,
>
> I'm after some advice and tips please!
>
> I want to write a simple script (ksh?) that interrogates the SSL
> certificates on our Web servers (NES 3.6) and automatically alerts via
> unicentre when the certificates are close to expiring.
>
> I've been told that openssl can provide the tools to obtain the date info
> from the cert.. Can anyone offer any help on how to do this?
>
> Some details that may prove useful
>
> * O/S - Solaris 2.6
> * Netscape Enterprise Server 3.6
> * Certs issued by VeriSign
> * openssl 0.9.6 installed
>
> Many thanks
> Gareth
>
>
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
