script to check if SSL certificate is valid
Solution 1
Your command would now expect a http request such as GET index.php
for example. Use this instead:
if true | openssl s_client -connect www.google.com:443 2>/dev/null | \
openssl x509 -noout -checkend 0; then
echo "Certificate is not expired"
else
echo "Certificate is expired"
fi
-
true
: will just give no input followed by eof, so that openssl exits after connecting.-
openssl ...
: the command from your question -
2>/dev/null
: error output will be ignored.
-
-
openssl x509
: activates X.509 Certificate Data Management.- This will read from standard input defaultly
-
-noout
: Suppresses the whole certificate output -
-checkend 0
: check if the certificate is expired in the next 0 seconds
Solution 2
It does get you the certificate, but it doesn't decode it. Since that would be needed if you want the date, you don't see it. So what's needed is that you pipe it into OpenSSL's x509
application to decode the certificate:
openssl s_client -connect www.example.com:443 \
-servername www.example.com </dev/null |\
openssl x509 -in /dev/stdin -noout -text
This will give you the full decoded certificate on stdout, including its validity dates.
Solution 3
If you need to check expiry date, thanks to this blog post, found a way to find this information with other relevant information with a single call:
echo | openssl s_client -servername unix.stackexchange.com -connect unix.stackexchange.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates
The output includes issuer, subject (to whom the certificate is issued), date of issued and finally date of expiry:
issuer= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
subject= /C=US/ST=NY/L=New York/O=Stack Exchange, Inc./CN=*.stackexchange.com
notBefore=May 21 00:00:00 2016 GMT
notAfter=Aug 14 12:00:00 2019 GMT
Related videos on Youtube
Tam Borine
Updated on September 18, 2022Comments
-
Tam Borine over 1 year
I have several SSL certificates, and I would like to be notified, when a certificate has expired.
My idea is to create a cronjob, which executes a simple command every day.
I know that the
openssl
command in Linux can be used to display the certificate info of remote server, i.e.:openssl s_client -connect www.google.com:443
But I don't see the expiration date in this output. Also, I have to terminate this command with CTRL+c.
How can I check the expiration of a remote certificate from a script (preferably using
openssl
) and do it in "batch mode" so that it runs automatically without user interaction?-
Admin over 8 yearsI would recommend to also send the servername with
-servername www.google.com
for SNI enabled servers To avoid the need for termination send /dev/null to it< /dev/null
-
Admin over 8 yearsIf your running Red Hat/CentOS/Fedora, have a look at certmonger. It's also available from the standard repositories.
-
Admin over 8 yearsI would add the certificate check in a monitoring tool like nagios or icinga.
-
-
Auspex over 4 years
-checkend
so much easier than the script I'd found that was doing date arithmetic! -
chaos over 2 years@MaXi32 No, the solution IS portable, it's not dependent on any index.php file. This was just an example.
-
MaXi32 over 2 yearsI replied to the wrong thread I thought this is about using curl or wget