Digital Certificate Expiration Utility

Howdy,

Over the years, I have worked in numerous environments where an expired digital certificate led to system outages and user confusion. I decided to write a tool to deal with this issue, and describe its usage in this month's (September) issue of SysAdmin. The utility can be run to produce certificate expiration info for a single SSL-enabled service, or given a file with a list of domains:

$ ./ssl-cert-check -s mail.daemons.net -p 443

Host                  Status  Expires      Days Left
mail.daemons.net:443  Valid   May 24 2005  282

$ cat ssldomains
mail.daemons.net 443
formatting link 443

$ ./ssl-cert-check -b -f ssldomains

Host                  Status  Expires      Days Left
mail.daemons.net:443  Valid   May 24 2005  282
formatting link       Down    ?            ?

There is email integration to remind you electronically when certificates are about to expire, and a quiet mode to allow easy integration with cron. ssl-cert-check is licensed under the GPL, and can be downloaded at:

formatting link
Please let me know if you run into problems or bugs.

Thanks,

- Ryan

Matty

in article snipped-for-privacy@corp.supernews.com, HoTShoT at @ wrote on 8/15/04 9:58 AM:

It's not a matter of people being stupid, it's being proactive and knowing when your own certs expire, not relying on someone else to do your job. Maybe they'll send you an e-mail, maybe they won't. I'd prefer to control my own destiny rather than explain to management that our VPN and SSL sites are down because wah, Thawte never reminded me.

ps

If people are too stupid to read the email from the issuer, how will that help? You already get warnings from the issuer of the cert.

HoTShoT

The script wasn't developed to deal with ignorance, it was designed to help folks deal with certificate expiration issues. Public CA "notification" intervals aren't configurable, ssl-cert-check is.

Matty
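
The kind of check described in the first post, with the configurable warning interval mentioned in the reply above, as an added Python example; it is not ssl-cert-check's code and not part of the thread. The function names, the "Expiring", "Expired" and "Untrusted" labels, the `#` comment handling and the 30-day default are assumptions.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

def parse_targets(text):
    """Parse 'host port' lines, the list-file layout shown in the post."""
    targets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # '#' comments are an assumption
        if line:
            host, port = line.split()
            targets.append((host, int(port)))
    return targets

def classify(not_after, now, warn_days=30):
    """Map a notAfter string ('May 24 00:00:00 2005 GMT') to (status, days_left)."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        return "Expired", days_left
    return ("Expiring" if days_left <= warn_days else "Valid"), days_left

def check(host, port, now, warn_days=30, timeout=5):
    """Connect, read the peer certificate and classify its expiry date."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert()["notAfter"], now, warn_days)
    except ssl.SSLCertVerificationError:
        # Chain did not validate; an already-expired certificate lands here.
        return "Untrusted", None
    except OSError:
        return "Down", None  # refused, timed out, or not speaking TLS

if __name__ == "__main__":
    # Usage: python3 certcheck.py ssldomains [warn_days]
    warn = int(sys.argv[2]) if len(sys.argv) > 2 else 30
    now = datetime.now(timezone.utc)
    with open(sys.argv[1]) as fh:
        for host, port in parse_targets(fh.read()):
            status, days = check(host, port, now, warn)
            print(f"{host}:{port}  {status}  {'?' if days is None else days}")
```

Run from cron with a warning interval that suits your renewal lead time; a host that fails chain validation is reported separately from one that is unreachable.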

ps spilled the following:

Yeah, but there are so many other things which need to happen at specific times throughout the life of any sort of enterprise (DNS expiry, time to replace hard disks, renew passwords...), surely it's a better idea to have a proper diarying system which can address all of them than a program which only fixes one.

C.

Colin McKinnon
