Monday 23 July 2018

Shell script to check SSL certificate info like expiration date and subject

Remembering the correct openssl syntax for fetching a certificate from a remote host, or for parsing a local certificate file for useful information, is a chore, so I finally took my notes and combined them into an easy-to-use shell script.
The script is mostly useful for not having to remember cryptic syntax, but in some cases will also parse and present information in a more readable format than the default openssl output.
It's also easy to add parsing and formatting as needed.
For example, to get certificate expiration date from a remote host, you would normally have to remember a command like:
$ echo | openssl s_client -connect gmail.com:443 2>/dev/null | openssl x509 -noout -enddate
And for your trouble, you would be rewarded with output like this:
notAfter=Jun 10 00:00:00 2014 GMT
With my little script, you'd only have to type:
$ ssl-cert-info --host gmail.com --end
And get back output in your own timezone:
2014-06-09 17:00:00 PDT
However, if you really want to see the raw output from openssl, you can pass any openssl option straight through to it, like so (the option passed through in this case is '-dates'):
$ ssl-cert-info --host gmail.com --option -dates
And get back output like this:
notBefore=Mar 12 09:48:29 2014 GMT
notAfter=Jun 10 00:00:00 2014 GMT
Though I find the following much easier to understand:
$ ssl-cert-info --host gmail.com --dates
valid from: 2014-03-12 02:48:29 PDT
valid till: 2014-06-09 17:00:00 PDT
And here's the script:
#!/bin/bash

usage()
{
cat <<EOF
Usage: $(basename "$0") [options]

Options:
  --dates     print start and end dates of the certificate (local timezone)
  --debug     print extra debugging output
  --end       print the expiration date of the certificate
  --file F    read the certificate from local file F
  --help      print this help
  --host H    fetch the certificate from remote host H
  --option O  pass openssl x509 option O through and print its raw output
  --port P    connect to port P on the remote host (default 443)

Example: $(basename "$0") --host gmail.com --dates
EOF
}

# Convert a "notBefore=..." / "notAfter=..." line from openssl to local time (assumes GNU date)
to_local_time()
{
  date -d "${1#*=}" "+%Y-%m-%d %H:%M:%S %Z"
}

# Option parsing (reconstructed from the options described above; the post's copy of this part is incomplete)
while [ $# -gt 0 ]; do
  case "$1" in
    --dates)
      opt="-dates"
      FormatOutput() {
        while IFS= read -r line; do
          case "$line" in
            notBefore=*) echo "valid from: $(to_local_time "$line")" ;;
            notAfter=*)  echo "valid till: $(to_local_time "$line")" ;;
          esac
        done
      }
      ;;
    --end)
      opt="-enddate"
      FormatOutput() { while IFS= read -r line; do to_local_time "$line"; done; }
      ;;
    --debug)  DEBUG=1 ;;
    --file)   crt="$2"; source="local"; shift ;;
    --help)   usage; exit 0 ;;
    --host)   host="$2"; servername="-servername $host"; source="remote"; shift ;;   # SNI for virtual hosts
    --option) opt="$2"; shift ;;
    --port)   port="$2"; shift ;;
    *)
      echo "ERROR: unknown option '$1'" >&2
      echo "see --help for usage"
      exit 1
      ;;
  esac
  shift
done

CheckLocalCert()
{
  openssl x509 -in "$crt" -noout $opt   # $opt is unquoted on purpose: it may hold several arguments
}

CheckRemoteCert()
{
  echo |
  openssl s_client $servername -connect "$host:$port" 2>/dev/null |
  openssl x509 -noout $opt
}

# Options without a formatter of their own pass the openssl output through unchanged
if [ -z "$(type -t FormatOutput)" ]; then
  FormatOutput() { cat; }
fi

# Default output: the text dump minus the noisy sections
if [ -z "$opt" ]; then
  opt="-text -certopt no_header,no_version,no_serial,no_signame,no_pubkey,no_sigdump,no_aux"
fi

if [ -z "$source" ]; then
  echo "ERROR: missing certificate source."
  echo "Provide one via '--file' or '--host' arguments."
  echo "See '--help' for examples."
  exit 1
fi

if [ "$source" == "local" ]; then
  [ -n "$DEBUG" ] && echo "DEBUG: certificate source is local file"
  if [ -z "$crt" ]; then
    echo "ERROR: missing certificate file"
    exit 1
  fi
  [ -n "$DEBUG" ] && echo
  CheckLocalCert | FormatOutput
fi

if [ "$source" == "remote" ]; then
  [ -n "$DEBUG" ] && echo "DEBUG: certificate source is remote host"
  if [ -z "$host" ]; then
    echo "ERROR: missing remote host value."
    echo "Provide one via '--host' argument"
    exit 1
  fi
  if [ -z "$port" ]; then
    [ -n "$DEBUG" ] && echo "DEBUG: defaulting to 443 for port."
    port="443"
  fi
  [ -n "$DEBUG" ] && echo
  CheckRemoteCert | FormatOutput
fi
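Building on the --end output above, here is an added example (not the post's script) that turns the notAfter line into a days-remaining count and an exit status a cron job or monitoring check can act on. It assumes GNU date (date -d), and the function names cert_days_left, expiry_status and check_remote_expiry are my own.

```sh
#!/bin/sh
# Added example, not the post's script. Assumes GNU date (date -d).

# cert_days_left NOTAFTER_LINE [REFERENCE_TIME]
#   NOTAFTER_LINE   as printed by "openssl x509 -noout -enddate", e.g. "notAfter=Jun 10 00:00:00 2014 GMT"
#   REFERENCE_TIME  optional stand-in for "now" (any string GNU date accepts)
# Prints whole days until expiry, rounded down, so it goes negative as soon
# as the certificate has expired (an expiry 12 hours ago is -1, not 0).
cert_days_left() {
  end_epoch=$(date -d "${1#notAfter=}" +%s) || return 2
  ref_epoch=$(date -d "${2:-now}" +%s) || return 2
  secs=$(( end_epoch - ref_epoch ))
  if [ "$secs" -lt 0 ]; then
    echo $(( (secs - 86399) / 86400 ))
  else
    echo $(( secs / 86400 ))
  fi
}

# expiry_status DAYS_LEFT WARN_DAYS -> prints ok | warning | expired
expiry_status() {
  if [ "$1" -lt 0 ]; then echo expired
  elif [ "$1" -lt "$2" ]; then echo warning
  else echo ok
  fi
}

# check_remote_expiry HOST [PORT] [WARN_DAYS]
# Fetches the leaf certificate the way the post's script does, including
# -servername so name-based virtual hosts return the right one, and returns
# 0 (ok), 1 (warning), 2 (expired) or 3 (no certificate retrieved).
check_remote_expiry() {
  host=$1; port=${2:-443}; warn=${3:-30}
  notafter=$(echo | openssl s_client -servername "$host" -connect "$host:$port" 2>/dev/null |
             openssl x509 -noout -enddate 2>/dev/null)
  if [ -z "$notafter" ]; then
    echo "$host:$port: no certificate retrieved" >&2
    return 3
  fi
  days=$(cert_days_left "$notafter") || return 3
  status=$(expiry_status "$days" "$warn")
  echo "$host:$port: $status, $days days left (expires $(date -d "${notafter#notAfter=}" '+%Y-%m-%d %H:%M:%S %Z'))"
  case $status in ok) return 0 ;; warning) return 1 ;; *) return 2 ;; esac
}

# Usage: sh check-expiry.sh example.com 443 30   (does nothing when run without arguments)
if [ $# -gt 0 ]; then
  check_remote_expiry "$@"
fi
```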
