Shell script to check SSL certificate info like expiration date and subject
Remembering the correct openssl syntax for fetching certificate from a remote host or parsing a local certificate file for useful information is a chore, so I finally took my notes and combined into an easy to use shell script.
The script is mostly useful for not having to remember cryptic syntax, but in some cases will also parse and present information in a more readable format than the default openssl output.
It's also easy to add parsing and formatting as needed.
For example, to get certificate expiration date from a remote host, you would normally have to remember a command like:
$ echo | openssl s_client -connect gmail.com:443 2>/dev/null | openssl x509 -noout -enddate
And for your trouble, would be rewarded with output like this:
notAfter=Jun 10 00:00:00 2014 GMT
With my little script, you'd only have to type:
$ ssl-cert-info --host gmail.com --end
And get back output in your own timezone:
2014-06-09 17:00:00 PDT
However, if you really want to see raw output from openssl, you could pass any openssl option through to it like so (the option passed through in this case is '-dates'):
$ ssl-cert-info --host gmail.com --option -dates
And get back output like this:
notBefore=Mar 12 09:48:29 2014 GMT
notAfter=Jun 10 00:00:00 2014 GMT
Though I find the following much easier to understand:
$ ssl-cert-info --host gmail.com --dates
valid from: 2014-03-12 02:48:29 PDT
valid till: 2014-06-09 17:00:00 PDT
And here's the script:
#!/bin/bash
usage()
{
cat <&2
echo "see --help for usage"
exit 1
;;
esac
shift
done
CheckLocalCert()
{
openssl x509 -in $crt -noout $opt
}
CheckRemoteCert()
{
echo |
openssl s_client $servername -connect $host:$port 2>/dev/null |
openssl x509 -noout $opt
}
if [ -z "$(type -t FormatOutput)" ]; then
FormatOutput() { cat; }
fi
if [ -z "$opt" ]; then
opt="-text -certopt no_header,no_version,no_serial,no_signame,no_pubkey,no_sigdump,no_aux"
fi
if [ -z "$source" ]; then
echo "ERROR: missing certificate source."
echo "Provide one via '--file' or '--host' arguments."
echo "See '--help' for examples."
exit 1
fi
if [ "$source" == "local" ]; then
[ -n "$DEBUG" ] && echo "DEBUG: certificate source is local file"
if [ -z "$crt" ]; then
echo "ERROR: missing certificate file"
exit 1
fi
[ -n "$DEBUG" ] && echo
CheckLocalCert | FormatOutput
fi
if [ "$source" == "remote" ]; then
[ -n "$DEBUG" ] && echo "DEBUG: certificate source is remote host"
if [ -z "$host" ]; then
echo "ERROR: missing remote host value."
echo "Provide one via '--host' argument"
exit 1
fi
if [ -z "$port" ]; then
[ -n "$DEBUG" ] && echo "DEBUG: defaulting to 443 for port."
port="443"
fi
[ -n "$DEBUG" ] && echo
CheckRemoteCert | FormatOutput
fi
0 comments:
Post a Comment