This script will let you programmatically get a certificate start date, number of days remaining, and certificate hash, suitable for example for automated checking for expired or changed certificates, as with Zabbix:
#!/bin/bash
function printHelpTextd
{
echo
echo "######################################################################"
echo "# #"
echo "# This script takes these parameters, in this order: #"
echo "# 1. check type, one of: certstartdate, certdaysleft, or certhash. #"
echo "# 2. Host connection target (IP address or host name (fqdn)). #"
echo "# 3. TCP port number to connect to. #"
echo "# #"
echo "# This script returns, depending on the check type, one of: #"
echo "# - certstartdate: a text string of the cert start date #"
echo "# - certdaysleft: an integer of the number of days until the cert #"
echo "# expiration; if the cert has expired, then a negative number. #"
echo "# - certhash: a hash of the cert, useful for detecting changes. #"
echo "# #"
echo "######################################################################"
echo
}
ERR_BADNUMPARAMS=1
ERR_BADCHECKTYPE=2
# Function getCertStartDate
# parameters (ordered)
# * Host connection target (IP address or host name (fqdn)).
# * TCP port number to connect to.
# returns a text string of the certificate start date.
function getCertStartDate
{
host=$1
port=$2
startdate=`echo quit | openssl s_client -host $host -port $port 2>/dev/null | awk '/BEGIN/{s=x}{s=s$0"\n"}/END CERTIFICATE-----/{print s}' 2>/dev/null | openssl x509 -noout -dates 2>/dev/null | head -n 1 | cut -d "=" -f 2- | awk -F " " '{ print $1" "$2" "$4" "$3" "$5 }'`
echo $startdate
}
# Function getCertDaysLeft
# parameters (ordered)
# * Host connection target (IP address or host name (fqdn)).
# * TCP port number to connect to.
# returns a number of days remaining
function getCertDaysLeft
{
host=$1
port=$2
enddate=`echo quit | openssl s_client -host $host -port $port 2>/dev/null | awk '/BEGIN/{s=x}{s=s$0"\n"}/END CERTIFICATE-----/{print s}' | openssl x509 -noout -dates 2>/dev/null | tail -n 1 | cut -d "=" -f 2-`
formattedenddate=`echo $enddate | awk -F " " '{ print $1" "$2" "$4" "$3" "$5 }'`
enddateseconds=`date -d "$formattedenddate" +%s`
# expiration date minus todays date = the number of days left (in seconds)
secondsleft=$(expr $enddateseconds - $(date +%s))
daysleft=$(expr $secondsleft / 86400)
echo $daysleft
}
# Function getCertHash
# parameters (ordered)
# * Host connection target (IP address or host name (fqdn)).
# * TCP port number to connect to.
# returns the hash of the cert, as a string
function getCertHash
{
host=$1
port=$2
hash=`echo quit | openssl s_client -host $host -port $port 2>/dev/null | awk '/BEGIN/{s=x}{s=s$0"\n"}/END CERTIFICATE-----/{print s}' | openssl x509 -noout -hash 2>/dev/null`
echo $hash
}
if [ "$#" -ne 3 ]; then
{
echo "ERROR: Illegal number of parameters."
printHelpText
exit $ERR_BADNUMPARAMS
}; else
{
Operation=$1
TargetHost=$2
TargetPort=$3
case $Operation in
certstartdate)
getCertStartDate $TargetHost $TargetPort
;;
certdaysleft)
getCertDaysLeft $TargetHost $TargetPort
;;
certhash)
getCertHash $TargetHost $TargetPort
;;
*)
{
echo "ERROR: Bad check type."
printHelpText
exit $ERR_BADCHECKTYPE
}
;;
esac
}; fi
No comments:
Post a Comment