Digital certificates, including custom certificates, have become an essential part of cyber security and are widely used to verify the identity of clients and servers. Every certificate contains an expiration date, which most client and server applications check before using the certificate's contents. If a client or server application detects that a certificate has expired, it typically performs one or more implementation-specific actions (e.g., abort the connection, check or update a revocation list, alert the user).

Recently I have supported numerous websites as part of my job, where we have installed custom certificates on Oracle Enterprise Manager [OEM], Oracle Key Vault [OKV], IBM DataStage, Attunity Enterprise Manager & Attunity Replicate, and we didn’t notice the certificates' expiration dates, which impacted applications, so I am always looking for ways to boost uptime and increase user satisfaction with these websites. Since an expired certificate would frustrate our users, I decided to develop a basic shell script to check the certificate expiration date and send out an email or pager alert before 1-10,30,60,90 days.

#!/bin/bash
#####################################################################################
## Date       : 11/19/2020
## Version    : v1
## Author     : Sandeep R Narani
## Purpose    : To check $appname certificate expiration date and send out email for 30,60,90 days
## Usage      : ./chkssl_expiredate.sh appname ipaddress or hostname port
## Example    : ./chkssl_expiredate.sh OKV 0.0.0.0 5696
#####################################################################################
appname=${1}
_to="sandeep.narani"
# Fetch the server certificate and extract its notAfter date.
# </dev/null closes stdin so s_client exits after the handshake instead of waiting for input.
CERT_DATE=$(openssl s_client -servername "${2}" -connect "${2}:${3}" </dev/null 2>/dev/null | openssl x509 -enddate -noout 2>/dev/null | sed 's/notAfter=//')
# Stop if no certificate was retrieved; an empty date would otherwise be parsed as today.
if [[ -z "$CERT_DATE" ]]
then
echo "Unable to read certificate from ${2}:${3}" >&2
exit 1
fi
# Expiration date as seconds since the epoch (GNU date)
date_s=$(date -d "${CERT_DATE}" +%s)
#now_s=$(date -d now +%s)
# For testing, the current date is shifted forward so that it falls within the certificate's alert range.
# Outside of testing, use the commented-out now_s line above instead.
now_s=$(date -d 'now + 990 days' +%s)
# Whole days remaining until the certificate expires
date_diff=$(( (date_s - now_s) / 86400 ))
_sub="$appname Certificate will expire within $date_diff days"
echo "$_sub"
# 9 days or fewer: alert on every run; otherwise alert only on the listed days
if [[ "$date_diff" -le 9 ]]
then
mail -s "$_sub" "$_to" <<< "Fatal: The $appname - ${2} certificate will expire in $date_diff days"
elif [[ "$date_diff" -eq 10 ]]
then
mail -s "$_sub" "$_to" <<< "Critical: The $appname - ${2} certificate will expire soon in $date_diff days"
elif [[ "$date_diff" -eq 15 ]]
then
mail -s "$_sub" "$_to" <<< "Critical: The $appname - ${2} certificate will expire soon in $date_diff days"
elif [[ "$date_diff" -eq 20 ]]
then
mail -s "$_sub" "$_to" <<< "Critical: The $appname - ${2} certificate will expire soon in $date_diff days"
elif [[ "$date_diff" -eq 30 ]]
then
mail -s "$_sub" "$_to" <<< "Critical: The $appname - ${2} certificate will expire soon in $date_diff days"
elif [[ "$date_diff" -eq 60 ]]
then
mail -s "$_sub" "$_to" <<< "Warning: The $appname - ${2} certificate will expire soon in $date_diff days"
elif [[ "$date_diff" -eq 90 ]]
then
mail -s "$_sub" "$_to" <<< "Warning: The $appname - ${2} certificate will expire soon in $date_diff days"
fi
echo "Script Completed"
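
An added example, not part of the author's script: the exact-day tests (`-eq 30`, `-eq 60`, ...) only fire when the script happens to run on that day, so this version records the days left at each run and alerts when a threshold was crossed since the previous run. The state directory, the function names, and printing the alert instead of calling `mail` are assumptions; GNU `date` is required, as in the script above.

```sh
#!/bin/sh
# Added example, not the original script: alert when a threshold was crossed
# since the last run, so a skipped cron run cannot hide a 90/60/30/... day alert.
THRESHOLDS="90 60 30 20 15 10"              # same tiers as the script above
STATE_DIR=${STATE_DIR:-/var/tmp/chkssl}     # assumed location for per-host state

# alert_due PREV CUR: print the level due now, or return 1 when nothing is due.
# PREV = days left at the previous run (empty on the first run), CUR = days left now.
alert_due() {
    prev=${1:-99999}; cur=$2; level=""
    if [ "$cur" -le 9 ]; then echo "Fatal"; return 0; fi   # every run, as in the script
    for t in $THRESHOLDS; do
        # t was reached or passed between the previous run and this one
        if [ "$cur" -le "$t" ] && [ "$t" -lt "$prev" ]; then
            if [ "$t" -ge 60 ]; then level="Warning"; else level="Critical"; fi
        fi
    done
    [ -n "$level" ] && echo "$level"
}

# days_left HOST PORT: days until notAfter; returns 1 if no certificate was read.
days_left() {
    end=$(openssl s_client -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null |
          openssl x509 -enddate -noout 2>/dev/null | sed 's/^notAfter=//')
    [ -n "$end" ] || return 1
    echo $(( ($(date -d "$end" +%s) - $(date +%s)) / 86400 ))   # GNU date
}

# check_cert APPNAME HOST PORT: one monitoring pass for a single endpoint.
check_cert() {
    state="$STATE_DIR/${2}_${3}.days"
    mkdir -p "$STATE_DIR" || return 1
    cur=$(days_left "$2" "$3") || { echo "Unknown: no certificate from $2:$3"; return 3; }
    prev=$(cat "$state" 2>/dev/null)
    if level=$(alert_due "$prev" "$cur"); then
        echo "$level: The $1 - $2 certificate will expire in $cur days"
    fi
    echo "$cur" > "$state"      # remembered for the next run
}

# Runs only when called as: script appname host port
if [ "$#" -eq 3 ]; then check_cert "$@"; fi
```

A second run on the same day prints nothing for the 10 to 90 day tiers because the stored value already equals the current one, and a renewed certificate resets the state without alerting.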

One response to “How to check & alert TLS/SSL certificate expiration date using shell script”

  1. yogigollapudi

    Do you have a script to check on Windows servers for SQL Server SSL certificates?
