Digital Certificate Expiration Utility


  1. #1

    Digital Certificate Expiration Utility

    Howdy,

    Over the years, I have worked in numerous environments where an expired
    digital certificate led to system outages and user confusion. I decided
    to write a tool to deal with this issue, and describe its usage in this
    month's (September) issue of SysAdmin. The utility can be run to produce
    certificate expiration info for a single SSL-enabled service, or given a
    file with a list of domains:

    $ ./ssl-cert-check -s mail.daemons.net -p 443

    Host                  Status  Expires      Days Left
    mail.daemons.net:443  Valid   May 24 2005  282

    $ cat ssldomains
    mail.daemons.net 443
    www.blatch.com 443

    $ ./ssl-cert-check -b -f ssldomains

    Host                  Status  Expires      Days Left
    mail.daemons.net:443  Valid   May 24 2005  282
    www.blatch.com:443    Down    ?            ?

    There is email integration to remind you electronically when
    certificates are about to expire, and a quiet mode to allow easy
    integration with cron. ssl-cert-check is licensed under the GPL,
    and can be downloaded at:

    http://www.daemons.net/~matty/code/ssl-cert-check

    Please let me know if you run into problems or bugs.

    Thanks,
    - Ryan
    Matty Guest

  3. #2

    Re: Digital Certificate Expiration Utility

    If people are too stupid to read the email from the issuer, how will that
    help? You already get warnings from the issuer of the cert.



    HoTShoT Guest

  4. #3

    Re: Digital Certificate Expiration Utility

    in article 10hv5hpafblnpc7@corp.supernews.com, HoTShoT at @ wrote on 8/15/04
    9:58 AM:
    > If people are too stupid to read the email from the issuer, how will that
    > help? You already get warnings from the issuer of the cert.
    >
    >
    >
    It's not a matter of people being stupid, it's being proactive and knowing
    when your own certs expire, not relying on someone else to do your job.
    Maybe they'll send you an e-mail, maybe they won't. I'd prefer to control my
    own destiny rather than explain to management that our VPN and SSL sites are
    down because wah, Thawte never reminded me.

    ps Guest

  5. #4

    Re: Digital Certificate Expiration Utility

    ps spilled the following:
    > in article 10hv5hpafblnpc7@corp.supernews.com, HoTShoT at @ wrote on
    > 8/15/04 9:58 AM:
    >
    >> If people are too stupid to read the email from the issuer, how will that
    >> help? You already get warnings from the issuer of the cert.
    >>
    >
    > It's not a matter of people being stupid, it's being proactive and knowing
    > when your own certs expire, not relying on someone else to do your job.
    > Maybe they'll send you an e-mail, maybe they won't. I'd prefer to control
    > my own destiny rather than explain to management that our VPN and SSL
    > sites are down because wah, Thawte never reminded me.
    Yeah, but there are so many other things which need to happen at specific
    times throughout the life of any sort of enterprise (DNS expiry, time to
    replace hard disks, renew passwords...), surely it's a better idea to have
    a proper diarying system which can address all of them than a program which
    only fixes one.

    C.
    Colin McKinnon Guest

  6. #5

    Re: Digital Certificate Expiration Utility

    HoTShoT wrote:
    > If people are too stupid to read the email from the issuer, how will that
    > help? You already get warnings from the issuer of the cert.
    >
    The script wasn't developed to deal with ignorance, it was designed
    to help folks deal with certificate expiration issues. Public CA
    "notification" intervals aren't configurable, ssl-cert-check is.

    Matty Guest
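
The check discussed in this thread, with the configurable warning window mentioned in the last post, as an added Python example that is not part of the thread and is not ssl-cert-check's own code. It reads the "host port" list layout shown in the first post; the names `parse_targets`, `check`, `report`, the `warn_days` parameter and the "Expiring"/"Expired" labels are this example's own, and `fetch` is injectable so the logic can be exercised offline.

```python
import socket
import ssl
from datetime import datetime, timezone

X509_V_ERR_CERT_HAS_EXPIRED = 10  # OpenSSL verify code for an expired certificate

def parse_targets(text):
    """Parse 'host port' lines, the list-file layout shown in the first post."""
    targets = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2 and fields[1].isdigit():
            targets.append((fields[0], int(fields[1])))
    return targets

def fetch_not_after(host, port, timeout=5.0):
    """Return the certificate's notAfter string, 'EXPIRED', or None if unusable."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as err:
        # A verifying client rejects an expired cert during the handshake,
        # so report that case instead of treating the host as unreachable.
        return "EXPIRED" if err.verify_code == X509_V_ERR_CERT_HAS_EXPIRED else None
    except OSError:  # refused, timed out, DNS failure, other TLS errors
        return None

def check(host, port, now, warn_days=30, fetch=fetch_not_after):
    """Return (target, status, expires, days_left) for one service."""
    target = f"{host}:{port}"
    not_after = fetch(host, port)
    if not_after is None:
        return (target, "Down", "?", "?")
    if not_after == "EXPIRED":
        return (target, "Expired", "?", "?")
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    days_left = (expires - now).days
    status = "Expired" if days_left < 0 else "Expiring" if days_left <= warn_days else "Valid"
    return (target, status, expires.strftime("%b %d %Y"), days_left)

def report(list_text, now, warn_days=30, fetch=fetch_not_after):
    """Check every target in a list file and return the result rows."""
    return [check(h, p, now, warn_days, fetch) for h, p in parse_targets(list_text)]
```

Run from cron with `now=datetime.now(timezone.utc)` and alert on any row whose status is not "Valid".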
