Thursday, May 20, 2010

SSL Certificates from the Command-Line

If you've ever wondered how to easily inspect a certificate from the command line, look no further than openssl.

openssl s_client -connect hostname:port

If you ever need to look up several hosts at once and want to report the ones which will expire before a given date, try this script:

#!/bin/bash
# Report every host whose certificate expires on or before thresholdDate.
hostFile="/tmp/ssl_hostnames"          # one host:port per line
thresholdDate="June 30, 2010"

(
for hostAndPort in $(< "$hostFile"); do
  # Fetch the server certificate, cut the PEM block out of the s_client output,
  # decode it, and keep only the "Not After" (expiry) value. The outer date -d
  # normalises that value into a form date can parse again below.
  dateStr="$(date -d "$(echo blah |
      openssl s_client -connect "$hostAndPort" 2> /dev/null |
      sed '1,/Server certificate/ {d}; /subject/,$ {d;}' |
      openssl x509 -text 2> /dev/null |
      grep "Not After" |
      sed "s/.* : //")")"
  # Compare as epoch seconds and print host|expiry for anything at or before the threshold.
  if (( $(date -d "$dateStr" +%s) <= $(date -d "$thresholdDate" +%s) )); then
    echo "${hostAndPort%:*}|$dateStr"
  fi
done
) | column -s "|" -t

Right now, there's not much error checking in this script. And, I'm not doing any TLS stuff. The hostFile just contains host:port pairs, one host per line.
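As an added example (not the script from this post), here is the same check with the error handling the post says it lacks: expiry comes from openssl's own -enddate output instead of carving the PEM block with sed, s_client sends SNI with -servername, and hosts that cannot be reached are reported instead of silently skipped. It assumes GNU date (for date -d) like the original, plus a timeout command; the file format is the post's host:port per line.

```shell
#!/bin/bash
# Added example, not the original post's script. Assumes GNU date ("date -d")
# and a "timeout" command (hypothetical for this page).

# expires_before NOTAFTER_LINE THRESHOLD_DATE
#   NOTAFTER_LINE is openssl's "notAfter=Jun 30 23:59:59 2010 GMT" line.
#   Returns 0 if the cert expires on or before THRESHOLD_DATE, 1 if later,
#   2 if either date cannot be parsed.
expires_before() {
  local raw="${1#notAfter=}" exp thr
  exp=$(date -d "$raw" +%s 2>/dev/null) || return 2
  thr=$(date -d "$2" +%s 2>/dev/null) || return 2
  [ "$exp" -le "$thr" ]
}

# cert_enddate HOST PORT -> prints the notAfter= line of HOST's leaf certificate.
# -servername sends SNI so a virtual host returns its own certificate; the empty
# stdin makes s_client exit once the handshake is done; x509 skips the non-PEM text.
cert_enddate() {
  echo | timeout 10 openssl s_client -servername "$1" -connect "$1:$2" 2>/dev/null |
    openssl x509 -noout -enddate 2>/dev/null
}

# report_hosts HOSTFILE THRESHOLD_DATE
#   Prints "host status expiry" per entry; status is EXPIRING, OK or UNREACHABLE.
report_hosts() {
  local hostAndPort host port line
  while IFS= read -r hostAndPort; do
    [ -z "$hostAndPort" ] && continue                # skip blank lines
    host="${hostAndPort%:*}"; port="${hostAndPort##*:}"
    [ "$port" = "$hostAndPort" ] && port=443         # no ":port" given
    if ! line=$(cert_enddate "$host" "$port") || [ -z "$line" ]; then
      printf '%s|UNREACHABLE|-\n' "$host"; continue
    fi
    if expires_before "$line" "$2"; then
      printf '%s|EXPIRING|%s\n' "$host" "${line#notAfter=}"
    else
      printf '%s|OK|%s\n' "$host" "${line#notAfter=}"
    fi
  done < "$1" | column -s "|" -t
}

# Usage: ./check_expiry.sh /tmp/ssl_hostnames "June 30, 2010"
if [ "$#" -eq 2 ]; then
  report_hosts "$1" "$2"
fi
```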
