Forum Discussion

MickeyM_135861
Feb 18, 2015

Check bundle certificate expiration date

Hi,

As many of you, I have to create a script to check the expiration date of our certificates (except the ones used for our web servers, for which the CA sends us an alarm). Using OpenSSL I can obtain this information for "normal" certificates, but when I try for bundles I can find a single expiration date, maybe the one for the root certificate. In the GUI, it shows a range for the expiration date (i.e. Apr 11, 2017 - Jan 28, 2028). How can I obtain the same value in the CLI (or at least the lowest value)?

Thanks a lot!

  • Hi MickeyM,

    here is a solution which also splits the original bundle (stored in /var/tmp/ca-bundle.crt for the example) into multiple files and runs the openssl verification:
    # 1. keep only the PEM blocks, then write each certificate to its own temp file
    awk '/-+BEGIN CERTIFICATE-+/,/-+END CERTIFICATE-+/ {print}' /var/tmp/ca-bundle.crt | \
    awk '/-+BEGIN CERTIFICATE-+/ {file="cafile_"++i;} {print > "/var/tmp/"file".tmp";}'
    
    # 2. print subject and notAfter for every extracted certificate
    for cert in /var/tmp/cafile_*.tmp; do openssl x509 -noout -subject -enddate -in "$cert"; done
    
    # 3. clean up the temp files
    rm -f /var/tmp/cafile_*.tmp
    

    Temp files were stored as /var/tmp/cafile_*.tmp and need to be deleted after the test.

    Thanks, Stephan

    PS: Kudos go to the guys at "theunixschool" for some pretty helpful awk-examples.
  • Thanks a lot Michael for your answer.

    I have also found this site, but I thought that there is maybe a different (easier) solution. As we can see them easily in the GUI, is F5 (maybe) using a different method?

    What we will try perhaps is to implement this in an iControl API. I hope it will work well.

    I will update this thread with the result and maybe other details when we implement it.

    Regards,

  • While it's not as simple as an openssl command, I did find this site that was of use in trying to do this. It requires creating and executing a perl script to split the bundle and run openssl on each certificate in there.

    I modified the file to output only what was necessary (expiration dates). So basically, I just changed

    print `echo "$thisfile" | openssl x509 -noout -text`;    # backticks run the pipeline and capture its output
    to
    print `echo "$thisfile" | openssl x509 -noout -subject -dates`;

    Works pretty well for me.
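A way to get the GUI's range from the command line without temp files or a helper script, added here as an example that is not code from any of the posters or from F5. Both replies above split the bundle and call openssl on each piece; this does the splitting in the same way (one PEM block per certificate) but then reads the Validity sequence out of each certificate's DER with the Python standard library alone, so it needs no openssl binary. The sample bundle at the bottom is constructed from unsigned stand-in certificates (not real certs) so the script runs offline; point it at a real bundle (python3 bundle_expiry.py /var/tmp/ca-bundle.crt) to get the earliest and latest notAfter, which is the range the thread describes seeing in the GUI.

```python
"""Report the notAfter range of every certificate in a PEM bundle (added example)."""
import base64
import re
import sys
from datetime import datetime, timezone

PEM_RE = re.compile(r"-+BEGIN CERTIFICATE-+(.*?)-+END CERTIFICATE-+", re.S)


def pem_blocks(text):
    """Return the DER bytes of every certificate in a PEM bundle, in order."""
    return [base64.b64decode("".join(m.group(1).split())) for m in PEM_RE.finditer(text)]


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def parse_time(tag, raw):
    """Decode UTCTime (0x17, YYMMDDhhmmssZ) or GeneralizedTime (0x18, YYYYMMDDhhmmssZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def validity(cert_der):
    """Return (notBefore, notAfter) of one DER-encoded X.509 certificate."""
    _, pos, _ = read_tlv(cert_der, 0)              # Certificate ::= SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)            # tbsCertificate ::= SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                                # optional [0] EXPLICIT version
        pos = end
    for _ in range(3):                             # skip serialNumber, signature, issuer
        _, _, pos = read_tlv(cert_der, pos)
    tag, pos, _ = read_tlv(cert_der, pos)          # Validity ::= SEQUENCE { notBefore, notAfter }
    if tag != 0x30:
        raise ValueError("Validity SEQUENCE not found")
    t1, s1, e1 = read_tlv(cert_der, pos)
    t2, s2, e2 = read_tlv(cert_der, e1)
    return parse_time(t1, cert_der[s1:e1]), parse_time(t2, cert_der[s2:e2])


def bundle_expiry(text):
    """Return (earliest, latest) notAfter across the bundle, i.e. the range the GUI shows."""
    ends = [validity(blob)[1] for blob in pem_blocks(text)]
    return min(ends), max(ends)


# --- constructed sample input (NOT real certificates): a tiny DER encoder builds
# unsigned stand-ins that carry only the fields the walker above has to traverse.
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def fake_cert(not_before, not_after):
    utc = lambda d: der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = (der(0xA0, der(0x02, b"\x02"))                     # [0] version v3
           + der(0x02, b"\x01")                               # serialNumber
           + der(0x30, b"") + der(0x30, b"")                  # signature, issuer (empty placeholders)
           + der(0x30, utc(not_before) + utc(not_after))      # validity
           + der(0x30, b"") + der(0x30, b""))                 # subject, subjectPublicKeyInfo
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))


def to_pem(blob):
    b64 = base64.b64encode(blob).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


_NB = datetime(2015, 1, 1, tzinfo=timezone.utc)
SAMPLE_BUNDLE = "".join(to_pem(fake_cert(_NB, na)) for na in (
    datetime(2028, 1, 28, tzinfo=timezone.utc),   # the "root", expiring last
    datetime(2017, 4, 11, tzinfo=timezone.utc),   # an intermediate, expiring first
    datetime(2020, 6, 30, tzinfo=timezone.utc),
))

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for blob in pem_blocks(text):
        nb, na = validity(blob)
        print(f"notBefore={nb:%Y-%m-%d}  notAfter={na:%Y-%m-%d}")
    earliest, latest = bundle_expiry(text)
    print(f"bundle expiration range: {earliest:%b %d, %Y} - {latest:%b %d, %Y}")
```

The walker reads dates only, exactly like `openssl x509 -noout -enddate`; it does not validate signatures or chain order, so the earliest notAfter it reports is the date on which the bundle first stops being fully usable, regardless of which certificate that is. One caveat for the `strptime` shortcut: Python maps two-digit UTCTime years 69-99 to the 1900s, whereas RFC 5280 puts the cutoff at 50, which only matters for certificates dated before 1969 or after 2049.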