SSL Certificate Report

Problem this snippet solves:

This script creates a text report detailing all invalid or soon to expire certificates in /config/ssl/ssl.crt/ using openssl to write out the certificate attributes.

Code :

cli script certificatereport.tcl {
proc script::run {} {
        # Iterate through certs in files
        set hostname [exec {/bin/hostname}]
        set reportdate [exec {/bin/date}]

        puts "---------------------------------------------------------------------"
        puts "Certificate report for BIG-IP $hostname "
        puts "Report Date: $reportdate"
        puts "---------------------------------------------------------------------"
        puts "\n\n"

        set certcount 0
        set certproblems 0
        set certwarnings 0

        foreach file [glob -directory /config/ssl/ssl.crt/ *.crt] {
          incr certcount
          # Get Certificate Subject
          set cn [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-subject" "|" "grep" "subject"] "=" ] end]
          set start [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-startdate" "|" "grep" "Before"] '='] 1]
          set stop  [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-enddate" "|" "grep" "After"] '='] 1]
          # Clean up bad X509 date fields removing multiple spaces before tokenizing them
          regsub -all -- {[[:space:]]+} $start " " start
          regsub -all -- {[[:space:]]+} $stop " " stop
          set startparts [split $start]
          set stopparts [split $stop]
          set activatedseconds [expr {[clock scan "[lindex $startparts 0] [lindex $startparts 1], [lindex $startparts 3]"] - [clock seconds]}]
          set expiredseconds [expr {[clock seconds] - [clock scan "[lindex $stopparts 0] [lindex $stopparts 1], [lindex $stopparts 3]"]}]
          # Date Math
          if { $activatedseconds > 0 } {
              puts "File: $file"
              puts "\tCN: $cn certificate"
              puts "\tError: certificate is not valid yet.  It will be valid on $start."
              puts "\tActivates in: [expr {$activatedseconds / 86400}] days."
              puts "---------------------------------------------------------------------"
              incr certproblems
          } elseif { $expiredseconds > 0 } {
              puts "File: $file"
              puts "\tCN: $cn certificate"
              puts "\tError: is not valid because it expired on $stop."
              puts "\tExpired: [expr {$expiredseconds / 86400}] days ago."
              puts "---------------------------------------------------------------------"
              incr certproblems
         } elseif { [expr {$expiredseconds * -1}] < 2629743 } {
              # All certs that will expire within this month
              puts "File: $file"
              puts "\tCN: $cn certificate"
              puts "\tError: is not valid because it expired on $stop."
              puts "\tWill Expired in: [expr {$expiredseconds / -86400}] days."
              puts "---------------------------------------------------------------------"
              incr certwarnings
          }
        }
        puts "\n"
        puts "$certcount Certificates Found"
        puts "$certproblems Certificate Errors Found"
        puts "$certwarnings Certificate Warnings Found"
   }
}
Published Mar 10, 2015
Version 1.0
  • In addition to above comment-

     

    I am able to save the output to /var/tmp/cert-output.txt

    But i need to execute the script automatically every month and get the report through an email. How can we achieve this?

  • Hi All,

     

    I need help to configure cron job to run below two commands on hourly basis. Could you please help me with the steps:

     

    tmsh run cli script certificatereports.tcl > /var/tmp/cert-outputs.txt

    echo "Message Body Here" | mailx -s "Subject Here" -a cert-outputs.txt name@domain.com

  • Hi Sumit,

     

    Apologies on the late reply, Good to know that you already have smtp set.

    The next easy step is to put a small script with any mail agent (sendmail or mail or mailx) and have that script run on cron for every month.

     

    Goto /var/tmp/ and create a file as automatecertificatereports.sh.

    Add the below code inside the automatecertificatereports.sh file.

    #!/bin/sh
    tmsh run cli script certificatereports.tcl > /var/tmp/cert-outputs.txt
     
    from="abc@domain.com"
    to="abc@domain.com,pqr@domain.com,xyz@domain.com"
    subject="Automated SSL Certificate Report"
     
    mail -s "$subject" -r "$from" -a "/var/tmp/cert-outputs.txt" "$to" << EOF
    Hi Team,
     
    Please find the attached SSL Certificate Report.
     
    Thanks & Regards,
    abc@domain.com
     
    EOF

    Change the permission to executable one.

    chmod +x automatecertificatereports.sh

    Now goto your crontab & do a list first to see the existing cron jobs running.

     

    crontab -l

    You should see some couple of disk monitors check etc etc.

     

    Always put some good comments before you make an entry of your cronjob, Use crontab -e to edit/add your entries.

    crontab -e

    Goto the of the section and the below 2 lines,

     

    ## Section for Automated SSL Certificate Report - Monthly Cron - Start of month - 6 O'clk ##
    0 6 1 * * /usr/bin/bash /var/tmp/automatecertificatereports.sh

    You can edit this cron value according to your need. For testing, try running this for every day 1 AM report - 0 1 * * *

    Hope this helps. Let us know if you have more concerns.