How to Avoid the SSL Expiration Apocalypse

You’re minding your own business, sipping coffee, feeling invincible—when BAM! The website goes down. The boss storms in like an angry bear who just lost Wi-Fi. The culprit? An expired SSL certificate. Congratulations, you’ve just unlocked the IT version of public humiliation.

But fear not! The ssl-cert-expiration-date-check script is here to save you from a life of shame and awkward team meetings. Think of it as the superhero you never knew you needed, armed with OpenSSL and a knack for keeping your certificates alive and kicking.

What’s This?

SSL monitoring via bash shell. Here’s how it works:

  • It reads a list of FQDNs or IPs (fancy IT speak for “things you probably Googled how to find”) from a file named fqdn_list.txt.
  • It interrogates your endpoints like a bad cop in a detective movie, using OpenSSL binary to spill the beans on their SSL certificates.
  • It then writes the juicy details into certs_info.csv—because nothing says “I’m a professional” like a CSV file you can open in MS Excel.

Boom. You now know when your certificates will expire. No more flying blind. No more angry bosses. No more soul-crushing outages.

Why Should You Care?

Let me paint you a picture: An expired SSL certificate means users see a terrifying “This site is NOT secure” warning. It’s basically the internet screaming, “Run away!” Your customers? Gone. Your reputation? Sinking faster than your confidence in this job.

But this script? It’s the anti-drama. It supports everything: HTTPS, LDAPS, JDBC/S, and even those obscure protocols no one dares to ask about. It logs every certificate—server, intermediate, maybe even root CA certificates if they’re feeling generous. It’s like an all-you-can-eat buffet of SSL info.

Did You Know?

  • Some certificates, like rebellious teenagers, don’t come pre-installed in your keystore. You’ve got to manually invite them to the party.
  • On Windows, this means opening certlm.msc (don’t worry, it’s not as scary as it sounds).
  • If you’re in Java Land, you’ll need to charm the keytool utility. It’s like convincing a cat to sit still—it’s tricky, but doable.

How to Become an SSL Wizard

  • Step 1: Open a text editor and create fqdn_list.txt. Add all your endpoints and ports, one per line. It’s like making a party guest list, but with less glitter.
  • Step 2: Run the script. Sit back. Look cool.
  • Step 3: Open the certs_info.csv file. Admire your work. Maybe print it out and frame it for the office wall.

The Moral of the Story

Neglect your SSL certificates, and the internet will publicly shame you. But with the ssl-cert-expiration-date-check script, you’ll avoid the chaos, the browser warnings, and the boss’s death stare.

So, download this script, save yourself, and become the hero your IT department deserves. Because nothing says “I’ve got this” like preventing a preventable disaster. Now, go forth and conquer the world of SSL certificates—preferably before your coffee gets cold.

The Location

https://github.com/anapartner-com/ssl-cert-expiration-date-check

View the Readme, play with the scripts, provide feedback. Integrate this process with your SaaS monitoring solutions, e.g. Syslog (with Splunk), Broadcom DX02 (APM), Grafana, Dynatrace, etc. Or run the process over remote SSH from a host inside your secured internal network segments so those certs get queried as well.

The Magic of openssl binary

# Connect once, ask the endpoint for its whole chain, and keep the raw output for parsing.
# "</dev/null" closes stdin so s_client does not sit waiting for input; "-servername" sends the
# hostname via SNI so virtual-hosted endpoints return their own certificate (newer OpenSSL does this by default).
openssl s_client -connect "$FQDN:$PORT" -servername "$FQDN" -showcerts </dev/null 2>/dev/null > "temp_output.txt"

# $CERT_FILE holds one PEM certificate split out of temp_output.txt (one per BEGIN/END block).
EXPIRATION_DATE=$(openssl x509 -enddate -noout -in "$CERT_FILE" 2>/dev/null | cut -d= -f2)
# Newer OpenSSL prints "subject=CN = ..." with no space after "=", so strip any amount of whitespace.
SUBJECT_NAME=$(openssl x509 -subject -noout -in "$CERT_FILE" 2>/dev/null | sed 's/^subject= *//')
SERIAL_NUMBER=$(openssl x509 -serial -noout -in "$CERT_FILE" 2>/dev/null | cut -d= -f2)

We use the openssl s_client process to connect to the endpoint’s IP or FQDN on its port, return every cert the endpoint presents, and save that output to a temporary file that we then parse for the metadata.

We obviously want “enddate”, to find the expiration date of the certificates. But we also want both the “subject (aka CN)” and the “serial” of the certificates, to avoid the all-too-common challenge during certificate rotation where two certificates carry the SAME name (subject/CN) and were issued by the same root CA. This is a very annoying challenge and adds unnecessary effort during RCA (root-cause analysis) when you need to identify the full certificate chain. The “serial” number, which is unique per issuer, lets us tell those certificates apart.
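Here is the three-step procedure above (read fqdn_list.txt, query each endpoint, write certs_info.csv) and the openssl calls just described stitched into one end-to-end script. It is an added example written for this post, not the project’s own script from the repository: it assumes bash, GNU coreutils (date -d and timeout) and a list file with one host:port per line (hostname or IPv4, “#” starts a comment); the function names, the extra days_left/status columns and the WARN threshold of 30 days are all this example’s own choices.

```bash
#!/usr/bin/env bash
# Added example, not the project's own script: an end-to-end expiry check built
# from the same openssl calls, with the chain split into one PEM per certificate
# and a "days left" column that monitoring tools can alert on.
# Assumptions: bash, GNU coreutils (date -d, timeout), and an fqdn_list.txt with
# one "host:port" per line (hostname or IPv4; "#" starts a comment).
set -o pipefail

# Split s_client -showcerts output into $outdir/cert_N.pem, one per certificate
# (leaf first, then intermediates, then the root if the server sends it); prints N.
split_chain() {
  local input="$1" outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert_" n ".pem"; inside = 1 }
    inside                        { print > out }
    /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    END                           { print n + 0 }
  ' "$input"
}

# Whole days from $1 to $2, both in the notAfter format openssl prints
# ("Jan 11 00:00:00 2030 GMT"); negative means already past. GNU date only.
days_between() {
  local from to
  from=$(date -u -d "$1" +%s) || return 1
  to=$(date -u -d "$2" +%s) || return 1
  echo $(( (to - from) / 86400 ))
}

# Map days left to a status word a monitoring tool can alert on (30-day warning by default).
expiry_status() {
  local days="$1" warn="${2:-30}"
  if   (( days < 0 ));    then echo EXPIRED
  elif (( days < warn )); then echo WARN
  else                         echo OK
  fi
}

# One CSV row for a single PEM file: subject AND serial are both recorded so two
# generations of a certificate with the same CN can be told apart.
cert_row() {
  local fqdn="$1" port="$2" idx="$3" pem="$4" now="$5"
  local subject serial enddate days
  subject=$(openssl x509 -subject -noout -nameopt RFC2253 -in "$pem" | sed 's/^subject= *//')
  serial=$(openssl x509 -serial -noout -in "$pem" | cut -d= -f2)
  enddate=$(openssl x509 -enddate -noout -in "$pem" | cut -d= -f2)
  days=$(days_between "$now" "$enddate")
  printf '%s,%s,%s,"%s",%s,%s,%s,%s\n' \
    "$fqdn" "$port" "$idx" "$subject" "$serial" "$enddate" "$days" "$(expiry_status "$days")"
}

# Fetch one endpoint's chain and append its rows to the CSV.
check_endpoint() {
  local fqdn="$1" port="$2" csv="$3" now="$4"
  local tmp n i
  tmp=$(mktemp -d)
  # </dev/null: s_client must not wait on stdin. -servername: send SNI so a
  # virtual-hosted endpoint returns its own certificate, not the default one.
  if ! timeout 10 openssl s_client -connect "$fqdn:$port" -servername "$fqdn" -showcerts \
       </dev/null >"$tmp/chain.txt" 2>/dev/null; then
    printf '%s,%s,0,CONNECT_FAILED,,,,\n' "$fqdn" "$port" >>"$csv"
    rm -rf "$tmp"; return 1
  fi
  n=$(split_chain "$tmp/chain.txt" "$tmp")
  for (( i = 1; i <= n; i++ )); do
    cert_row "$fqdn" "$port" "$i" "$tmp/cert_$i.pem" "$now" >>"$csv"
  done
  rm -rf "$tmp"
}

main() {
  local list="${1:-fqdn_list.txt}" csv="${2:-certs_info.csv}" line now
  now=$(date -u '+%b %d %H:%M:%S %Y GMT')
  printf 'fqdn,port,chain_index,subject,serial,not_after,days_left,status\n' >"$csv"
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"; line="${line//[[:space:]]/}"   # strip comments and whitespace
    [ -z "$line" ] && continue
    check_endpoint "${line%:*}" "${line##*:}" "$csv" "$now" || true
  done <"$list"
}

# Usage: bash check_certs.sh fqdn_list.txt certs_info.csv
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The days_left and status columns are what make the CSV useful to Splunk, Grafana or any other collector: alert on status=WARN and you hear about a certificate a month before the boss does. A CONNECT_FAILED row is written rather than silently skipped, because an endpoint that stops answering is itself something you want to notice.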
