
SSL Certificate Monitoring Script

You can easily monitor live SSL certificate expiration with openssl commands. The script below reads the URLs from a text file and checks each certificate's expiration. If a certificate is expiring within 30 days, it can send an email to the people who need to know. You can schedule a cron job to run it every day.

Here is the script.

#!/bin/ksh

##
# ssl-cert-expiration-checker.sh
#
# Checks SSL certificate expiration dates. Sends a notification email if
# certificate expiration dates are sooner than the configured threshold.
#
# Expects a file named "certificate_cn_list.txt" to be located in the same
# directory as the script; this file should contain a list of hostnames whose
# SSL certificates should be checked (one per line). The name of this file
# can be changed by changing the value of variable CN_LIST_FILENAME.
#
# Original author: Sreekar
##

umask 077

MAIL_SUBJECT="SSL certificate expiration warning"
MAIL_TO="mail@mail.com"

CN_LIST_FILENAME="certificate_cn_list.txt"

## Convert a calendar date (month day year) to a Julian day number
date2julian()
{
    if [ "${1}" != "" ] && [ "${2}" != "" ] && [ "${3}" != "" ]
    then
        ## Since leap years add a day at the end of February,
        ## calculations are done from 1 March 0000 (a fictional year)
        d2j_tmpmonth=$((12 * ${3} + ${1} - 3))
        ## If it is not yet March, the year is changed to the previous year
        d2j_tmpyear=$(( ${d2j_tmpmonth} / 12))
        echo $(( (734 * ${d2j_tmpmonth} + 15) / 24 - 2 * ${d2j_tmpyear} + ${d2j_tmpyear}/4 - ${d2j_tmpyear}/100 + ${d2j_tmpyear}/400 + $2 + 1721119 ))
    else
        echo 0
    fi
}

## Map the month abbreviation printed by openssl to its number
getmonth()
{
    case ${1} in
        Jan) echo 1 ;;
        Feb) echo 2 ;;
        Mar) echo 3 ;;
        Apr) echo 4 ;;
        May) echo 5 ;;
        Jun) echo 6 ;;
        Jul) echo 7 ;;
        Aug) echo 8 ;;
        Sep) echo 9 ;;
        Oct) echo 10 ;;
        Nov) echo 11 ;;
        Dec) echo 12 ;;
        *) echo 0 ;;
    esac
}

## Number of days between two Julian day numbers
date_diff()
{
    if [ "${1}" != "" ] && [ "${2}" != "" ]
    then
        echo $((${2} - ${1}))
    else
        echo 0
    fi
}

### Baseline the dates so we have something to compare to
MONTH=$(date "+%m")
DAY=$(date "+%d")
YEAR=$(date "+%Y")
NOWJULIAN=$(date2julian ${MONTH#0} ${DAY#0} ${YEAR})

WARNDAYS=30

while read APPLICATION_URL
do
    ## -servername sends SNI so that name-based virtual hosts return the right certificate
    CERTDATE=$(openssl s_client -host "$APPLICATION_URL" -port 443 -servername "$APPLICATION_URL" -showcerts </dev/null 2>/dev/null | sed -n '/BEGIN CERTIFICATE/,/END CERT/p' | openssl x509 -text 2>/dev/null | sed -n 's/ *Not After : *//p')

    echo "*************************************"

    ## No date means the connection or the certificate parse failed;
    ## report that instead of computing a meaningless day count
    if [ -z "$CERTDATE" ]
    then
        echo "Could not retrieve SSL certificate for ${APPLICATION_URL}"
        echo "Could not retrieve SSL certificate for ${APPLICATION_URL}" >> body.txt
        echo >> body.txt
        continue
    fi

    ## Not After looks like "Jun  1 12:00:00 2025 GMT": month day time year zone
    set -- $CERTDATE
    MONTH=$(getmonth ${1})
    CERTJULIAN=$(date2julian ${MONTH#0} ${2#0} ${4})
    CERTDIFF=$(date_diff ${NOWJULIAN} ${CERTJULIAN})

    echo "SSL certificate for ${APPLICATION_URL} expires in $CERTDIFF days"

    if [ "$CERTDIFF" -lt "$WARNDAYS" ]
    then
        echo "SSL certificate for ${APPLICATION_URL} expires in $CERTDIFF days" >> body.txt
        echo >> body.txt

        echo "Certificate expires sooner than warning threshold (${WARNDAYS} days)"
    fi
done < "${CN_LIST_FILENAME}"

echo "*************************************"

## Only send mail when there is something to report
if [ -s body.txt ]
then
    mailx -s "${MAIL_SUBJECT}" "${MAIL_TO}" < body.txt
fi
rm -f body.txt
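
The same per-host check in a form that separates "expiring", "already expired" and "could not fetch a certificate", which the day-count arithmetic above reports as one number. This is an added example, not the original author's script; it assumes GNU `date` (for `-d`) and `openssl` on the PATH, and `cert_status` and `check_host` are hypothetical names.

```shell
#!/bin/sh
# Added example, not part of the original script. Assumes GNU date and openssl.

# cert_status NOT_AFTER NOW_EPOCH WARN_DAYS
# Prints "OK <days>", "EXPIRING <days>" (days left), "EXPIRED <days>" (days
# since expiry) or "UNKNOWN" when NOT_AFTER is empty or unparsable, which is
# what a failed TLS handshake produces. Returns 0 for OK, 1 to warn, 2 unknown.
cert_status() {
    not_after=$1 now=$2 warn=$3
    [ -n "$not_after" ] || { echo "UNKNOWN"; return 2; }
    end=$(date -u -d "$not_after" +%s 2>/dev/null) || { echo "UNKNOWN"; return 2; }
    if [ "$end" -le "$now" ]; then
        echo "EXPIRED $(( (now - end) / 86400 ))"
        return 1
    fi
    days=$(( (end - now) / 86400 ))          # whole days remaining
    if [ "$days" -lt "$warn" ]; then
        echo "EXPIRING $days"
        return 1
    fi
    echo "OK $days"
}

# check_host HOST [PORT]
# Prints the leaf certificate's notAfter date, or nothing on failure.
# -servername sends SNI so name-based virtual hosts return the right certificate.
check_host() {
    host=$1 port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# Hostnames given as arguments are checked live against the current time.
for h in "$@"; do
    printf '%s: %s\n' "$h" "$(cert_status "$(check_host "$h")" "$(date -u +%s)" 30)"
done

# Constructed sample dates (not from real hosts), with "now" pinned to
# 2025-01-01 00:00:00 UTC so the output is repeatable.
SAMPLE_NOW=1735689600
for sample in "Jun  1 12:00:00 2025 GMT" "Jan 20 12:00:00 2025 GMT" \
              "Dec  1 00:00:00 2024 GMT" ""; do
    printf '%-28s -> %s\n' "[$sample]" "$(cert_status "$sample" "$SAMPLE_NOW" 30)"
done
```

The non-zero return codes let a cron wrapper decide whether to send mail without parsing the output.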


SOA WSM Policy Manager failing to start

In SOA, the Policy Manager (WSM) suddenly started failing, throwing the error below in the logs; the WSM instance on the other node is fine, with no issues. To test it, go to your WebLogic console and try http://host:port/wsm-pm. It throws an error:

<Jul 1, 2014 1:35:54 PM EDT> <Error> <oracle.as.cache> <BEA-000000> <

oracle.ias.cache.NetworkException: J2EE JOC-058 distributed cache initialization failure
J2EE JOC-043 base exception:
J2EE JOC-823 unable to contact the packet-distributor at [localhost:20030] segID=0
at oracle.ias.cache.groupv2.Client.init(Client.java:86)
at oracle.ias.cache.groupv2.GroupMember.<init>(GroupMember.java:383)
at oracle.ias.cache.groupv2.GroupMember.create(GroupMember.java:93)
at oracle.ias.cache.groupv2.GrpCommunication.init(GrpCommunication.java:141)
at oracle.ias.cache.groupv2.GrpCommunication.init(GrpCommunication.java:121)
at oracle.ias.cache.Net.init(Net.java:104)
at oracle.ias.cache.CacheInternal.initNet(CacheInternal.java:2924)
at oracle.ias.cache.CacheInternal.init(CacheInternal.java:695)
at oracle.ias.cache.CacheInternal.init(CacheInternal.java:343)
at oracle.ias.cache.CacheInternal.createNamedCache(CacheInternal.java:2601)
at oracle.ias.cache.Cache.createNamedCache(Cache.java:661)
at oracle.mds.internal.cache.JOCCacheProvider.createNamedCacheInternal(JOCCacheProvider.java:292)
at oracle.mds.internal.cache.JOCCacheProvider.createNamedCache(JOCCacheProvider.java:255)
at oracle.mds.internal.cache.JOCCacheProvider.<init>(JOCCacheProvider.java:87)
at oracle.mds.core.MDSInstance.initCache(MDSInstance.java:1620)
at oracle.mds.core.MDSInstance.<init>(MDSInstance.java:1758)
at oracle.mds.core.MDSInstance.<init>(MDSInstance.java:1710)
at oracle.mds.core.MDSInstance.findAndStoreMDSInstance(MDSInstance.java:2006)
at oracle.mds.core.MDSInstance.getOrCreateInstance(MDSInstance.java:516)
at oracle.mds.core.MDSInstance.getOrCreateInstance(MDSInstance.java:479)
at oracle.adf.share.config.ADFMDSConfig.createMDSInstanceFromelement(ADFMDSConfig.java:251)
at oracle.adf.share.config.MDSConfigFactory.createApplication(MDSConfigFactory.java:123)
at oracle.adf.share.config.ADFConfigFactory.findOrCreateADFConfig(ADFConfigFactory.java:142)
at oracle.adf.share.config.ADFConfigFactory.findOrCreateADFConfig(ADFConfigFactory.java:78)
at oracle.adf.share.config.ADFConfigFactory.findOrCreateADFConfig(ADFConfigFactory.java:56)
at oracle.adf.share.ADFContext.getADFConfigEx(ADFContext.java:891)

To resolve this, follow the steps below:

Solution 1: (This worked for me)

For 2 Nodes –

1. The AdminServer was incorrectly started up on both nodes. Shut them both down.

2. NodeManager was not started on the second node. Start it up.

3. Shut down all soa_server managed servers, then bring them all up again (AdminServer, soa_server1, soa_server2).

Solution 2:

This could be due to the Java Object Cache (JOC) of OWSM needing to be reconfigured.

1. Stop all managed servers, except the AdminServer.

2. Run the following commands on SOAHOST1 only:

cd $MW_HOME/oracle_common/common/bin
./wlst.sh

3. Connect as follows:

wls:/offline> connect()
Please enter your username : weblogic
Please enter your password : welcome1
Please enter your server URL [t3://localhost:7001] :
Connecting to t3://adminhost:7001 with userid weblogic …
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'soa_domain'.

4. Execute the configure-joc.py script:

execfile('/u01/app/oracle/middleware/oracle_common/bin/configure-joc.py')

Enter Hostnames (eg host1,host2) : soahost1,soahost2
Do you want to specify a cluster name (y/n) <y>y
Enter Cluster Name : soacluster
Enter Discover Port : 9991
Enter Distribute Mode (true|false) <true> : true
Do you want to exclude any server(s) from JOC configuration (y/n) <n>n

5. Start all managed servers.

Applicable Versions:

  • Oracle SOA Suite 11g (11.1.1.5)