Have you ever walked into work one morning and had people jump on you saying nothing is working? You never got any pages from your monitoring system. Everything appears to still be up. Come to find out, one of your self-signed SSL certificates expired and needs updating. Well, it has happened to some of the Windows admins I have worked with. It is difficult to track and manage self-signed certificates. Even if you have a good handle on it and have automated reminders about certificates that will expire, one can slip by. I came across a utility (script) called "ssl-cert-check.bash", found here:
http://prefetch.net/articles/checkcertificate.html

This does almost exactly what I want. It will show you, and even e-mail you, if you have any servers with expired certificates. I wanted to take it one simple step further: I want a report e-mailed to my department regarding the status of all certificates, whether they have expired or not. So here is what I did. On a Linux server I put the "ssl_cert_check.bash" file in my utility user's home "bin" directory. I then created a file called ssldomains.txt (following the format described in the link above) containing the list of servers that have SSL certificates. I then created a file called "cert_report.bash" in the same bin directory. Its contents look like this:
-----------------------------------------
#!/bin/bash
#
# SCRIPT: cert_report.bash
# AUTHOR: Bob
# DATE: Sep 24, 2012
# REV: 1.1.P (Valid are A, B, D, T, Q, and P)
# (For Alpha, Beta, Dev, Test, QA, and Production)
#
# PLATFORM: Not platform dependent
#
# PURPOSE: This script will call another script to report SSL Cert
# expiration days, save to a text file, and e-mail that text
# file.
#
# set -n # Uncomment to check script syntax, without execution.
# # NOTE: Do not forget to put the # comment back in or
# # the shell script will never execute!
# set -x # Uncomment to debug this shell script
#
##########################################################
# DEFINE FILES AND VARIABLES HERE
##########################################################
THIS_SCRIPT=$(basename "$0")
##########################################################
# DEFINE FUNCTIONS HERE
##########################################################
##########################################################
# BEGINNING OF MAIN
##########################################################
~/bin/ssl_cert_check.bash -f ~/bin/ssldomains.txt > /tmp/SSL_Cert_Report.txt
# mutt requires "--" between the -a attachment list and the recipient addresses.
echo "Attached is the bi-monthly SSL Certificate Expiration Report." | mutt -s "SSL Cert Check Report" -a /tmp/SSL_Cert_Report.txt -- mydepartment@mydomain.com
# End of script
----------------------------------------------
I then added an entry in cron for this to run twice a month.
0 8 1,15 * * ~/bin/cert_report.bash
This delivers a nicely formatted report of my servers and their certificate status. Here is an example of the e-mailed report.
Host                                        Status       Expires      Days
------------------------------------------- ------------ ------------ ----
appsrv.mydomain.com:443                     Valid        Jul 7 2014   643
lync1001.mydomain.com:443                   Valid        Feb 13 2013  134
monitor01.mydomain.com:443                  Valid        Feb 13 2013  134
idm.mydomain.com:443                        Valid        Oct 14 2021  3299
mail.mydomain.com:443                       Valid        Jul 10 2014  646
ntsrv1.mydomain.net:3471                    Valid        Aug 30 2013  332
ops1003.mydomain.net:3471                   Valid        Feb 13 2013  134
web1003.mydomain.net:4443                   Valid        Oct 14 2021  3299
web1004.mydomain.net:4443                   Valid        Oct 14 2021  3299
report.mydomain.com:443                     Valid        Jul 7 2014   643
reportdev.mydomain.com:443                  Valid        Jul 7 2014   643
srvavautil.mydomain.net:443                 Valid        Mar 15 2019  2355
srvmail1002.mydomain.net:443                Valid        Jul 10 2014  646
srvmom01.mydomain.net:443                   Valid        Mar 3 2028   5631
srvmoss001.mydomain.net:443                 Valid        Aug 1 2013   303
srvocs2001.mydomain.net:443                 Valid        Dec 29 2012  88
srvrecord2001.mydomain.net:443              Valid        Feb 13 2013  134
srvslshd1001.mydomain.net:443               Valid        Dec 14 2014  803
srvunibackup1001.mydomain.net:443           Valid        Sep 6 2014   704
srvvault2001.mydomain.net:443               Valid        Sep 6 2014   704
srvwas2001.mydomain.net:443                 Valid        Jan 5 2020   2651
srvwcs2001.mydomain.net:443                 Expired      Dec 16 2011  -291
app.mydomain.com:443                        Valid        Jul 9 2014   645
sftp.mydomain.com:443                       Valid        Feb 10 2015  861
solarwinds.mydomain.com:443                 Valid        Feb 13 2013  134
support.mydomain.com:443                    Valid        Jul 9 2014   645
vcenter01.mydomain.com:443                  Valid        Sep 27 2021  3282
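
In a full-status report like the one above, the single expired entry is easy to overlook among the valid ones. The following is an added example, not part of the original post or of ssl-cert-check: it parses the report format shown above and lists every certificate that is not "Valid" or that expires within a threshold, so the mail subject can say how many need attention. The function names, the 90-day default and the three-row sample are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: triage the report produced by cert_report.bash.
# Assumes data rows look like: host:port  Status  Mon D YYYY  Days

# flag_certs REPORT_FILE [THRESHOLD_DAYS]
# Prints "days host status" for each certificate whose status is not
# "Valid" or whose remaining days are <= THRESHOLD_DAYS (assumed default
# 90), soonest expiry first.
flag_certs() {
    local report=$1 threshold=${2:-90}
    awk -v limit="$threshold" '
        # Data rows start with host:port; header and dash rows do not.
        $1 ~ /:[0-9]+$/ {
            numeric = ($NF ~ /^-?[0-9]+$/)
            # Any status other than Valid is flagged, whatever its Days field.
            if ($2 != "Valid" || (numeric && $NF + 0 <= limit))
                print $NF, $1, $2
        }' "$report" | sort -n
}

# subject_line REPORT_FILE [THRESHOLD_DAYS]
# Builds a mail subject stating how many certificates need attention.
subject_line() {
    local count
    count=$(flag_certs "$@" | wc -l)
    count=$((count))    # drop padding that some wc implementations emit
    if [ "$count" -gt 0 ]; then
        echo "SSL Cert Check Report: $count certificate(s) need attention"
    else
        echo "SSL Cert Check Report: all certificates OK"
    fi
}

# Constructed sample: three rows taken from the report shown above.
make_sample_report() {
    cat <<'EOF'
Host                                        Status       Expires      Days
------------------------------------------- ------------ ------------ ----
appsrv.mydomain.com:443                     Valid        Jul 7 2014   643
srvocs2001.mydomain.net:443                 Valid        Dec 29 2012  88
srvwcs2001.mydomain.net:443                 Expired      Dec 16 2011  -291
EOF
}
```

In cert_report.bash the result of subject_line /tmp/SSL_Cert_Report.txt could be passed to mutt -s in place of the fixed subject, and the output of flag_certs placed at the top of the message body.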