Weblog entry #319 for simonw

Expiring SSL certificates
Posted by simonw on Sun 12 Apr 2009 at 02:14
That the MI5 website has an expired certificate makes me feel much better that I'm still fighting the process to get a Java applet signing certificate renewed.

https://www.mi5.gov.uk/

Fortunately I wasn't after the form for submitting information about terrorists.

 

Comments on this Entry

Posted by endecotp (86.6.xx.xx) on Tue 14 Apr 2009 at 20:13
Thank you for reminding me to check my own certs....
Can anyone recommend a "once per year" cron thing to remind us of stuff like this?

[ Parent | Reply to this comment ]

Posted by simonw (84.45.xx.xx) on Wed 15 Apr 2009 at 00:03
Our certificate provider emails us 60 days before they expire. Unfortunately they don't do the Java code signing ones. The folks who do emailed us in plenty of time, but it is the second time we've requested one, and the first time I have, and it all seems very arcane.

There are plugins for Nessus and Nagios already that alert on certificates about to expire....

[ Parent | Reply to this comment ]

Posted by endecotp (86.6.xx.xx) on Wed 15 Apr 2009 at 00:13
I moved all of my domain registrations because the previous registrar didn't have a proper automatic warning system. On the first day of my holiday I'd be half way up a mountain and suddenly worry if something was going to expire. Now I get nice reminder emails at just the right time.

But in the case of SSL certs, I'm thinking about my self-signed ones. I have no-one but myself to blame if they expire. I'm sure there must be some dead-simple program that will run from cron each day and warn me as they near expiry. Anyone?

[ Parent | Reply to this comment ]

Posted by simonw (84.45.xx.xx) on Wed 15 Apr 2009 at 00:31
You can use openssl to extract the date.

openssl x509 -in filename.crt -noout -text | grep "Not After"

How you parse it then is up to you. Maybe.....

at $(openssl x509 -in 350.com.crt -noout -text | grep "Not After" | cut -f2- -d":" | cut -b1-8,17-21) " - 2 days"

[ Parent | Reply to this comment ]
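
An added example, not part of the thread above: a daily cron check of the kind asked for, using openssl's -checkend and -enddate options rather than parsing the -text output. The 30-day window and the paths shown in the comments are assumptions.

```shell
#!/bin/sh
# certwarn.sh DAYS FILE...  (hypothetical script name)
# Prints one line per certificate that is unreadable, expired, or within
# DAYS of expiry. cron mails any output to the job owner, so no output
# means nothing needs attention.

# cert_status FILE DAYS -> prints: ok | expiring | expired | unreadable
cert_status() {
    file=$1
    days=$2
    # -checkend also exits non-zero on a missing or corrupt file, so rule
    # that case out first instead of reporting it as "expired".
    openssl x509 -in "$file" -noout >/dev/null 2>&1 || { echo unreadable; return; }
    if ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null; then
        echo expired
    elif ! openssl x509 -in "$file" -noout -checkend $((days * 86400)) >/dev/null; then
        echo expiring
    else
        echo ok
    fi
}

# check_certs DAYS FILE... -> returns 1 if any certificate needs attention
check_certs() {
    days=$1
    shift
    rc=0
    for f in "$@"; do
        status=$(cert_status "$f" "$days")
        [ "$status" = ok ] && continue
        # -enddate prints "notAfter=<date>"; keep only the date part
        end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null | cut -d= -f2)
        echo "$f: $status (notAfter: ${end:-unknown})"
        rc=1
    done
    return $rc
}

# Constructed crontab line (paths are assumptions):
#   0 6 * * * /usr/local/bin/certwarn.sh 30 /etc/ssl/mycerts/*.crt
if [ "$#" -gt 0 ]; then
    check_certs "$@"
fi
```

Reporting unreadable files separately matters for self-signed setups, where a renamed or truncated file would otherwise leave the check silently passing.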
