Skip to main content

You are here

certwatch

Automated SSL certificate expiration check

It is quite simple to automate checking for near expiring SSL certificates in CentOS. This is accomplished using the certwatch tool. This tool is part of the crypto-utils package.

yum install crypto-utils

Installing crypto-utils, will create the following cron job, /etc/cron.daily/certwatch. By default the /etc/cron.daily/certwatch script only checks for SSL certificates loaded by Apache (httpd -t -DDUMP_CERTS). So Apache users don't have to do any additional config changes to in order to automate the check of near expiring SSL certificates.

Since in https://www.rubysecurity.org I use Nginx as a SSL termination proxy for an Apache backend webapp on a different machine. I had to manually update the /etc/cron.daily/certwatch script to point to my SSL certificates directly.

    #certs=`${httpd} ${OPTIONS} -t -DDUMP_CERTS 2>/dev/null | /bin/sort -u`
    INCLUDE_CERTS='/etc/nginx/certs/*.crt'
    certs=`ls $INCLUDE_CERTS 2>/dev/null`

Here is an example of an expired SSL certificate alert

[[email protected] certs]# certwatch /etc/nginx/certs/www.rubysecurity.org_2014/www.rubysecurity.org.crt
To: root
Subject: The certificate for www.rubysecurity.org has expired

################# SSL Certificate Warning ################

Certificate for hostname 'www.rubysecurity.org', in file (or by nickname):
/etc/nginx/certs/www.rubysecurity.org_2014/www.rubysecurity.org.crt

The certificate needs to be renewed; this can be done
using the 'genkey' program.

Browsers will not be able to correctly connect to this
web site using SSL until the certificate is renewed.

##########################################################
Generated by certwatch(1)

certwatch is far from perfect. It doesn't have any verbose output when doing a check, it solely relies on its exit status to verify if the check was successful. Excerpt from the man page is somewthat appalling.

DIAGNOSTICS
The exit code indicates the state of the certificate:

0
The certificate is outside its validity period, or approaching expiry

1
The certificate is inside its validity period, or could not be parsed

Linux: 

Awesome Applications: 

Premium Drupal Themes by Adaptivethemes