Leaderboard

Popular Content

Showing content with the highest reputation on 10/23/20 in all areas

  1. I'll believe you if you give me a web archive link dated before 2020. I don't care what the WHO or anyone else says. A document DATED 2017-2018-2019 can convince me. Let me tell you a secret: I told you about Covid back in 2010, but nobody believed me
    3 points
  2. How do I check the TLS/SSL certificate expiration date from my Linux or Unix shell prompt? How can I find the TLS certificate expiry date from Linux or Unix shell scripts?

     We can quickly solve TLS or SSL certificate issues by checking the certificate’s expiration from the command line. Let us see how to determine the TLS or SSL certificate expiration date from a PEM encoded certificate file and a live production website/domain name too when using a Linux, *BSD, macOS or Unix-like system.

     How to check TLS/SSL certificate expiration date from command-line

     To check the SSL certificate expiration date, we are going to use the OpenSSL command-line client. The OpenSSL client provides tons of data, including validity dates, expiry dates, who issued the TLS/SSL certificate, and much more.

     Check the expiration date of an SSL or TLS certificate

     Open the Terminal application and then run the following command:

         $ openssl s_client -servername {SERVER_NAME} -connect {SERVER_NAME}:{PORT} | openssl x509 -noout -dates
         $ echo | openssl s_client -servername {SERVER_NAME} -connect {SERVER_NAME}:{PORT} | openssl x509 -noout -dates

     Let us find out the expiration date for www.nixcraft.com, enter:

         DOM="www.nixcraft.com"
         PORT="443"
         openssl s_client -servername $DOM -connect $DOM:$PORT \
             | openssl x509 -noout -dates

     Sample outputs indicating dates and other information:

         depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
         verify return:1
         depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
         verify return:1
         depth=0 CN = www.nixcraft.com
         verify return:1
         notBefore=Sep 29 23:10:07 2020 GMT
         notAfter=Dec 28 23:10:07 2020 GMT

     Add the echo command to avoid pressing CTRL+C. For instance:

         DOM="www.cyberciti.biz"
         PORT="443"
         ## note echo added ##
         echo | openssl s_client -servername $DOM -connect $DOM:$PORT \
             | openssl x509 -noout -dates

     OpenSSL in action: Check the TLS/SSL certificate expiration date and time

     Understanding openssl command options

     The openssl command is a very useful diagnostic tool for TLS and SSL servers. The openssl command-line options are as follows:

     • s_client : The s_client command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS.
     • -servername $DOM : Set the TLS SNI (Server Name Indication) extension in the ClientHello message to the given value.
     • -connect $DOM:$PORT : This specifies the host ($DOM) and optional port ($PORT) to connect to.
     • x509 : Run the certificate display and signing utility.
     • -noout : Prevents output of the encoded version of the certificate.
     • -dates : Prints out the start and expiry dates of a TLS or SSL certificate.

     Finding SSL certificate expiration date from a PEM encoded certificate file

     The syntax is as follows to query the certificate file for when the TLS/SSL certification will expire:

         $ openssl x509 -enddate -noout -in {/path/to/my/my.pem}
         $ openssl x509 -enddate -noout -in /etc/nginx/ssl/www.cyberciti.biz.fullchain.cer.ecc
         $ openssl x509 -enddate -noout -in /etc/nginx/ssl/www.nixcraft.com.fullchain.cer
         notAfter=Dec 29 23:48:42 2020 GMT

     We can also check if the certificate expires within the given timeframe. For example, find out if the TLS/SSL certificate expires within the next 7 days (604800 seconds):

         $ openssl x509 -enddate -noout -in my.pem -checkend 604800
         # Check if the TLS/SSL cert will expire in next 4 months #
         $ openssl x509 -enddate -noout -in my.pem -checkend 10520000

     Finding out whether the TLS/SSL certificate has expired or will expire within the next N days, in seconds.

     Shell script to determine SSL certificate expiration date from the crt file itself and alert sysadmin

     Here is a sample shell script:

         #!/bin/bash
         # Purpose: Alert sysadmin/developer about the TLS/SSL cert expiry date in advance
         # Author: Vivek Gite {https://www.cyberciti.biz/} under GPL v2.x+
         # -------------------------------------------------------------------------------
         PEM="/etc/nginx/ssl/letsencrypt/cyberciti.biz/cyberciti.biz.fullchain.cer"

         # 7 days in seconds
         DAYS="604800"

         # Email settings
         _sub="$PEM will expire within $DAYS (7 days)."
         _from="system-account@your-domain"
         _to="sysadmin@your-domain"
         _openssl="/usr/bin/openssl"

         $_openssl x509 -enddate -noout -in "$PEM" -checkend "$DAYS" | grep -q 'Certificate will expire'

         # Send email and push message to my mobile
         if [ $? -eq 0 ]
         then
             echo "${_sub}"
             mail -s "$_sub" -r "$_from" "$_to" <<< "Warning: The TLS/SSL certificate ($PEM) will expire soon on $HOSTNAME [$(date)]"
             # See https://www.cyberciti.biz/mobile-devices/android/how-to-push-send-message-to-ios-and-android-from-linux-cli/ #
             source ~/bin/cli_app.sh
             push_to_mobile "$0" "$_sub. See $_to email for detailed log. -- $HOSTNAME " >/dev/null
         fi

     See how to send push notifications to your phone from a script. Of course, you need a working SMTP server to route email. At work we configured AWS SES with Postfix MTA to route all alert emails. See the following tutorials for more information about sending emails from the CLI:

     • UNIX / Linux: Shell Scripting With mail Command
     • Sending Email With Attachments From Unix / Linux Command [ Shell Prompt ]
     • Howto: Send The Content Of a Text File Using mail Command In Unix / Linux

     Say hello to testssl and ssl-cert-check script

     We can use the testssl shell script, which is a free command line tool which checks a server’s service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more. Download and run it as follows:

         $ wget https://testssl.sh/testssl.sh
         $ chmod +x testssl.sh
         $ ./testssl.sh --fast --parallel https://www.cyberciti.biz/

     Another option is to run the ssl-cert-check script, which is a Bourne shell script that can be used to report on expiring SSL certificates. The script was designed to be run from cron and can e-mail warnings or log alerts through nagios.

     Conclusion

     In this quick tutorial, you learned how to find the TLS/SSL certification expiration date from a PEM encoded certificate file, including a live DNS name. Expired TLS/SSL certificates can cause downtime and confusion for end-users. Hence, it is crucial to monitor the expiry date for our TLS/SSL certificates. See the following man pages:

         $ man x509
         $ man s_client

     Source
    2 points
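
An added example, not part of the post above or of the tutorial it quotes: the alert script greps for "Certificate will expire", so a missing or unreadable PEM file produces no alert at all. This sketch classifies the `notAfter=` line instead and reports `UNKNOWN` when openssl gives nothing usable. The function names `cert_status` and `check_pem` are hypothetical, and GNU `date -d` is assumed.

```bash
#!/bin/bash
# Added example (hypothetical helper names); assumes GNU date for -d parsing.

# cert_status "<notAfter=... line>" <warn_days> [now_epoch]
# Prints "OK <days>", "WARN <days>", "EXPIRED" or "UNKNOWN".
# Exit status: 0 ok, 1 expiring soon, 2 expired, 3 could not determine.
cert_status() {
    local line="$1" warn_days="$2" now="${3:-$(date +%s)}" end secs
    case "$line" in
        notAfter=*) ;;                        # openssl's -enddate output
        *) echo "UNKNOWN"; return 3 ;;        # empty or error text: never treat as OK
    esac
    if ! end=$(date -u -d "${line#notAfter=}" +%s 2>/dev/null); then
        echo "UNKNOWN"; return 3
    fi
    secs=$(( end - now ))
    if [ "$secs" -le 0 ]; then
        echo "EXPIRED"; return 2
    elif [ "$secs" -lt $(( warn_days * 86400 )) ]; then
        echo "WARN $(( secs / 86400 ))"; return 1
    fi
    echo "OK $(( secs / 86400 ))"
}

# check_pem <file> <warn_days>: same classification for a PEM file on disk.
# A missing file, an unreadable file or a missing openssl binary all yield UNKNOWN.
check_pem() {
    cert_status "$(openssl x509 -enddate -noout -in "$1" 2>/dev/null)" "$2"
}

# Constructed demo: the notAfter value from the sample output in the post,
# evaluated as of 2020-10-23 00:00:00 UTC (epoch 1603411200).
cert_status "notAfter=Dec 28 23:10:07 2020 GMT" 7 1603411200 || true
check_pem /nonexistent/missing.pem 7 || true
```

From cron, alert on any non-zero exit status of `check_pem`, so that `UNKNOWN` pages someone just as `WARN` and `EXPIRED` do.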