$ openssl s_client -servername {SERVER_NAME} -connect {SERVER_NAME}:{PORT} | openssl x509 -noout -dates
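Understanding the openssl command options
openssl is a very useful diagnostic tool for TLS and SSL servers. The command-line options used above are as follows.
s_client : The s_client command implements a generic SSL/TLS client that connects to a remote host using SSL/TLS.
-servername $DOM : Sets the TLS SNI (Server Name Indication) extension in the ClientHello message to the given value.
-connect $DOM:$PORT : Specifies the host ($DOM) and optional port ($PORT) to connect to.
x509 : Runs the certificate display and signing utility.
-noout : Prevents output of the encoded version of the certificate.
-dates : Prints the start and expiry dates of the certificate.
Printing the start and expiry dates of a TLS or SSL certificate: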
$ openssl s_client -servername www.baidu.com -connect www.baidu.com:443 | openssl x509 -noout -dates
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
verify return:1
depth=0 C = CN, ST = beijing, L = beijing, OU = service operation department, O = "Beijing Baidu Netcom Science Technology Co., Ltd", CN = baidu.com
verify return:1
notBefore=Apr 2 07:04:58 2020 GMT
notAfter=Jul 26 05:31:02 2021 GMT
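[Screenshot: comparison of the results]
One more note: in some configuration files you may see a PEM file instead. That PEM file is simply the certificate bundle and the private key concatenated, as shown here. Because it contains the private key, it needs the same file protection as the .key file.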
cat 1_www.abc.com_bundle.crt 2_www.abc.com.key > www.abc.com.pem
Below is the approximate file layout of an SSL certificate I applied for; I have replaced my domain name.
.
├── Apache
│ ├── 1_root_bundle.crt
│ ├── 2_www.snsyr.com.crt
│ └── 3_www.snsyr.com.key
├── IIS
│ ├── keystorePass.txt
│ └── www.snsyr.com.pfx
├── Nginx
│ ├── 1_www.snsyr.com_bundle.crt
│ └── 2_www.snsyr.com.key
├── Tomcat
│ ├── keystorePass.txt
│ └── www.snsyr.com.jks
└── www.snsyr.com.csr
Finding the SSL certificate expiry date from a PEM-encoded certificate file
The syntax for querying the expiry time of the TLS/SSL certificate in a certificate file is as follows.
$ openssl x509 -enddate -noout -in {/path/to/my/my.pem}
$ openssl x509 -enddate -noout -in /etc/nginx/ssl/www.abci.biz.fullchain.cer.ecc
$ openssl x509 -enddate -noout -in /etc/nginx/ssl/www.nixcraft.com.fullchain.cer
➜ Nginx openssl x509 -enddate -noout -in 1_www.abc.com_bundle.crt
notAfter=Oct 22 23:59:59 2021 GMT
➜ Nginx openssl x509 -enddate -noout -in www.abc.com.pem
notAfter=Oct 22 23:59:59 2021 GMT
We can also check whether a certificate expires within a given time frame. For example, to find out whether the TLS/SSL certificate expires within the next 7 days (604800 seconds):
$ openssl x509 -enddate -noout -in my.pem -checkend 604800
# Check if the TLS/SSL cert will expire in next 4 months #
$ openssl x509 -enddate -noout -in my.pem -checkend 10520000
If you want to write your own script, you can adapt this freely:
DOM="www.baidu.com"
PORT="443"
## note echo added ##
echo | openssl s_client -servername "$DOM" -connect "$DOM:$PORT" | openssl x509 -noout -dates
For reference, see:
https://testssl.sh
Another good option is Nagios's check_http:
http://nagios-plugins.org/doc/man/check_http.html
# /usr/lib64/nagios/plugins/check_http -H www.abc.cn -C 30,14
SSL OK - Certificate 'www.abc.cn' will expire on 2019-07-10 20:00 +0800/CST. HTTP OK: HTTP/1.1 200 OK - 4756 bytes in 3.038 second response time |time=3.037933s;;;0.000000 size=4756B;;;0
-C, --certificate=INTEGER[,INTEGER]
    Minimum number of days a certificate has to be valid. Port defaults to 443
    (when this option is used the URL is not checked.)

Examples:

CHECK CONTENT: check_http -w 5 -c 10 --ssl -H www.verisign.com
    When the 'www.verisign.com' server returns its content within 5 seconds,
    a STATE_OK will be returned. When the server returns its content but exceeds
    the 5-second threshold, a STATE_WARNING will be returned. When an error occurs,
    a STATE_CRITICAL will be returned.

CHECK CERTIFICATE: check_http -H www.verisign.com -C 14
    When the certificate of 'www.verisign.com' is valid for more than 14 days,
    a STATE_OK is returned. When the certificate is still valid, but for less than
    14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when
    the certificate is expired.

CHECK CERTIFICATE: check_http -H www.verisign.com -C 30,14
    When the certificate of 'www.verisign.com' is valid for more than 30 days,
    a STATE_OK is returned. When the certificate is still valid, but for less than
    30 days, but more than 14 days, a STATE_WARNING is returned.
    A STATE_CRITICAL will be returned when certificate expires in less than 14 days

CHECK SSL WEBSERVER CONTENT VIA PROXY USING HTTP 1.1 CONNECT:
    check_http -I 192.168.100.35 -p 80 -u https://www.verisign.com/ -S -j CONNECT -H www.verisign.com
    all these options are needed: -I -p -u -S(sl) -j CONNECT -H
    a STATE_OK will be returned. When the server returns its content but exceeds
    the 5-second threshold, a STATE_WARNING will be returned. When an error occurs,
    a STATE_CRITICAL will be returned.
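The -checkend test shown earlier can be mapped onto the same OK/WARNING/CRITICAL states that check_http -C 30,14 reports, for certificate files checked locally. The script below is an added example, not code from the original article or from nagios-plugins; cert_state and make_sample_cert are hypothetical names, and the certificates it checks are self-signed samples constructed for the demo.

```shell
#!/bin/sh
# Added example: Nagios-style expiry states from `openssl x509 -checkend`.
# The 30/14 day defaults mirror `check_http -C 30,14`; function names are hypothetical.

# cert_state FILE [WARN_DAYS] [CRIT_DAYS]
# Prints a status line; returns 0=OK, 1=WARNING, 2=CRITICAL, 3=UNKNOWN.
cert_state() {
    file=$1
    warn=${2:-30}
    crit=${3:-14}
    # -checkend also exits non-zero for a file it cannot parse, so rule that
    # out first; otherwise a corrupt file would be reported as "expiring".
    if ! openssl x509 -noout -in "$file" 2>/dev/null; then
        echo "UNKNOWN - cannot read certificate: $file"
        return 3
    fi
    end=$(openssl x509 -enddate -noout -in "$file" | cut -d= -f2)
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if ! openssl x509 -checkend $((crit * 86400)) -noout -in "$file" >/dev/null; then
        echo "CRITICAL - expired or expires within $crit days ($end)"
        return 2
    fi
    if ! openssl x509 -checkend $((warn * 86400)) -noout -in "$file" >/dev/null; then
        echo "WARNING - expires within $warn days ($end)"
        return 1
    fi
    echo "OK - valid for more than $warn days ($end)"
    return 0
}

# make_sample_cert DAYS OUT: constructed self-signed certificate, for the demo only.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2.key" \
        -subj "/CN=example.test" -days "$1" -out "$2" 2>/dev/null
}

# Demo on constructed certificates whose lifetimes hit each state.
demo_dir=$(mktemp -d)
for days in 365 20 5; do
    make_sample_cert "$days" "$demo_dir/$days.pem"
    cert_state "$demo_dir/$days.pem" 30 14 || true
done
rm -rf "$demo_dir"
```

The return codes follow the Nagios plugin convention, so the function can be called from cron or a monitoring wrapper and acted on by exit status alone.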