x509 certificates: checking TLS/SSL certificate validity from the Linux shell prompt

$ openssl s_client -servername {SERVER_NAME} -connect {SERVER_NAME}:{PORT} | openssl x509 -noout -dates

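Understanding the openssl command options

openssl is a very useful diagnostic tool for TLS and SSL servers. The command-line options used here are as follows.

s_client : The s_client command implements a generic SSL/TLS client that connects to a remote host using SSL/TLS.

-servername $DOM : Sets the TLS SNI (Server Name Indication) extension in the ClientHello message to the given value.

-connect $DOM:$PORT : Specifies the host ($DOM) and optional port ($PORT) to connect to.

x509 : Runs the certificate display and signing utility.

-noout : Prevents output of the encoded version of the certificate.

-dates : Prints the certificate's start and expiry dates.

Print the start and expiry dates of a TLS or SSL certificate: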

openssl s_client -servername www.baidu.com -connect www.baidu.com:443 | openssl x509 -noout -dates
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
verify return:1
depth=0 C = CN, ST = beijing, L = beijing, OU = service operation department, O = "Beijing Baidu Netcom Science Technology Co., Ltd", CN = baidu.com
verify return:1
notBefore=Apr  2 07:04:58 2020 GMT
notAfter=Jul 26 05:31:02 2021 GMT

[Screenshot comparing the results]

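One more remark: in some configuration files what you see may be a PEM file. That PEM file is produced as shown below. Because the result contains the private key, it needs the same restrictive file permissions as the key file.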

cat 1_www.abc.com_bundle.crt 2_www.abc.com.key > www.abc.com.pem

Below is a rough listing of the files for an SSL certificate I applied for; I have replaced my domain name.

.
├── Apache
│   ├── 1_root_bundle.crt
│   ├── 2_www.snsyr.com.crt
│   └── 3_www.snsyr.com.key
├── IIS
│   ├── keystorePass.txt
│   └── www.snsyr.com.pfx
├── Nginx
│   ├── 1_www.snsyr.com_bundle.crt
│   └── 2_www.snsyr.com.key
├── Tomcat
│   ├── keystorePass.txt
│   └── www.snsyr.com.jks
└── www.snsyr.com.csr

Finding the SSL certificate's expiry date from a PEM-encoded certificate file

The syntax is as follows, to query the expiry time of the TLS/SSL certificate in a certificate file:

$ openssl x509 -enddate -noout -in {/path/to/my/my.pem}
$ openssl x509 -enddate -noout -in /etc/nginx/ssl/www.abci.biz.fullchain.cer.ecc
$ openssl x509 -enddate -noout -in /etc/nginx/ssl/www.nixcraft.com.fullchain.cer

➜ Nginx openssl x509 -enddate -noout -in 1_www.abc.com_bundle.crt

notAfter=Oct 22 23:59:59 2021 GMT

➜ Nginx openssl x509 -enddate -noout -in www.abc.com.pem

notAfter=Oct 22 23:59:59 2021 GMT

We can also check whether a certificate expires within a given time window. For example, find out whether the TLS/SSL certificate expires within the next 7 days (604800 seconds).

$ openssl x509 -enddate -noout -in my.pem -checkend 604800
# Check if the TLS/SSL cert will expire in next 4 months #
openssl x509 -enddate -noout -in my.pem -checkend 10520000

If you want to write your own script, feel free to improvise:

DOM="www.baidu.com"
PORT="443"
## note echo added ##
echo | openssl s_client -servername $DOM -connect $DOM:$PORT | openssl x509 -noout -dates

For reference, see:

https://testssl.sh

Another good option is Nagios's check_http:

http://nagios-plugins.org/doc/man/check_http.html

# /usr/lib64/nagios/plugins/check_http -H www.abc.cn -C 30,14

SSL OK - Certificate 'www.abc.cn' will expire on 2019-07-10 20:00 +0800/CST. HTTP OK: HTTP/1.1 200 OK - 4756 bytes in 3.038 second response time |time=3.037933s;;;0.000000 size=4756B;;;0

-C, --certificate=INTEGER[,INTEGER]
    Minimum number of days a certificate has to be valid. Port defaults to 443
    (when this option is used the URL is not checked.)

Examples:

CHECK CONTENT: check_http -w 5 -c 10 --ssl -H www.verisign.com

When the 'www.verisign.com' server returns its content within 5 seconds, a STATE_OK will be returned. When the server returns its content but exceeds the 5-second threshold, a STATE_WARNING will be returned. When an error occurs, a STATE_CRITICAL will be returned.

CHECK CERTIFICATE: check_http -H www.verisign.com -C 14

When the certificate of 'www.verisign.com' is valid for more than 14 days, a STATE_OK is returned. When the certificate is still valid, but for less than 14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when the certificate is expired.

CHECK CERTIFICATE: check_http -H www.verisign.com -C 30,14

When the certificate of 'www.verisign.com' is valid for more than 30 days, a STATE_OK is returned. When the certificate is still valid, but for less than 30 days, but more than 14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when certificate expires in less than 14 days

CHECK SSL WEBSERVER CONTENT VIA PROXY USING HTTP 1.1 CONNECT: check_http -I 192.168.100.35 -p 80 -u https://www.verisign.com/ -S -j CONNECT -H www.verisign.com

all these options are needed: -I  -p  -u  -S(sl) -j CONNECT -H

a STATE_OK will be returned. When the server returns its content but exceeds the 5-second threshold, a STATE_WARNING will be returned. When an error occurs, a STATE_CRITICAL will be returned.
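The two-threshold behaviour of check_http -C 30,14 can be reproduced with openssl x509 -checkend alone, for hosts where the Nagios plugins are not installed. The following is an added example, not code from the original post or from Nagios; the function names cert_state and remote_cert_state and the default thresholds of 30 and 14 days are assumptions.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not from the post or Nagios).
# Exit codes follow the Nagios convention: 0 = OK, 1 = WARNING, 2 = CRITICAL.

# cert_state PEM_FILE [WARN_DAYS] [CRIT_DAYS]
# Note: openssl x509 reads only the first certificate in a bundle file.
cert_state() {
    pem=$1 warn_days=${2:-30} crit_days=${3:-14}
    # Unreadable or non-certificate input must never be reported as OK.
    end=$(openssl x509 -enddate -noout -in "$pem" 2>/dev/null) || {
        echo "CRITICAL - cannot parse certificate: $pem"; return 2; }
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if ! openssl x509 -noout -in "$pem" -checkend 0 >/dev/null; then
        echo "CRITICAL - already expired ($end)"; return 2
    elif ! openssl x509 -noout -in "$pem" -checkend $((crit_days * 86400)) >/dev/null; then
        echo "CRITICAL - expires within $crit_days days ($end)"; return 2
    elif ! openssl x509 -noout -in "$pem" -checkend $((warn_days * 86400)) >/dev/null; then
        echo "WARNING - expires within $warn_days days ($end)"; return 1
    fi
    echo "OK - valid for more than $warn_days days ($end)"; return 0
}

# remote_cert_state HOST [PORT] [WARN_DAYS] [CRIT_DAYS]
# Fetches the server's leaf certificate (with SNI) and classifies it.
remote_cert_state() {
    host=$1 port=${2:-443}
    tmp=$(mktemp) || return 2
    # "echo |" closes stdin so s_client exits after the handshake; a failed
    # connection leaves $tmp empty, which cert_state reports as CRITICAL.
    echo | openssl s_client -servername "$host" -connect "$host:$port" 2>/dev/null \
        | openssl x509 -out "$tmp" 2>/dev/null || true
    rc=0; cert_state "$tmp" "${3:-30}" "${4:-14}" || rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

Source the file and call cert_state www.abc.com.pem 30 14 or remote_cert_state www.baidu.com 443 30 14; the return code can drive cron mail or a monitoring agent.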