Periodic script to notify upcoming x509 certificate expiry

I want to install a periodic script to send out a reminder for certificates whose expiry is, say, imminent or recent, or a full list of certs with their expiry dates. A web search has only found (generic) solutions for checking active SSL certs (Let's Encrypt etc), but I also want to cover locally generated CA certs, client certs etc.

So just wondering whether anyone knows of any existing solution? Something that can be configured with a list of directories to scan, say, e.g. various easyrsa/pki/issued, /etc/mail/certs, etc.

Easy enough to create one, but re-inventing wheels, etc.
 
Yes, and yes. But py-certbot only knows about Let's Encrypt certs, unless I'm missing something?

openssl-x509(1) also has:

-enddate
Prints out the expiry date of the certificate, that is the notAfter date.

and:

-checkend arg
Checks if the certificate expires within the next arg seconds and exits nonzero if yes it will expire or zero if not.


Just checking whether there is something already floating about before I invent a single-spoke, ovoid wheel.
 
But py-certbot only knows about Let's Encrypt certs, unless I'm missing something?
Yes, but you could look at their scripts and get some inspiration on how to implement something suitable for your situation.
 
The certbot periodic scripts (the ones that I looked at) are very specific to certbot/Let's Encrypt and not really adaptable.

One I found that seemed useful comes from the port filesystems/zrepl

The (pre-installation source) script can be found in: /usr/ports/filesystems/zrepl/files/500.zrepl.in
or alternatively the installable script can be extracted from the port's pkg(8) file.
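
A directory-scanning check built on the `-enddate` and `-checkend` options quoted in the thread, as an added example that is not code from any poster or from the zrepl port. `CERT_DIRS`, `WARN_DAYS` and the function names are assumptions; the default path is one of the directories named in the question.

```shell
#!/bin/sh
# Added example (not from the thread): report certificates that have expired
# or will expire within WARN_DAYS. CERT_DIRS and WARN_DAYS are assumed names.
CERT_DIRS="${CERT_DIRS:-/etc/mail/certs}"   # space-separated directories to scan
WARN_DAYS="${WARN_DAYS:-30}"

# cert_status FILE SECONDS: print EXPIRED, EXPIRING or OK; return 1 if FILE
# is not a parseable certificate (a key, a CSR, an index file).
cert_status() {
    # -checkend also exits nonzero on unreadable input, so a private key would
    # be reported as "expiring" unless the file is confirmed to parse first.
    openssl x509 -in "$1" -noout -enddate >/dev/null 2>&1 || return 1
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
}

# scan_certs SECONDS DIR...: one "STATUS<TAB>notAfter<TAB>path" line for each
# certificate needing attention. Only the first certificate in a file is read.
scan_certs() {
    secs=$1; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f \( -name '*.crt' -o -name '*.pem' -o -name '*.cer' \) |
        while IFS= read -r f; do
            st=$(cert_status "$f" "$secs") || continue
            [ "$st" = OK ] && continue
            end=$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)
            printf '%s\t%s\t%s\n' "$st" "$end" "$f"
        done
    done
}

# periodic(8) mails whatever the script prints; no output means nothing is due.
# $CERT_DIRS is left unquoted on purpose so it splits into separate directories.
scan_certs "$((WARN_DAYS * 86400))" $CERT_DIRS
```

Run it with, for example, `CERT_DIRS="/etc/mail/certs /path/to/easyrsa/pki/issued" WARN_DAYS=45`, where the second path is a placeholder for a local easyrsa tree.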
 