Revision 7821, 3.1 KB checked in by pjkersha, 9 years ago (diff)

Bash script to check the validity of a certificate from a given server running over SSL.

  • added the ability to check certificates returned for expiry in X days from now - useful for checking for cert renewal.
  • Property svn:executable set to *
  • Property svn:keywords set to Id
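#!/bin/bash
#
# Get an SSL certificate from a server and verify it against a set of trusted CA
# certificates and check it for time validity. e.g. check multiple services:
#
# $ sslcertcheck.sh -c "somewhere.ac.uk:443 somewhereelse.ac.uk:6000" -p ./ca-dir
#
# It outputs the status for each connection made and exits with 1 if any of them
# fails; exits with 0 if all succeed.  To check a single connection e.g.
#
# $ sslcertcheck.sh --connect someservice.ac.uk:8443 --CApath ./ca-dir
#
# - this example uses alternative long form for command line options.
#
# -d|--days-expiry-from-now N additionally fails any certificate that expires
# within N days of now (decimals allowed) - useful for spotting renewals that
# are due.
#
# Requires: bash, util-linux (enhanced) getopt, GNU date, bc and openssl.
#
# NOTE(review): what is checked is chain verification (against -CApath, or the
# OpenSSL build's default trust store when no -CApath is given) and the leaf
# certificate's notAfter date.  The certificate's subject/SAN is NOT matched
# against the host name, so any unexpired certificate issued by a trusted CA
# passes for any host.  Where the installed OpenSSL supports it (1.1.0 or
# later - confirm with "openssl version"), add "-verify_hostname $host" to the
# s_client invocation below to close that gap.
#
# Author: P J Kershaw
#
# Date: 14/01/2011
#
# Copyright: (C) 2011 STFC
#
# License: BSD
#
# $Id$

usage="Usage: $(basename "$0") [-h|--help] [-c|--connect \"host1:port1 host2:port2 ... hostN:portN\"] [-p|--CApath dir] [-d|--days-expiry-from-now days]"

# The long option list must be comma separated, and --days-expiry-from-now
# takes a required argument to match the "d:" short option spec and the
# unconditional "$2" read in the case statement below.
cmdline_opt=$(getopt -o hc:p:d: --long help,connect:,CApath:,days-expiry-from-now: -n "$0" -- "$@")
# $? must be tested immediately after getopt; any statement in between
# (even an assignment) would replace it with its own status.
if [ $? -ne 0 ]; then
    echo "$usage" >&2
    exit 1
fi

# Note the quotes around `$cmdline_opt': they are essential!
eval set -- "$cmdline_opt"

connect_strings=""
ca_dir=""
days_expiry_from_now=""
while true; do
    case "$1" in
        -h|--help) echo "$usage"; exit 0 ;;
        -c|--connect) connect_strings=$2; shift 2 ;;
        -p|--CApath) ca_dir=$2; shift 2 ;;
        -d|--days-expiry-from-now) days_expiry_from_now=$2; shift 2 ;;
        --) shift; break ;;
        *) echo "Internal error!" >&2; exit 1 ;;
    esac
done

if [ -z "$connect_strings" ]; then
    echo "No connection string set" >&2
    echo "$usage" >&2
    exit 1
fi

# Keep the verification arguments in an array so a CA directory path
# containing whitespace is passed to openssl as a single argument.
verify_args=()
if [ -n "$ca_dir" ]; then
    if [ ! -d "$ca_dir" ]; then
        echo "CA directory \"$ca_dir\" does not exist" >&2
        exit 1
    fi
    verify_args=(-CApath "$ca_dir")
fi

# Use bc to allow for decimal days.  The trailing "/ 1" at bc's default
# scale of 0 truncates the result to whole seconds: the date comparison
# below is integer-only and "[ ... -lt ... ]" rejects values like "129600.0".
if [ -n "$days_expiry_from_now" ]; then
    case "$days_expiry_from_now" in
        *[!0-9.]*|*.*.*)
            echo "Invalid number of days: \"$days_expiry_from_now\"" >&2
            exit 1 ;;
    esac
    secs_expiry_from_now=$(echo "($days_expiry_from_now * 86400) / 1" | bc)
else
    secs_expiry_from_now=0
fi

# Check each connection in turn ... ($connect_strings is deliberately left
# unquoted: it is a whitespace separated list of host:port words.)
exit_code=0
for connect_string in $connect_strings; do
    echo -n "Checking \"$connect_string\""

    # Send the host name as SNI so that a server hosting several names
    # presents the certificate for this one rather than its default.
    host=${connect_string%:*}
    output=$(echo | openssl s_client -connect "$connect_string" -servername "$host" "${verify_args[@]}" 2>&1)
    if [ $? -ne 0 ]; then
        # Terminate the progress line before reporting on stderr.
        echo
        echo "Connection to \"$connect_string\" failed: $output" >&2
        exit_code=1
        continue
    fi

    verify_return_msg=$(echo "$output" | grep "Verify return code:" | awk -F': ' '{print $2}')
    verify_return_code=$(echo "$verify_return_msg" | awk '{print $1}')
    cert_output=$(echo "$output" | sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -subject -enddate)

    # Strip the field labels rather than splitting on a literal "subject= ":
    # newer OpenSSL prints "subject=C = GB, ..." with no space after the "=".
    subject=$(echo "$cert_output" | grep '^subject=' | sed 's/^subject=[[:space:]]*//')
    expiry_date=$(echo "$cert_output" | grep '^notAfter=' | sed 's/^notAfter=//')

    echo -n ", certificate \"$subject\": "

    # Refuse to report OK when the openssl output could not be parsed - an
    # empty return code or date would otherwise either crash the integer
    # tests below or silently pass.
    if [ -z "$verify_return_code" ] || [ -z "$expiry_date" ]; then
        echo "unable to parse certificate or verification result from openssl output"
        exit_code=1
        continue
    fi

    # Per-connection status: the cumulative exit_code must not suppress the
    # "OK" (and the line terminator) for later connections once an earlier
    # one has failed.
    status=0

    if [ "$verify_return_code" -ne 0 ]; then
        echo "$verify_return_msg"
        status=1
    fi

    expiry_date_secs=$(date --date="$expiry_date" +%s 2>/dev/null)
    if [ -z "$expiry_date_secs" ]; then
        echo "unable to parse expiry date \"$expiry_date\""
        exit_code=1
        continue
    fi
    current_date_secs=$(date +%s)
    test_date_secs=$((current_date_secs + secs_expiry_from_now))

    if [ "$expiry_date_secs" -lt "$test_date_secs" ]; then
        test_date=$(date -d "1970-01-01 $test_date_secs sec GMT")
        echo "certificate expires before $test_date"
        status=1
    fi

    if [ "$status" -eq 0 ]; then
        echo "OK"
    else
        exit_code=1
    fi
done

exit $exit_code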