@carlchan
Last active May 19, 2021 13:54
Check SSL chains. checkchain connects to a remote host and verifies that no cert in the chain it serves expires within 7 days. The checklocalchainfile functions read a combined chain file and print each cert's subject/issuer so you can verify the certs are in the right order.
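# Connect to host[:port] and print subject, issuer and end date for every
# certificate the server sends, flagging any that expire within 7 days.
checkchain() {
    local host="$1" hostname port chain cert="" line
    hostname=${host%%:*}
    port=${host##*:}
    # No ":port" suffix given: default to HTTPS
    [ "${port}" = "${hostname}" ] && port=443
    echo "${hostname}:${port}"
    # Capture the PEM blocks first so a failed connection can be reported
    chain=$(echo | timeout 5 openssl s_client -showcerts -servername "${hostname}" -connect "${hostname}:${port}" 2>/dev/null | sed -n '/BEGIN CERT/,/END CERT/p')
    if [ -z "${chain}" ]; then
        echo "Error checking ${host}"
        echo
        return 1
    fi
    while read -r line; do
        cert+="${line}\n"
        if [ "${line}" = '-----END CERTIFICATE-----' ]; then
            # -checkend 604800 exits non-zero if the cert expires within 604800 s (7 days)
            echo -e "${cert}" | openssl x509 -noout -subject -issuer -enddate -checkend 604800 && echo ----- || echo '!!! EXPIRING WITHIN 7 DAYS !!!'
            echo
            cert=""
        fi
    done <<< "${chain}"
    echo
}

# Print subject/issuer for each certificate in a combined chain file, in file order.
# Extra arguments are passed through to "openssl pkcs7".
checklocalchainfile() {
    local file="$1"
    shift
    openssl crl2pkcs7 -nocrl -certfile "${file}" | openssl pkcs7 -print_certs -noout "$@"
}

# Same check, feeding the file to "openssl x509" one PEM block at a time.
# Extra arguments are passed through to "openssl x509".
checklocalchainfile2() {
    local certfile="$1" cert="" line
    shift
    while read -r line; do
        cert+="${line}\n"
        if [ "${line}" = '-----END CERTIFICATE-----' ]; then
            echo -e "${cert}" | openssl x509 -noout -subject -issuer "$@"
            echo
            cert=""
        fi
    done < "${certfile}"
}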
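
The description leaves the ordering check to the reader's eye. The following is an added example, not part of the original gist, that automates it: `verify_chain_order` is a hypothetical helper that reads the `subject=`/`issuer=` lines printed by `checklocalchainfile` or `checklocalchainfile2` and confirms each certificate's issuer is the subject of the next one. The sample chain and its names are constructed.

```shell
# verify_chain_order: hypothetical helper, not from the gist.
# Reads "subject=" / "issuer=" lines on stdin in chain-file order and checks
# that every certificate after the first has a subject equal to the previous
# certificate's issuer (leaf first, root last).
# Assumes subject is printed before issuer, as both gist functions do.
# Returns 0 if ordered, 1 on the first mismatch, 2 if no certificate was read.
verify_chain_order() {
    local line subject="" prev_issuer="" n=0
    while IFS= read -r line; do
        case "$line" in
            subject=*)
                subject="${line#subject=}"
                subject="${subject# }"   # OpenSSL 1.0.x prints "subject= /CN=..."
                ;;
            issuer=*)
                n=$((n + 1))
                if [ "$n" -gt 1 ] && [ "$subject" != "$prev_issuer" ]; then
                    echo "cert $n out of order: expected subject '$prev_issuer', got '$subject'" >&2
                    return 1
                fi
                prev_issuer="${line#issuer=}"
                prev_issuer="${prev_issuer# }"
                ;;
        esac
    done
    [ "$n" -gt 0 ] || return 2
    echo "$n certificates, order OK"
}

# Constructed sample in the format checklocalchainfile2 prints (made-up names).
sample_chain='subject=CN = www.example.test
issuer=CN = Example Intermediate CA

subject=CN = Example Intermediate CA
issuer=CN = Example Root CA

subject=CN = Example Root CA
issuer=CN = Example Root CA'

printf '%s\n' "$sample_chain" | verify_chain_order
```

With a real file this is `checklocalchainfile2 chain.pem | verify_chain_order`. It compares names only, so it catches a misordered bundle but does not validate signatures; `openssl verify` does that.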