Check expiration date for certificates in JVM cacerts file
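#!/bin/bash
######################################################
# List certificates, find if a cert is expired.
# Requirements for sending emails: postfix, mailutils
#
# 15-12-2015
# Julian Capilla
# lyhan_jr@hotmail.com
######################################################
#
# Usage: <script> {cacerts file} {alias | -P | --all | --help} {optional email}
#
# The shebang must be the first line of the file; placed below the banner it
# is only a comment and the script runs under whatever shell invoked it.
#
# Security notes:
#  * The store password is passed to keytool on the command line, so it is
#    visible to other local users in the process list. That is harmless for
#    the stock "changeit" value; for a keystore with a real password use
#    keytool's -storepass:env or -storepass:file modifiers instead.
#  * Every expansion is quoted so that a path, alias or recipient containing
#    whitespace or glob characters cannot be split into extra arguments.
#  * Parsing relies on keytool's English "Valid from: ... until: ..." line.

pass="changeit"
cacerts="$1"
alias="$2"
to="$3"
# Send the warning mail when fewer than this many days remain.
readonly warn_days=30

# Print the raw alias column of `keytool -list` (same output as option -P).
# keytool's header lines are passed through unchanged, as before.
list_aliases() {
  keytool -list -keystore "$cacerts" -storepass "$pass" \
    | grep -v Certificate \
    | cut -d, -f 1
}

# Report whether the certificate stored under alias $1 is still valid and,
# when a recipient was given, mail a warning if it expires within warn_days.
# Prints "Valid until: <date>", "Expired: <date>" or
# "Certificate alias not found." on stdout.
# Returns 1 only when the expiry date cannot be parsed.
check_alias() {
  local name=$1
  local output expires expiry_epoch now_epoch days_left

  output="$(keytool -list -v -alias "$name" -keystore "$cacerts" -storepass "$pass" | grep Valid)"
  if [ -z "$output" ]; then
    echo "Certificate alias not found."
    return 0
  fi

  # An entry with a chain prints one validity line per certificate; the first
  # one belongs to the entry's own certificate.
  expires="$(printf '%s\n' "$output" | sed -n 's/.*until: *//p' | head -n 1)"

  # `date --date=""` silently means "today", so reject an empty value
  # explicitly instead of reporting a bogus expiry.
  if [ -z "$expires" ] || ! expiry_epoch="$(date --date="$expires" "+%s")"; then
    echo "Cannot parse expiry date '$expires' for alias '$name'." >&2
    return 1
  fi
  now_epoch="$(date "+%s")"

  # Check if email and send email if cert is about to expire in less than 30 days.
  # The difference is taken in epoch seconds: subtracting YYYYMMDD integers is
  # not a day count (20160101 - 20151231 = 8870), which suppressed warnings
  # across month and year boundaries.
  if [ -n "$to" ]; then
    days_left=$(( (expiry_epoch - now_epoch) / 86400 ))
    if [ "$days_left" -lt "$warn_days" ]; then
      echo "Please renew certificate in '$cacerts'. Certificate '$name' expires $expires" \
        | mail -s "Certificate about to expire in $(hostname)" "$to"
    fi
  fi

  if [ "$now_epoch" -lt "$expiry_epoch" ]; then
    echo "Valid until: $expires"
  else
    echo "Expired: $expires"
  fi
}

if [ -z "$cacerts" ]; then
  echo "Please enter cacerts file path" >&2
  exit 1
fi

if [ "$alias" = "--help" ] || [ "$cacerts" = "--help" ]; then
  echo "Read cacert file and print expiration time of certificates"
  echo ""
  echo "$(basename -- "$0") {cacerts file} {alias | option} {optional email}"
  echo "Example: $(basename -- "$0") cacerts alias test@email.com,test2@email.com"
  echo "Options:"
  echo -e "\t-P\t\tPrints all aliases in cacerts file."
  echo -e "\t--all\t\tCheck all the certificates."
  echo -e "\t--help\t\tPrint this help."
  echo ""
  exit 0
fi

if [ -z "$alias" ]; then
  echo "Please enter alias or valid option" >&2
  exit 1
fi

if [ ! -f "$cacerts" ]; then
  echo "$cacerts is not a valid file." >&2
  exit 1
fi

case "$alias" in
  -P)
    # List aliases
    list_aliases
    ;;
  --all)
    # Read one alias per line so aliases containing spaces (for example
    # "name [jdk]") stay intact, and call the check directly instead of
    # re-executing ./"$0", which only worked when the script was started
    # from its own directory. The list is read on fd 3 so nothing run inside
    # the loop can consume it from stdin.
    while IFS= read -r entry <&3; do
      [ -n "$entry" ] || continue
      # Header lines of the listing are not aliases; they yield
      # "Certificate alias not found." and are dropped by this filter.
      result="$(check_alias "$entry" | grep -E 'Valid|Expired')"
      if [ -n "$result" ]; then
        printf '%s\t[%s]\n' "$result" "$entry"
      fi
    done 3< <(list_aliases)
    ;;
  *)
    # Check dates
    check_alias "$alias"
    ;;
esac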
Thanks for providing the script. Can you help me to first redirect the expired certificates to a file?
Thanks for providing the script. Can you help me to first redirect the expired certificates to a file?
Now it can be added as a cronjob to check all the certificates in a cacert file with the option "--all" as the second argument.