Check SSL chains. checkchain connects to a remote host and verifies that no cert in the chain it presents is about to expire. The checklocalchainfile functions check combined chain files and print each cert's subject/issuer so you can verify the chain is in the right order.
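#######################################
# Connect to a TLS host and report every certificate the server presents,
# flagging any that expires within the check window.
# Only expiry is checked: the chain's trust/validity is not evaluated here
# (s_client's verify result is discarded by the sed filter), so a chain can
# pass this check and still be untrusted or mis-ordered.
# Arguments:
#   $1 - host or host:port (port defaults to 443)
#   $2 - optional expiry window in seconds for 'openssl x509 -checkend'
#        (default 604800 = 7 days)
# Outputs:
#   host:port, then subject/issuer/notAfter of each cert on stdout;
#   "!!! EXPIRING WITHIN N DAYS !!!" for certs inside the window (or certs
#   openssl cannot parse); "Error checking <host>" if any pipeline stage fails
# Returns: 0 when the chain was fetched, 1 if timeout/openssl/sed failed
#######################################
checkchain() {
  local host="$1"
  local window="${2:-604800}"
  local hostname="${host%%:*}"
  local port="${host##*:}"
  # Without a ':' both expansions yield the whole argument → default port.
  [ "${port}" = "${hostname}" ] && port=443
  printf '%s:%s\n' "$hostname" "$port"
  local cert="" line status
  # Each pipeline stage runs in a subshell; 'cert' is only used inside the
  # loop so that is fine. 'echo |' hands s_client an EOF so it disconnects
  # instead of waiting for input; 'timeout 5' bounds a hanging connect.
  echo | timeout 5 openssl s_client -showcerts -servername "${hostname}" \
      -connect "${hostname}:${port}" 2>&1 \
    | sed -n '/BEGIN CERT/,/END CERT/p' \
    | while IFS= read -r line; do
        cert+="${line}"$'\n'
        if [ "$line" = '-----END CERTIFICATE-----' ]; then
          # -checkend exits non-zero when notAfter is inside the window.
          if printf '%s' "${cert}" \
              | openssl x509 -noout -subject -issuer -enddate -checkend "$window"; then
            printf '%s\n' '-----'
          else
            printf '!!! EXPIRING WITHIN %s DAYS !!!\n' "$((window / 86400))"
          fi
          echo
          cert=""
        fi
      done
  # $? of the pipeline is the while loop's status, which is 0 even when the
  # connection failed; check every stage (timeout/openssl, sed, loop) instead.
  for status in "${PIPESTATUS[@]}"; do
    if [ "$status" -ne 0 ]; then
      printf 'Error checking %s\n' "$host"
      echo
      return 1
    fi
  done
  echo
  echo
  return 0
}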
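#######################################
# Print the subject/issuer of every certificate in a PEM bundle, in file
# order, so the chain ordering can be verified by eye.
# Arguments:
#   $1 - path to the combined chain file (required)
#   $@ - remaining args are passed through to 'openssl pkcs7 -print_certs'
# Outputs: subject=/issuer= lines per certificate on stdout
# Returns: 2 if no file was given, else the status of the openssl pipeline
#######################################
checklocalchainfile() {
  local file="$1"
  if [ -z "$file" ]; then
    printf 'checklocalchainfile: chain file path required\n' >&2
    return 2
  fi
  shift
  # Wrapping the bundle in a PKCS#7 structure lets openssl print all certs
  # in one call; "$@" keeps pass-through options intact if they have spaces.
  openssl crl2pkcs7 -nocrl -certfile "${file}" \
    | openssl pkcs7 -print_certs -noout "$@"
}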
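#######################################
# Print subject/issuer of each PEM certificate in a bundle using only
# 'openssl x509', feeding the certs one at a time in file order.
# Arguments:
#   $1 - path to the combined chain file (required, must be readable)
#   $@ - remaining args are passed through to 'openssl x509'
# Outputs: subject=/issuer= lines per cert, each block followed by a blank line
# Returns: 2 if the file argument is missing/unreadable, 0 otherwise
#######################################
checklocalchainfile2() {
  local certfile="$1"
  if [ -z "$certfile" ] || [ ! -r "$certfile" ]; then
    printf 'checklocalchainfile2: readable chain file required\n' >&2
    return 2
  fi
  shift
  local cert="" line
  # '|| [ -n "$line" ]' keeps the last line when the file has no trailing
  # newline; otherwise the final END CERTIFICATE marker is dropped and that
  # cert is silently never printed.
  while IFS= read -r line || [ -n "$line" ]; do
    cert+="${line}"$'\n'
    if [ "$line" = '-----END CERTIFICATE-----' ]; then
      printf '%s' "${cert}" | openssl x509 -noout -subject -issuer "$@"
      echo
      cert=""
    fi
  done < "$certfile"
  return 0
}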