@red-avtovo
Created November 22, 2020 21:21
Get main info about Vault certs
#!/bin/bash
# List every certificate issued by a Vault PKI mount and print, per serial:
# lease renewability, CA flag, revocation flag, expiry date, whether it expires
# within 30/60 days, and its DNS SANs (subject if it has none).
set -u

VAULT_URL="${VAULT_ADDR:-http://localhost:8200}/v1"
# Read the token from the environment rather than hardcoding it in the script.
TOKEN="${VAULT_TOKEN:?VAULT_TOKEN must be set}"

# Scratch directory for the PEM files (unpredictable name, removed on exit).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

res=$(curl -sf \
  --header "X-Vault-Token: $TOKEN" \
  --request LIST \
  "$VAULT_URL/pki/certs")
if [ -z "$res" ]; then
  echo "LIST $VAULT_URL/pki/certs failed (bad token, wrong mount, or no certs)" >&2
  exit 1
fi
keys=$(echo "$res" | jq -r '.data.keys[]')

format="%60s | %-9s | %-3s | %-4s | %24s | %5s | %5s | %40s |\n"
printf "$format" "SERIAL" "Renewable" "CA" "Rvkd" "EXPIRE" "in30d" "in60d" "SUBJECT"
echo "-------------------------------------------------------------+-----------+-----+------+--------------------------+-------+-------+------------------------------------------+"

for key in $keys; do
  res=$(curl -sf \
    --header "X-Vault-Token: $TOKEN" \
    "$VAULT_URL/pki/cert/$key")
  renewable=$(echo "$res" | jq -r '.renewable')
  cert=$(echo "$res" | jq -r '.data.certificate')
  # revocation_time is 0 for certificates that have not been revoked.
  revoked=$(echo "$res" | jq -r '.data.revocation_time')
  revoked=$(if [ "$revoked" != "0" ]; then echo "*"; else echo ""; fi)

  # jq -r already decodes the PEM line breaks, so the certificate is written as-is.
  cert_file="$tmpdir/$key.crt"
  printf '%s\n' "$cert" > "$cert_file"

  # Subject in RFC 2253 form (e.g. "CN=example.com"), without the "subject=" prefix.
  subject=$(openssl x509 -noout -in "$cert_file" -subject -nameopt RFC2253 | sed 's/^subject= *//')
  expire=$(openssl x509 -noout -in "$cert_file" -enddate | cut -d "=" -f2)
  ca_string=$(openssl x509 -noout -in "$cert_file" -purpose | grep -e "^SSL server CA" | cut -d ":" -f2 | xargs)
  is_ca=$(if [ "$ca_string" == "Yes" ]; then echo "*"; else echo ""; fi)
  # DNS SANs, space separated; fall back to the subject when there is no SAN extension.
  subjects=$(openssl x509 -in "$cert_file" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ',' | sed -e "s/DNS://g" | xargs)
  subjects="${subjects:-$subject}"
  # -checkend exits non-zero when the certificate expires within the given number of seconds.
  in30=$(if ! openssl x509 -noout -in "$cert_file" -checkend 2592000 >/dev/null; then echo "*"; else echo ""; fi)
  in60=$(if ! openssl x509 -noout -in "$cert_file" -checkend 5184000 >/dev/null; then echo "*"; else echo ""; fi)
  printf "$format" "$key" "$renewable" "$is_ca" "$revoked" "$expire" "$in30" "$in60" "$subjects"
done
@red-avtovo

Output example

                                                      SERIAL | Renewable | CA  | Rvkd |                   EXPIRE | in30d | in60d |                                  SUBJECT |
-------------------------------------------------------------+-----------+-----+------+--------------------------+-------+-------+------------------------------------------+
 1b-51-79-8a-13-5d-f1-85-2a-d2-b0-d1-3a-a1-3b-40-16-23-23-c0 | false     | *   |      | Dec 24 16:06:51 2020 GMT |       |     * |                              example.com |
 31-d4-11-8e-2c-99-3a-4c-0c-55-33-49-a8-e1-9d-a0-e9-94-0c-f8 | false     |     |      | Nov 24 16:41:38 2020 GMT |     * |     * |                         test.example.com |
 3b-ac-b5-e7-d2-25-7d-07-e1-56-90-47-88-fa-55-1a-62-c0-db-0b | false     |     |      | Nov 23 20:01:24 2020 GMT |     * |     * |      *.test.example.com test.example.com |
 78-f2-a1-06-cb-4a-5a-03-41-78-91-8a-3c-29-5a-25-6c-ae-59-3e | false     |     | *    | Nov 23 16:10:54 2020 GMT |     * |     * |                         test.example.com |
