Check SSL certificate expiration

Q: Is it possible to check when an SSL certificate expires?

A: Yes, you can use the “Script or program” or “Script over SSH” monitor types to do that.

Several approaches are listed below. Note that they all assume you can connect to the site in question via HTTPS.

1. Checking with openssl

A simple shell script can be used in any Unix-like environment that provides OpenSSL, including

  • Cygwin
  • external Linux environment (accessible via SSH)
  • Windows Subsystem for Linux

The sample Bash script below can be used to check the SSL certificate expiration time:

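#!/bin/bash
# Prints the number of seconds until the site's SSL certificate expires.

if [[ -z "$1" ]]; then
    echo "Usage: $0 domain" >&2
    exit 1
fi

DOMAINNAME="$1"
# Fetch the certificate (-servername sends SNI) and keep the text after "notAfter=".
NOTAFTER=$(echo | openssl s_client -connect "${DOMAINNAME}:443" -servername "${DOMAINNAME}" 2>/dev/null | openssl x509 -noout -dates | tail -1 | cut -b 10-)
# Without this check a failed connection would still print a number.
if [[ -z "${NOTAFTER}" ]]; then
    echo "Could not retrieve certificate for ${DOMAINNAME}" >&2
    exit 1
fi
# Convert the expiration time and the current time to Unix epoch seconds (GNU date).
EPOCHEXP=$(date -d "${NOTAFTER}" "+%s")
EPOCHNOW=$(date "+%s")
# Seconds remaining; negative if the certificate has already expired.
echo $(( EPOCHEXP - EPOCHNOW ))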

Alternatively, download the archive containing the script: get-site-certificate-expiration.zip (443 bytes).

1.1. Using Cygwin

The instructions below assume you have placed the script file into
C:\scripts\get-site-certificate-expiration.sh

This article does not explain how to install the Cygwin environment. It is assumed you are using 64-bit Cygwin and the default installation path (change the paths below accordingly if you use a different version and/or installation path).

In the example below, we check the SSL certificate expiration date for the domain ‘google.com’. Create a “Script or program” monitor (for the local host or for any other host), name it “google.com” (without quotes) and use the definition below:

  • Mode: Run program
  • Path: C:\cygwin64\bin\bash.exe
  • Arguments: -c "PATH=/usr/bin; SCRIPTS=`cygpath 'C:\Scripts'`; \"${SCRIPTS}/get-site-certificate-expiration.sh\" $MonitorName"

Get site certificate expiration via Cygwin

Note that the monitor name is used as the script parameter (by inserting $MonitorName). If you only need to check certificate expiration time for a number of sites, you can avoid creating a separate host for every monitor this way.

The monitor returns the number of seconds remaining until the SSL certificate expires; thus you can check whether the performance value is below 604800 seconds (7 times 86400) to be alerted if the certificate expires in less than a week.

1.2. Run checks via SSH

If you have a Unix-like system providing a reasonably up-to-date OpenSSL version, you can similarly set up the “Script or Program over SSH” monitor. Set the monitor name to the domain to check (in this example, ‘google.com’) and use settings like those below:

  • Mode: Run Script
  • How to run a script: Take a script from file
  • File name: C:\scripts\get-site-certificate-expiration.sh
  • Arguments: $MonitorName

Get site certificate expiration by running a script via SSH

Note: the script assumes that OpenSSL emits the expiration date line in a certain position; if the script doesn’t work, check the output of a command like
echo | openssl s_client -connect google.com:443 2>/dev/null | openssl x509 -noout -dates | tail -1
It should return a line like
notAfter=Jul 9 09:52:00 2019 GMT

If it displays something different, please consult the openssl manual for possible changes in the output format.
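The note above, as an added example that is not part of the original script or the downloadable archive: the notAfter line is selected by its label instead of by position, a missing certificate is reported as an error, and the monitor name is checked before it reaches the command line. The function names, exit codes and sample output are assumptions made for illustration; GNU date is assumed, as in the script above.

```bash
#!/bin/bash
# Added example (hypothetical helper names, not from the downloadable archive).

# Print the seconds from NOW_EPOCH ($2) until the notAfter date found in the
# `openssl x509 -noout -dates` output ($1). Returns 1 and prints nothing when
# no parsable notAfter= line is present.
seconds_until_expiry() {
    local dates_text="$1" now_epoch="$2" not_after exp_epoch
    # Select the line by its label, so line order and offsets do not matter.
    not_after=$(printf '%s\n' "$dates_text" | sed -n 's/^notAfter=//p' | head -n 1)
    [ -n "$not_after" ] || return 1
    exp_epoch=$(date -d "$not_after" '+%s' 2>/dev/null) || return 1
    echo $(( exp_epoch - now_epoch ))
}

# The monitor name is substituted into a command line, so accept only
# characters that can appear in a DNS host name.
valid_hostname() {
    case "$1" in
        ''|-*|.*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# Connect to HOST:443 and print the seconds left on its certificate.
check_site() {
    local host="$1" dates
    valid_hostname "$host" || { echo "invalid host name" >&2; return 2; }
    dates=$(echo | openssl s_client -connect "${host}:443" -servername "$host" 2>/dev/null \
            | openssl x509 -noout -dates 2>/dev/null)
    seconds_until_expiry "$dates" "$(date '+%s')" \
        || { echo "no certificate received from ${host}" >&2; return 3; }
}

# Constructed sample output, used to exercise the parser offline.
SAMPLE_DATES='notBefore=Apr 16 09:52:00 2019 GMT
notAfter=Jul  9 09:52:00 2019 GMT'

# Run a live check only when a host name is given on the command line.
if [ "$#" -gt 0 ]; then
    check_site "$1"
fi
```

With this variant a failed connection produces a non-zero exit code and no performance value, so it cannot be mistaken for an expired certificate.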

2. Check with .NET using PowerShell

The PS script can be downloaded from get-site-certificate-expiration-ps1.zip (759 bytes).

If you place it into a folder different from C:\Scripts, change the below settings accordingly.

Similarly, the example below checks the certificate age for the domain ‘google.com’. Create a “Script or program” monitor (for the local host or for any other host), name it “google.com” (without quotes) and use the definition below:

  • Mode: Run program
  • Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • Arguments: -ExecutionPolicy Bypass -NoProfile -NonInteractive "& "C:\Scripts\get-site-certificate-expiration.ps1" -domain $MonitorName"

Get site certificate expiration via PowerShell script

Note: if in doubt, get the full path to the PowerShell executable by running the command
where powershell.exe

Use the provided PS1 script as a template when necessary; you can obtain various other certificate properties this way.
