Expiring SSL certificates
Posted by simonw on Sun 12 Apr 2009 at 02:14
Tags: none.
That the MI5 website has an expired certificate makes me feel much better that I'm still fighting the process to get a Java applet signing certificate renewed.

https://www.mi5.gov.uk/

Fortunately I wasn't after the form for submitting information about terrorists.

Comments on this Entry

Re: Expiring SSL certificates
Posted by endecotp (86.6.xx.xx) on Tue 14 Apr 2009 at 20:13
Thank you for reminding me to check my own certs....
Can anyone recommend a "once per year" cron thing to remind us of stuff like this?

[ Parent ]

Re: Expiring SSL certificates
Posted by simonw (84.45.xx.xx) on Wed 15 Apr 2009 at 00:03
Our certificate provider emails us 60 days before they expire. Unfortunately they don't do the Java code signing ones. The folks who do emailed us in plenty of time, but it is the second time we've requested one, and the first time I have, and it all seems very arcane.

There are plugins for Nessus and Nagios already that alert of certificates about to expire....

[ Parent ]

Re: Expiring SSL certificates
Posted by endecotp (86.6.xx.xx) on Wed 15 Apr 2009 at 00:13
I moved all of my domain registrations because the previous registrar didn't have a proper automatic warning system. On the first day of my holiday I'd be half way up a mountain and suddenly worry if something was going to expire. Now I get nice reminder emails at just the right time.

But in the case of SSL certs, I'm thinking about my self-signed ones. I have no-one but myself to blame if they expire. I'm sure there must be some dead-simple program that will run from cron each day and warn me as they near expiry. Anyone?

[ Parent ]

Re: Expiring SSL certificates
Posted by simonw (84.45.xx.xx) on Wed 15 Apr 2009 at 00:31
You can use openssl to extract the date.

openssl x509 -in filename.crt -noout -text | grep "Not After"

How you parse it then is up to you. Maybe.....

at $(openssl x509 -in 350.com.crt -noout -text | grep "Not After" | cut -f2- -d":" | cut -b1-8,17-21) " - 2 days"

[ Parent ]
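
One way to do the daily cron check asked for in this thread, as an added example that is not part of the original comments: it reads each certificate's end date with openssl, as suggested above, and prints a line only for certificates that are expired, unreadable, or inside a warning window. GNU date, the WARN_DAYS variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: daily cron check for certificates nearing expiry.
# Assumes GNU date (-d) and the openssl CLI; WARN_DAYS and the file
# paths passed on the command line are placeholders.
WARN_DAYS="${WARN_DAYS:-30}"

# secs_left "<notAfter date>" [now_epoch] -> seconds until expiry
# (negative once expired); returns 1 if the date cannot be parsed.
secs_left() {
    exp=$(date -u -d "$1" +%s 2>/dev/null) || return 1
    now=${2:-$(date -u +%s)}
    echo $(( $exp - $now ))
}

# cert_enddate FILE -> e.g. "Apr 12 02:14:00 2009 GMT" (empty on error)
cert_enddate() {
    openssl x509 -in "$1" -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# classify SECONDS -> OK, WARN (inside the warning window) or EXPIRED
classify() {
    if [ "$1" -lt 0 ]; then echo EXPIRED
    elif [ "$1" -le $(( $WARN_DAYS * 86400 )) ]; then echo WARN
    else echo OK
    fi
}

# check_certs FILE... -> one line per problem certificate, status 1 if any
check_certs() {
    bad=0
    for f in "$@"; do
        end=$(cert_enddate "$f")
        if [ -z "$end" ] || ! s=$(secs_left "$end"); then
            echo "UNREADABLE $f"; bad=1; continue
        fi
        state=$(classify "$s")
        [ "$state" = OK ] && continue
        echo "$state $f: notAfter=$end ($(( $s / 86400 )) days)"; bad=1
    done
    return "$bad"
}

# Silent when everything is fine, so cron only sends mail on a problem.
if [ "$#" -gt 0 ]; then check_certs "$@"; fi
```

Run it from a daily crontab entry with the certificate files as arguments; because it prints nothing when every certificate is outside the warning window, cron's mail-on-output behaviour acts as the reminder.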