Monitoring Studio: Monitoring SSL Certificate Expiration Date

How to automatically know when an SSL Certificate is reaching its expiration date with Monitoring Studio and BMC Performance Manager Express Monitoring Studio.

Objective

To be automatically notified when an SSL Certificate is about to reach its expiration date.

Solution

Monitor SSL Certificate Expiration dates with Monitoring Studio.

On Linux systems

A shell script for this task already exists and can be downloaded from here:

Details about how to use this script can be found at the same address.

Configure Monitoring Studio/Monitoring Studio Express to run the following command:

$ ssl-cert-check -f ssldomains
Host                                            Status       Expires      Days Left
----------------------------------------------- ------------ ------------ ----------
www.prefetch.com:443                            Valid        May 23 2006  218

A Numerical Value Extraction can be used to collect the "Days Left" value, upon which thresholds can be set.

On Windows systems

A simple batch file has been written by Sentry Software (below) that can perform the same task.

This batch file will return the number of days until expiry.  

Note: the value can include a fraction of a day, due to the way the calculation is done and how leap years are taken into account.
The batch file might require customization based on the date format returned by the Windows system. English, French, German and Swedish formats are included by default.

Batch file installation instructions for Monitoring Studio KM for PATROL

  1. Install openssl on the Server with the PATROL Agent and add c:\openssl\bin to the main system path. 
  2. A copy of nawk.exe will also need to be in the main system path.
  3. Create a new Command Line Analysis
    Command to execute - ssl-cert-check <hostname> <port>
    e.g. - ssl-cert-check redhat.com 443
  4. Create a numerical value extraction. 
    “In the following Column Number”
    “1”
    Format - “100000.00”
  5. Then set the thresholds you require.

Batch file installation instructions for BMC Performance Manager Express Monitoring Studio

  1. Install openssl on a Server. Add c:\openssl\bin to the main system path.  A copy of nawk.exe will also need to be in the main system path.
  2. Test the batch file by running: ssl-cert-check redhat.com 443
  3. Add an element in Portal of type Windows.
  4. Add Studio - Remote Command Execution and Analysis (Windows)
    Enter credentials
    Add a Remote Command Execution and Analysis (Windows) : Input properties
    Command to execute - ssl-cert-check <hostname> <port>
    Create a numerical value extraction. 
    “In the following Column Number”
    “1”
    Format - “100000.00”
  5. Then set the thresholds you require.

Batch File (ssl-cert-check.bat) contents

@REM  ----------START OF BATCH FILE---------------
@echo off
:: %1 = ServerAddress
:: %2 = Port

:: Get the certificate
openssl s_client -connect %1:%2 2>%TMP%\SW_%1.err 1>%TMP%\SW_%1.crt

:: Echo Today's date
echo. | date > %TMP%\SW_%1.date

:: Echo Expiry date
openssl x509 -in %TMP%\SW_%1.crt -enddate -noout >> %TMP%\SW_%1.date

:: Process this through an awk script
:: Note:  The Awk script might need to be modified if the OS language is not English
:: Execute a "date" from the command prompt to get the format
:: Enter the new date: (dd-mm-yy) = /.dd.mm.yy./

echo  $NF ~ /[0-9]+[-.\/ ][0-9]+[-.\/ ][0-9]+/ {today=$NF;getline;format=$NF;  > %TMP%\SW_%1.awk

:: ENGLISH (DD MM YY)
echo       if (format~/.yy.mm.dd./) {split(today,t,"[-.\/ ]");TodayD=t[3];TodayM=t[2];TodayY=t[1];}  >> %TMP%\SW_%1.awk
echo       if (format~/.mm.dd.yy./) {split(today,t,"[-.\/ ]");TodayD=t[2];TodayM=t[1];TodayY=t[3];}  >> %TMP%\SW_%1.awk
echo       if (format~/.dd.mm.yy./) {split(today,t,"[-.\/ ]");TodayD=t[1];TodayM=t[2];TodayY=t[3];}  >> %TMP%\SW_%1.awk
echo.  >> %TMP%\SW_%1.awk
:: FRENCH (JJ MM AA)
echo       if (format~/.aa.mm.jj./) {split(today,t,"[-.\/ ]");TodayD=t[3];TodayM=t[2];TodayY=t[1];}  >> %TMP%\SW_%1.awk
echo       if (format~/.mm.jj.aa./) {split(today,t,"[-.\/ ]");TodayD=t[2];TodayM=t[1];TodayY=t[3];}  >> %TMP%\SW_%1.awk
echo       if (format~/.jj.mm.aa./) {split(today,t,"[-.\/ ]");TodayD=t[1];TodayM=t[2];TodayY=t[3];}  >> %TMP%\SW_%1.awk
echo.  >> %TMP%\SW_%1.awk
:: GERMAN (TT MM JJ)
echo       if (format~/.jj.mm.tt./) {split(today,t,"[-.\/ ]");TodayD=t[3];TodayM=t[2];TodayY=t[1];}  >> %TMP%\SW_%1.awk
echo       if (format~/.mm.tt.jj./) {split(today,t,"[-.\/ ]");TodayD=t[2];TodayM=t[1];TodayY=t[3];}  >> %TMP%\SW_%1.awk
echo       if (format~/.tt.mm.jj./) {split(today,t,"[-.\/ ]");TodayD=t[1];TodayM=t[2];TodayY=t[3];}  >> %TMP%\SW_%1.awk
echo.  >> %TMP%\SW_%1.awk
:: SWEDISH (DA MÅ ÅR)
echo       if (format~/.år.må.da./) {split(today,t,"[-.\/ ]");TodayD=t[3];TodayM=t[2];TodayY=t[1];}  >> %TMP%\SW_%1.awk
echo       if (format~/.må.da.år./) {split(today,t,"[-.\/ ]");TodayD=t[2];TodayM=t[1];TodayY=t[3];}  >> %TMP%\SW_%1.awk
echo       if (format~/.da.må.år./) {split(today,t,"[-.\/ ]");TodayD=t[1];TodayM=t[2];TodayY=t[3];}  >> %TMP%\SW_%1.awk
echo.  >> %TMP%\SW_%1.awk
:: Convert today's date to a Julian day number (two-digit years are taken as 20xx)
echo  if (TodayY ^< 100) {TodayY="20"TodayY};  >> %TMP%\SW_%1.awk
echo  TodayJDY = TodayY + 4800 - ((14-TodayM)/12)  >> %TMP%\SW_%1.awk
echo  TodayJDM = TodayM + 12 * ((14-TodayM)/12) - 3  >> %TMP%\SW_%1.awk
echo  TodayJD = TodayD + (153*TodayJDM+2)/5 + TodayJDY*365 + TodayJDY/4 - 32083  >> %TMP%\SW_%1.awk
echo.  >> %TMP%\SW_%1.awk
echo  getline;  >> %TMP%\SW_%1.awk
echo.  >> %TMP%\SW_%1.awk
:: Read the expiry line and strip the notAfter= prefix from the month field
echo  ExpireMWord=$1; gsub (/notAfter=/,"",ExpireMWord);  >> %TMP%\SW_%1.awk
echo  if (ExpireMWord ~ /Jan/) {ExpireM=1}  >> %TMP%\SW_%1.awk
echo  if (ExpireMWord ~ /Feb/) {ExpireM=2}  >> %TMP%\SW_%1.awk
echo  if (ExpireMWord ~ /Mar/) {ExpireM=3}  >> %TMP%\SW_%1.awk
echo  if (ExpireMWord ~ /Apr/) {ExpireM=4}  >> %TMP%\SW_%1.awk
echo  if (ExpireMWord ~ /May/) {ExpireM=5}  >> %TMP%\SW_%1.awk
echo  if (ExpireMWord ~ /Jun/) {ExpireM=6}  >> %TMP%\SW_%1.awk
echo  if (ExpireMWord ~ /Jul/) {ExpireM=7}  >> %TMP%\SW_%1.awk
echo  if (ExpireMWord ~ /Aug/) {ExpireM=8}  >> %TMP%\SW_%1.awk
echo  if (ExpireMWord ~ /Sep/) {ExpireM=9}  >> %TMP%\SW_%1.awk
echo  if (ExpireMWord ~ /Oct/) {ExpireM=10}  >> %TMP%\SW_%1.awk
echo  if (ExpireMWord ~ /Nov/) {ExpireM=11}  >> %TMP%\SW_%1.awk
echo  if (ExpireMWord ~ /Dec/) {ExpireM=12}  >> %TMP%\SW_%1.awk
echo  ExpireD=$2  >> %TMP%\SW_%1.awk
echo  ExpireY=$4  >> %TMP%\SW_%1.awk
echo.  >> %TMP%\SW_%1.awk
echo  ExpireJDY = ExpireY + 4800 - ((14-ExpireM)/12)  >> %TMP%\SW_%1.awk
echo  ExpireJDM = ExpireM + 12 * ((14-ExpireM)/12) - 3  >> %TMP%\SW_%1.awk
echo  ExpireJD = ExpireD + (153*ExpireJDM+2)/5 + ExpireJDY*365 + ExpireJDY/4 - 32083  >> %TMP%\SW_%1.awk
echo  if ((TodayJD ^> 2451000) ^&^& (ExpireJD ^> 2451000)) {print ExpireJD-TodayJD}  >> %TMP%\SW_%1.awk
echo  }  >> %TMP%\SW_%1.awk
nawk -f %TMP%\SW_%1.awk %TMP%\SW_%1.date

@REM  ----------END OF BATCH FILE---------------
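
Added example, not part of the Sentry Software batch file: the fraction of a day mentioned in the note above arises because awk divides in floating point, while the Julian day formula expects truncating integer division. The POSIX shell functions below (jdn, month_num and days_left are names chosen for this example) apply the Gregorian form of the same formula with integer arithmetic to a "notAfter=" line, using constructed sample dates; cert.pem in the comment is a placeholder.

```shell
#!/bin/sh
# Added example (not the Sentry Software script): whole-day expiry arithmetic.

# jdn YEAR MONTH DAY -> Julian Day Number, Gregorian calendar.
# Shell $(( )) division truncates, which is what the formula expects.
jdn() {
    a=$(( (14 - $2) / 12 ))
    y=$(( $1 + 4800 - a ))
    m=$(( $2 + 12 * a - 3 ))
    echo $(( $3 + (153 * m + 2) / 5 + 365 * y + y / 4 - y / 100 + y / 400 - 32045 ))
}

# month_num MON -> 1..12; fails unless MON is an English month abbreviation.
month_num() {
    n=0
    for mon in Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec; do
        n=$(( n + 1 ))
        if [ "$mon" = "$1" ]; then echo "$n"; return 0; fi
    done
    return 1
}

# days_left "notAfter=Mon DD HH:MM:SS YYYY GMT" YYYY-MM-DD
# Prints whole days until expiry (negative once expired); fails on malformed input.
days_left() {
    today=$2
    # Unquoted on purpose: openssl pads single-digit days ("Jan  3"),
    # and word splitting collapses the double space.
    set -- ${1#notAfter=}
    [ $# -ge 4 ] || return 1
    em=$(month_num "$1") || return 1
    ed=$2
    ey=$4
    case $ed$ey in *[!0-9]*) return 1 ;; esac
    ty=${today%%-*}
    rest=${today#*-}
    tm=${rest%%-*}
    td=${rest#*-}
    # Drop one leading zero so "08" and "09" are not read as octal.
    tm=${tm#0}
    td=${td#0}
    echo $(( $(jdn "$ey" "$em" "$ed") - $(jdn "$ty" "$tm" "$td") ))
}

# Constructed sample in the format printed by "openssl x509 -enddate -noout".
days_left "notAfter=May 23 12:00:00 2006 GMT" 2005-10-17
# Live use (cert.pem is a placeholder file name):
#   days_left "$(openssl x509 -in cert.pem -noout -enddate)" "$(date -u +%Y-%m-%d)"
```

The result is a whole number of days, so a Numerical Value Extraction on column 1 can be compared against integer thresholds, and a negative value means the certificate has already expired.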