xgyrfalconx2022-03-10 17:00:10
xgyrfalconx, 2022-03-10 17:00:10

How to check the expiration date of all site certificates?

Good afternoon, please tell me, is it possible to display the dates of all site certificates using openssl?
At the moment I'm using

echo | openssl s_client -servername yandex.ru -connect yandex.ru:443 | openssl x509 -dates -nocert

But it displays the start and end date only for the yandex.ru certificate, and I want to see the dates of Yandex CA and Certum Trusted Network CA.

depth=2 C = PL, O = Unizeto Technologies SA, OU = Certum Certification Authority, CN = Certum Trusted Network CA
verify return:1
depth=1 C = RU, O = Yandex LLC, OU = Yandex Certification Authority, CN = Yandex CA
verify return:1
depth=0 C = RU, L = Moscow, OU = ITO, O = Yandex LLC, CN = yandex.ru
verify return:1
notBefore=Feb 17 07:32:21 2022 GMT
notAfter=Aug 16 00 :00:00 2022 GMT

You can find out the dates if you save each certificate from the chain into separate files and call it. But I would not want to save them all the time.
openssl x509 -in yandex.pem -dates -noout

Answer the question

In order to leave comments, you need to log in

2 answer(s)
xgyrfalconx, 2022-03-23

In general, I found the solution myself, the meaning of the script is to get each certificate separately and call "openssl x509" for each separately, if this helps someone in the future, I'll leave my python script here:


import re
import datetime
import sys
import traceback
from subprocess import PIPE, Popen, DEVNULL

def get_cert_dates(hostname):
        result = []
        certs = Popen('sudo openssl s_client -showcerts -verify_quiet -servername {0} -connect {0}:443'.format(hostname), shell=True,
                      stdout=PIPE, stdin=DEVNULL, stderr=PIPE).stdout.read().decode('utf-8')
        pattern = r'(-----BEGIN CERTIFICATE-----[\D\d]*?-----END CERTIFICATE-----)'
        for cert in re.findall(pattern, certs):
            data = Popen('echo "{}" |sudo openssl x509 -subject -dates -noout'.format(cert), shell=True, stdout=PIPE,
            subject = re.search(r'CN\s*=\s*([\D\d]*?$)',
                                data[0]).group(1).strip().replace(' ', '_').replace("'", '')
            expiry_dt = datetime.datetime.strptime(re.search(r'notAfter\s*=\s*([\D\d]*?$)', data[2]).group(1),
                                                   '%b %d %H:%M:%S %Y %Z')
            expiry_ts = int(datetime.datetime.timestamp(expiry_dt))
            end = expiry_ts - int(datetime.datetime.timestamp(datetime.datetime.now()))
            result.append({'subject': subject, 'expiry_dt': expiry_dt, 'expiry_ts': expiry_ts, 'end': end})
        return result


Dmitry, 2022-03-10

I use this script - https://github.com/Matty9191/ssl-cert-check , runs through the list of sites, generates an alert if the deadline is right.

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question