Title: SSL Certificate Expiry Warning Script
Author: Alex Kirk
Published: August 14, 2014

---

# SSL Certificate Expiry Warning Script

With the increasing trend of SSL on the web, where [Google values SSL sites higher](http://googlewebmastercentral.blogspot.com/2014/08/https-as-ranking-signal.html)
and you can have [your site added to the HSTS preload list](http://hstspreload.appspot.com/)
(the browser will first try HTTPS before trying HTTP), it is a good idea to start
using SSL yourself.

The downside: you need to get a certificate through a CA (certificate authority) that is [pre-trusted by the browser](https://en.wikipedia.org/wiki/Certificate_authority#Providers).
This usually costs money, though there are [some](https://www.startssl.com/)
[services](http://www.cacert.org/) that give you a certificate for free. The free
certificates only last for one year or less, which means you need to request and
install a new certificate frequently, especially when you have multiple domains.

Now it can happen to anyone, even Microsoft ([Windows Azure Service Disruption from Expired Certificate](http://azure.microsoft.com/blog/2013/02/24/windows-azure-service-disruption-from-expired-certificate/)),
that you forget to renew (and update) your certificate in time.

There is a nice service called [certalert.me](http://certalert.me/) (interestingly
enough not over HTTPS) that will send you an e-mail when a certificate is due to
be updated. But as with any web service, unfortunately [you can never be sure how long it’s going to live](https://twitter.com/MSch/status/499693548837801985).

So I have created a script that I run through a cronjob every day and that sends
me a notification e-mail several times in advance (1, 2, 7, 14, 30 and 60 days ahead),
so that you are not dependent on a third party to get notified about expiries. As
it is supposed to be with cronjobs, there is no output when there is nothing to
report (thus no e-mail).

Here is the script ([download warn_about_certificate_expiry.sh](https://alex.kirk.at/dl/warn_about_certificate_expiry.txt?output_format=md)):

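```sh
#!/bin/sh
# Warn about certificates that expire exactly 1, 2, 7, 14, 30 or 60 days from now.
# Requires openssl and GNU date (for -d).

# Force the C locale so the field positions in date's output are stable.
LC_ALL=C
export LC_ALL

CertExpiries=$(mktemp) || exit 1
# Remove the temporary file on every exit path.
trap 'rm -f "$CertExpiries"' EXIT

# Collect one "<file>: <Mon> <day> <year>" line per certificate.
for i in /etc/certificates/*.pem; do
	[ -e "$i" ] || continue  # the glob matched nothing
	echo "$(basename "$i"): $(openssl x509 -in "$i" -inform PEM -text -noout -enddate | grep "Not After" | tail -1 | awk '{print $4, $5, $7}')" >> "$CertExpiries"
done

Date=$(date -ud "+1 day" | awk '{print $2, $3, $6}')
if Expiries=$(grep -F "$Date" "$CertExpiries"); then
	echo "These Certificates expire TOMORROW!"
	echo "$Expiries"
	echo
fi
for i in 2 7 14 30 60; do
	Date=$(date -ud "+$i day" | awk '{print $2, $3, $6}')
	if Expiries=$(grep -F "$Date" "$CertExpiries"); then
		echo "These Certificates expire in $i days:"
		echo "$Expiries"
		echo
	fi
done
```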
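
The script above only reports a certificate on the exact days listed, so a missed cron run, an already expired certificate or an unreadable file produces no output. The following is an added example, not part of the original script, that reports everything expired or inside a warning window instead; the function names, the status words and the 60-day default are assumptions, and it needs openssl and GNU date.

```sh
#!/bin/sh
# Added example: threshold-based check instead of exact-day matching.

# cert_status NOTAFTER NOW_EPOCH [WARN_DAYS]
# NOTAFTER is the value openssl prints after "notAfter=".
# Prints EXPIRED, "EXPIRING <days>", "OK <days>" or UNPARSEABLE.
cert_status() {
	# An empty string would be parsed by GNU date as "today", so reject it.
	[ -n "$1" ] || { echo "UNPARSEABLE"; return 0; }
	end=$(LC_ALL=C date -ud "$1" +%s 2>/dev/null) || { echo "UNPARSEABLE"; return 0; }
	left=$(( end - $2 ))
	if [ "$left" -le 0 ]; then
		echo "EXPIRED"
	elif [ "$left" -le $(( ${3:-60} * 86400 )) ]; then
		echo "EXPIRING $(( left / 86400 ))"
	else
		echo "OK $(( left / 86400 ))"
	fi
}

# check_dir DIR [WARN_DAYS]
# Prints one line per certificate that needs attention; silent otherwise,
# so cron sends no e-mail when there is nothing to report.
check_dir() {
	now=$(date -u +%s)
	for pem in "$1"/*.pem; do
		[ -e "$pem" ] || continue  # the glob matched nothing
		not_after=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null | cut -d= -f2)
		status=$(cert_status "$not_after" "$now" "${2:-60}")
		case $status in
			OK*) ;;
			*) echo "$(basename "$pem"): $status" ;;
		esac
	done
}

# Run only when a directory is given, e.g.: sh check_certs.sh /etc/certificates 30
if [ $# -gt 0 ]; then
	check_dir "$@"
fi
```

A file that openssl cannot read shows up as `UNPARSEABLE` rather than being skipped, which catches a truncated or misplaced certificate as well.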
