Digital Certificate Expiration Utility

Digital Certificate Expiration Utility

Post by Matt » Mon, 16 Aug 2004 08:53:34



Howdy,

Over the years, I have worked in numerous environments where an expired
digital certificate led to system outages, and user confusion. I decided
to write a tool to deal with this issue, and describe its usage in this
month's (September) issue of SysAdmin. The utility can be run to produce
certificate expiration info for a single ssl-enabled service, or given a
file with a list of domains:

$ ./ssl-cert-check -s mail.daemons.net -p 443

Host                           Status   Expires              Days Left
mail.daemons.net:443           Valid    May 24 2005          282

$ cat ssldomains
mail.daemons.net 443
www.blatch.com 443

$ ./ssl-cert-check -b -f ssldomains

Host                           Status   Expires              Days Left
mail.daemons.net:443           Valid    May 24 2005          282
www.blatch.com:443             Down     ?                    ?

There is email integration to remind you electronically when
certificates are about to expire, and a quiet mode to allow easy
integration with cron.  ssl-cert-check is licensed under the GPL,
and can be downloaded at:

http://www.daemons.net/~matty/code/ssl-cert-check

Please let me know if you run into problems or bugs.

Thanks,
- Ryan
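As an added example (not the ssl-cert-check script announced above, and not code by its author), here is a small Python checker that produces the same kind of report: a verified TLS handshake per host, days left until notAfter, a "Down" status for unreachable hosts, a "host port" list file for batch runs, and a quiet mode with a non-zero exit status for cron. Every name in it (Result, days_left, evaluate, parse_domains, probe_host, WARN_DAYS) is this example's own, and the 30-day warning threshold is an assumption.

```python
"""Added example: a minimal certificate-expiry checker in the spirit of the
ssl-cert-check report above. It shares no code with that script; all names
here are this example's own."""
import socket
import ssl
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

WARN_DAYS = 30  # assumed alert threshold (the thread mentions 30-day CA reminders)
ROW = "{:<30} {:<8} {:<20} {}"


@dataclass
class Result:
    host: str
    port: int
    status: str            # Valid, Expiring, Expired, Invalid or Down
    expires: str           # "May 24 2005" style, or "?" when unknown
    days_left: Optional[int]


def days_left(not_after: str, now: datetime) -> int:
    """Whole days until notAfter as returned by ssl.getpeercert(),
    e.g. 'May 24 00:00:00 2005 GMT'. Negative once the cert has expired."""
    expiry = ssl.cert_time_to_seconds(not_after)   # epoch seconds, UTC
    return int((expiry - now.timestamp()) // 86400)


def evaluate(host: str, port: int, not_after: str,
             now: Optional[datetime] = None, warn_days: int = WARN_DAYS) -> Result:
    """Turn a notAfter string into one report row, classified by days left."""
    now = now or datetime.now(timezone.utc)
    days = days_left(not_after, now)
    if days < 0:
        status = "Expired"
    elif days < warn_days:
        status = "Expiring"
    else:
        status = "Valid"
    mon, day, _time, year, *_ = not_after.split()
    return Result(host, port, status, f"{mon} {day} {year}", days)


def parse_domains(text: str) -> List[Tuple[str, int]]:
    """Parse a 'host port' list (port defaults to 443); blank lines and
    '#' comments are skipped."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        out.append((parts[0], int(parts[1]) if len(parts) > 1 else 443))
    return out


def probe_host(host: str, port: int, timeout: float = 10.0,
               now: Optional[datetime] = None) -> Result:
    """Connect, complete a verified TLS handshake and read the leaf cert.
    getpeercert() only returns fields after successful verification, so an
    already-expired or otherwise untrusted cert reports as 'Invalid';
    'Down' is reserved for TCP connect and timeout failures."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return Result(host, port, "Invalid", "?", None)
    except (ssl.SSLError, OSError):
        return Result(host, port, "Down", "?", None)
    return evaluate(host, port, cert["notAfter"], now)


def format_row(r: Result) -> str:
    return ROW.format(f"{r.host}:{r.port}", r.status, r.expires,
                      "?" if r.days_left is None else r.days_left)


def main(argv: List[str]) -> int:
    """Usage: checker.py [-q] host[:port]... | [-q] -f domains-file
    Exit status is non-zero when any host is not Valid (cron-friendly);
    -q suppresses the table (quiet mode)."""
    quiet = "-q" in argv
    args = [a for a in argv if a != "-q"]
    targets: List[Tuple[str, int]] = []
    if args[:1] == ["-f"] and len(args) > 1:
        with open(args[1]) as fh:
            targets = parse_domains(fh.read())
    else:
        for a in args:
            host, _, port = a.partition(":")
            targets.append((host, int(port or 443)))
    if not targets:
        print(main.__doc__, file=sys.stderr)
        return 2
    results = [probe_host(h, p) for h, p in targets]
    if not quiet:
        print(ROW.format("Host", "Status", "Expires", "Days Left"))
        for r in results:
            print(format_row(r))
    return 0 if all(r.status == "Valid" for r in results) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

One design point worth noting: because the standard library only hands back certificate fields after a successful verification, an expired certificate shows up as "Invalid" rather than with its notAfter date, whereas a tool built on `openssl s_client` can still print the date of an expired cert. Either way the non-zero exit status is the signal a cron job should act on.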

 
 
 

Digital Certificate Expiration Utility

Post by ps » Tue, 17 Aug 2004 02:53:03



9:58 AM:

> If people are too stupid to read the email from the issuer, how will that
> help? You already get warnings from the issuer of the cert.

It's not a matter of people being stupid, it's being proactive and knowing
when your own certs expire, not relying on someone else to do your job.
Maybe they'll send you an e-mail, maybe they won't. I'd prefer to control my
own destiny rather than explain to management that our VPN and SSL sites are
down because wah, Thawte never reminded me.

 
 
 

Digital Certificate Expiration Utility

Post by Colin McKinno » Tue, 17 Aug 2004 05:48:33


ps spilled the following:


> 8/15/04 9:58 AM:

>> If people are too stupid to read the email from the issuer, how will that
>> help? You already get warnings from the issuer of the cert.

> It's not a matter of people being stupid, it's being proactive and knowing
> when your own certs expire, not relying on someone else to do your job.
> Maybe they'll send you an e-mail, maybe they won't. I'd prefer to control
> my own destiny rather than explain to management that our VPN and SSL
> sites are down because wah, Thawte never reminded me.

Yeah, but there are so many other things which need to happen at specific
times throughout the life of any sort of enterprise (DNS expiry, time to
replace hard disks, renew passwords...), surely it's a better idea to have
a proper diarying system which can address all of them than a program which
only fixes one.

C.

 
 
 

Digital Certificate Expiration Utility

Post by ps » Tue, 17 Aug 2004 04:58:13




8/15/04 1:48 PM:

> ps spilled the following:


>> 8/15/04 9:58 AM:

>>> If people are too stupid to read the email from the issuer, how will that
>>> help? You already get warnings from the issuer of the cert.

>> It's not a matter of people being stupid, it's being proactive and knowing
>> when your own certs expire, not relying on someone else to do your job.
>> Maybe they'll send you an e-mail, maybe they won't. I'd prefer to control
>> my own destiny rather than explain to management that our VPN and SSL
>> sites are down because wah, Thawte never reminded me.

> Yeah, but there are so many other things which need to happen at specific
> times throughout the life of any sort of enterprise (DNS expiry, time to
> replace hard disks, renew passwords...), surely it's a better idea to have
> a proper diarying system which can address all of them than a program which
> only fixes one.

> C.

Probably. You're simply agreeing with my point that it's better to keep
track of such expiries yourself rather than relying on someone else.
 
 
 

Digital Certificate Expiration Utility

Post by Matt » Tue, 17 Aug 2004 07:42:04



> If people are too stupid to read the email from the issuer, how will that
> help? You already get warnings from the issuer of the cert.

The script wasn't developed to deal with ignorance, it was designed
to help folks deal with certificate expiration issues. Public CA
"notification" intervals aren't configurable, ssl-cert-check is.
 
 
 

Digital Certificate Expiration Utility

Post by Matt » Tue, 17 Aug 2004 07:44:23



> ps spilled the following:


>>8/15/04 9:58 AM:

>>>If people are too stupid to read the email from the issuer, how will that
>>>help? You already get warnings from the issuer of the cert.

>>It's not a matter of people being stupid, it's being proactive and knowing
>>when your own certs expire, not relying on someone else to do your job.
>>Maybe they'll send you an e-mail, maybe they won't. I'd prefer to control
>>my own destiny rather than explain to management that our VPN and SSL
>>sites are down because wah, Thawte never reminded me.

> Yeah, but there are so many other things which need to happen at specific
> times throughout the life of any sort of enterprise (DNS expiry, time to
> replace hard disks, renew passwords...), surely it's a better idea to have
> a proper diarying system which can address all of them than a program which
> only fixes one.

My goal was dealing with one specific issue. I am pretty sure there is
software to handle the other issues you mentioned.
 
 
 

Digital Certificate Expiration Utility

Post by MD » Wed, 08 Sep 2004 23:04:25


Managing a large number of certs for other people, it will be helpful
to be able to quickly probe all their sites actively without human
intervention, as the 30-day reminder can often not be long enough once
you get involved in the process of billing, invoicing, etc, etc, when
things move like treacle flowing downhill. I'd prefer not to pay for a
customer's renewal myself and then try claiming back the money.

We could rely on purchasing records, but this is a lot easier.

So, thanks for that, I think it'll be useful.

--

Regards,

Mark Davies

 
 
 
