Saturday, May 4, 2013

OpenSSL Printout of All Certificates and the Expiration Dates

Below is a script that will create two emails. One email will be the expired certificates along with certificate details.  The second email is a list of certificates that are about to expire.
I labeled the yellow to show the use of openssl to get the data off the certs.

The red section is interesting because I spent a decent amount of time working on the math to determine when a certificate is close to expiration.  I completed the script and then learned about the use of openssl and it will print out the days to expiration.  I will write about that in another post.  For now you can use this script as the target script from the CRONTAB.  Everything should work in the ksh.

#!/bin/ksh
# Written by Kevin Castellow to produce a report that includes information on the certificate
# within a designated time frame usually 30 days.
# This report has more functionality than Datapower cert monitoring

#Set environment for CRONTAB
PATH=/usr/bin:/bin:/usr/sbin:/sbin:/opt/ssh/bin
HOME=/home/k/kcastell/datapower-mgt/
#files="$HOME/SICerts/*.cer"
files="/vobs/webservices/DataPower/Certs/SI/*.cer"
expired_output="$HOME/Reports/cert_expired_report.txt"
warning_output="$HOME/Reports/cert_warning_report.txt"
manifest_output="$HOME/Reports/certificate_manifest_report.txt"
#email="kevin.castellow@workintel.com"
email="soapolicymgmt@workintel.com"
rm $expired_output
rm $warning_output

#Set variables for Script
openssl_command="openssl x509 -noout -in"
cert_attributes="-issuer -subject -dates -email"
month=$(date +%m)
day=$(date +%d)
year=$(date +%Y)
x=0
y=0
z=0

print "\nToday's Date is" $month $day $year|tee -a $expired_output $warning_output $manifest_output
for certificate in $files
do
    #creates variable of end_date from each certificate in format notAfter=Jan 21 18:51:22 2028 GMT
     #print "Analyzing certificate file" $certificate
     end_date=$(echo | openssl x509 -noout -in ${certificate} -enddate)
     cert_data=$(echo | openssl x509 -noout -in ${certificate} -issuer -subject -dates -email)
     cert_exp=${end_date#notAfter=}

     cmonth=$(echo ${cert_exp} | cut -f1 -d' ')
     cdate=$(echo ${cert_exp} | cut -f2 -d' ')
     cyear=$(echo ${cert_exp} | cut -f4 -d' ')
     #print "Current certificate expiring on this day," $cmonth $cdate $cyear
   case $cmonth in
             Jan)
               certmonth=1;;
             Feb)
               certmonth=2;;
             Mar)
               certmonth=3;;
             Apr)
               certmonth=4;;
             May)
               certmonth=5;;
             Jun)
               certmonth=6;;
             Jul)
               certmonth=7;;
             Aug)
               certmonth=8;;
             Sep)
               certmonth=9;;
             Oct)
               certmonth=10;;
             Nov)
               certmonth=11;;
             Dec)
               certmonth=12;;
             *)
               certmonth=Error:;
esac
let monthplus=month+2
let monthdiff=month-certmonth
let yearplus=year+1
total_files=$(ls -l $files | wc -l)


if (( (certmonthcyear)));
 then
 print "####################################################\nAnalyzing certificate file $certificate\nEXPIRED EXPIRED EXPIRED EXPIRED\n$cert_data\n">>$expired_output
 let z=z+1
else
if (( (certmonth<= monthplus && year==cyear) || (monthdiff==10 && cyear==yearplus) || (monthdiff==11 && cyear==yearplus) ));
then
print "*****************************************************\nAnalyzing certificate file $certificate\nCurrent certificate expiring on this day," $cmonth $cdate $cyear "EXPIRING SOON! EXPIRING SOON!\n$cert_data \n">>$warning_output
let x=x+1
else #print "Not Expiring.\n"
let y=y+1
fi
fi
done
print "Number of files scanned=$total_files\nNumber of valid certificates=$y"|tee -a $expired_output $warning_output $manifest_output
print "Number of expiring certificates in report=$x"|tee -a $warning_output $manifest_output
print "Number of expired certificates in report=$z"|tee -a $expired_output $manifest_output

cat $expired_output|mailx -s "EXPIRED CERT REPORT FOR SI" $email
cat $warning_output|mailx -s "CERTIFICATE WARNING REPORT FOR SI" $email

No comments: