On Wed, Nov 11, 2009 at 12:20:31PM +0100, Jonathan Petersson wrote:

> As it's doing this you can trigger a client-connect script to retrieve
> the "Validity Not After" data from the client-cert (if you have a
> local copy on the server). If the time-frame is out of realms, trigger
> sendmail or preferably a mail-daemon to send an email to you or the user
> notifying about renewing the certificate.
This does not really work afaics, because there are several certificates with the same common name but overlapping validity timeframes to allow users to seamlessly update their certificate. So the tls-verify script does not know whether the certificate that expires in two weeks is used or the one that still lasts a year.

Regards
Till
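The expiry check the thread discusses, written to inspect the certificate the client actually presented rather than a copy looked up by common name, as an added example that is not part of the original thread. It assumes OpenVPN hands the script the path of the presented certificate (here taken from the first argument or an environment variable named `peer_cert`, both assumptions to check against your OpenVPN version), and that `openssl` and a `mail` command are installed.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads the PEM certificate the peer
# presented, so several certs sharing a CN with overlapping validity are no
# longer ambiguous: only the one in use is examined.

WARN_DAYS="${WARN_DAYS:-14}"            # warn when fewer than this many days remain
ADMIN_MAIL="${ADMIN_MAIL:-root}"        # recipient of the warning (assumption)

# Returns 0 if the certificate in $1 expires within $2 days, 1 otherwise.
# openssl's -checkend exits 0 only while the cert stays valid past the window.
cert_expires_within() {
    pem="$1"; days="$2"
    if openssl x509 -noout -checkend "$((days * 86400))" -in "$pem" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Subject and notAfter of the presented cert, for the notification body.
cert_summary() {
    openssl x509 -noout -subject -enddate -in "$1"
}

# Prints a warning and returns 0 when the cert is close to expiry; returns 1
# (and prints nothing) otherwise. Mail delivery is left to the caller.
notify_if_expiring() {
    pem="$1"
    if cert_expires_within "$pem" "$WARN_DAYS"; then
        printf 'client certificate expires within %s days:\n%s\n' \
            "$WARN_DAYS" "$(cert_summary "$pem")"
        return 0
    fi
    return 1
}

# Entry point when run as a hook: never block the connection, only warn.
main() {
    pem="${1:-${peer_cert:-}}"           # peer_cert env var is an assumption
    if [ -z "$pem" ] || [ ! -r "$pem" ]; then
        echo "no presented client certificate available" >&2
        exit 0
    fi
    msg="$(notify_if_expiring "$pem")" || exit 0
    printf '%s\n' "$msg" | mail -s "OpenVPN client certificate expiring" "$ADMIN_MAIL"
    exit 0
}

[ $# -gt 0 ] && main "$@"
```

Run with the PEM path as the argument to test it by hand; the functions are defined without side effects so the script can also be sourced.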