> On Sep 13, 2017, at 3:43 PM, Łukasz Wąsikowski <luk...@wasikowski.net> wrote:
>
>> See below for OpenSSL 1.0.2 or later. Earlier versions don't
>> have the "-verify_hostname" option, you can delete it if you
>> like, and omit that part of the certificate check, in which
>> case the code will also work for OpenSSL 1.0.1 and earlier
>> (which are EOL).
>
> https://github.com/matteocorti/check_ssl_cert works great. I'm using it
> to check my local / remote HTTP/SMTP/IMAP certificate expiry dates.

That's certainly a lot more features. I can't easily verify that all the checks are correct in a script of that size, so caveat emptor.

Its expiration time verification is based on parsing certificate dates rather than asking "openssl verify" to do a future verification. This is less robust, because it can miss expiration of intermediate certificates, when they happen to expire before the leaf certificate (perhaps a failure to install the most recent intermediate issuer).

My short script certainly won't come close to matching that Swiss-army-knife on features, but it may do the one thing that it does more correctly.

--
Viktor.
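
The difference described in the reply above, as an added example that is not part of the original message or of either script it discusses: a constructed chain whose intermediate expires before its leaf, checked once by leaf dates only and once by verifying the whole chain as of a future time. Using `-attime` for the future verification, and all file names, subject names and lifetimes, are assumptions of this example.

```shell
#!/bin/sh
# Added example. Builds a constructed three-certificate chain (all names are
# made up) in which the intermediate expires before the leaf, then compares a
# leaf-dates-only check with a whole-chain "openssl verify" at a future time.

new_csr() {   # new_csr <dir> <name> <CN>: fresh key and certificate request
    openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$3" 2>/dev/null
}

make_chain() {   # make_chain <dir>: root 365 days, intermediate 30, leaf 90
    d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' 'CN=unused' \
        '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf"
    openssl req -x509 -config "$d/ca.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -keyout "$d/root.key" -out "$d/root.pem" -days 365 \
        -subj "/CN=Constructed Root" 2>/dev/null
    new_csr "$d" int "Constructed Intermediate"
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.cnf" -extensions v3_ca \
        -out "$d/int.pem" 2>/dev/null
    new_csr "$d" leaf "leaf.example"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 90 -out "$d/leaf.pem" 2>/dev/null
}

# leaf_ok_in_days <dir> <days>: looks only at the leaf's notAfter date.
leaf_ok_in_days() {
    openssl x509 -in "$1/leaf.pem" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# chain_ok_in_days <dir> <days>: verifies leaf, intermediate and root as of
# <days> from now. Matching ": OK" avoids relying on the exit status alone.
chain_ok_in_days() {
    at=$(( $(date +%s) + $2 * 86400 ))
    openssl verify -attime "$at" -CAfile "$1/root.pem" \
        -untrusted "$1/int.pem" "$1/leaf.pem" 2>&1 | grep -q ': OK$'
}

demo() {   # prints the two answers for "still valid 60 days from now?"
    dir=$(mktemp -d) && make_chain "$dir" || return 1
    leaf_ok_in_days  "$dir" 60 && echo "leaf dates only: ok" || echo "leaf dates only: EXPIRED"
    chain_ok_in_days "$dir" 60 && echo "chain verify:    ok" || echo "chain verify:    EXPIRED"
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run with the argument `demo`, it reports the leaf as fine 60 days out while the chain verification fails, because the constructed intermediate lasts only 30 days.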