Find certificate files that will expire soon and create a csr
In a public key infrastructure the validity period of a certificate should be kept as short as possible, but the cost of re-issuing certificates must not become too high. This trade-off causes a lot of problems: every now and then a certificate expires without anybody noticing it, or the same certificate is used for ten years, which is an obvious security risk, because a key that is never rotated stays usable by an attacker for as long as it is deployed. The way to avoid this is to use Let's Encrypt or another fully automated certificate management system. If that is not available, you must at least know which certificates are going to expire soon.
In my case I had a project with multiple certificates and dynamically built key stores. I had to find the certificates in the project folder structure that expire soon and need to be re-issued. To automate this I built the following bash script. It expects every certificate in a file whose name ends in certificate.pem with its private key next to it in key.pem, writes the new CSR into the home directory and relies on GNU date for the date conversion.
```bash
#!/usr/bin/env bash
set -euo pipefail

# look for certificates that will expire before this date
maxage="2018-12-31"

# create numeric date from max age (GNU date)
intmaxage=$(date -d "$maxage" +%s)

# search for all certificate pem files below the current folder;
# -print0 / read -d '' keeps paths that contain spaces intact
while IFS= read -r -d '' certfile; do
    # extract the not-after date, printed as "notAfter=Dec 31 23:59:59 2018 GMT"
    notafter=$(openssl x509 -in "$certfile" -noout -enddate | cut -d= -f2)

    # convert the date string to a numeric (epoch) value
    intdate=$(date --date="$notafter" +%s)

    # only certificates that expire before the max age get a new csr
    if [[ $intdate -le $intmaxage ]]; then
        # the key file sits next to the certificate
        keyfile="${certfile%certificate.pem}key.pem"

        # derive the csr name from the relative path so that certificates
        # from different folders do not overwrite each other in ~/
        csrfile=$(printf '%s' "${certfile#./}" | tr '/' '_' | sed 's/certificate\.pem$/request.csr/')

        # create the new csr (openssl prompts for the subject unless -subj is given)
        openssl req -new -key "$keyfile" -out ~/"$csrfile"

        # confirm the creation of the csr and provide meta information
        echo "A csr file: $csrfile"
        echo "for the certificate: $certfile"
        echo "with key file: $keyfile"
        echo "has been created as it will expire soon at: $notafter"
        echo ""
    fi
done < <(find . -name '*certificate.pem' -print0)
```
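The script above decides about expiry by pushing the notAfter string through GNU date, and it creates the CSR interactively. As an added example that is not part of the original post, the following functions do the same job with two openssl features that avoid both issues: `openssl x509 -checkend` answers "does this certificate expire within N seconds" without any date parsing (so it also works on systems without GNU date), and `openssl x509 -x509toreq` builds the renewal CSR from the existing certificate, reusing its subject and signing it with the existing key, so nothing has to be typed in. The function names (`cert_expires_within`, `renew_csr`, `scan_and_renew`) and the folder layout (every `*certificate.pem` has its key next to it as `*key.pem`, as in the post) are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not the original post's script. Assumes the post's layout:
# every *certificate.pem has its private key next to it as *key.pem.

# cert_expires_within DAYS CERTFILE
# Returns 0 if CERTFILE expires within DAYS days (or is already expired),
# 1 if it stays valid for the whole window, 2 if the file cannot be parsed.
cert_expires_within() {
    local days=$1 certfile=$2
    # make sure a parse error is not mistaken for "expires soon"
    openssl x509 -in "$certfile" -noout >/dev/null 2>&1 || return 2
    # -checkend exits 0 when the certificate is still valid for the whole window
    if openssl x509 -in "$certfile" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_not_after CERTFILE
# Prints the notAfter date of CERTFILE, e.g. "Dec 31 23:59:59 2018 GMT".
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# renew_csr CERTFILE KEYFILE CSRFILE
# Builds a CSR that carries the subject of CERTFILE, signed with KEYFILE.
# Note: extensions such as subjectAltName are not carried over by default;
# OpenSSL 3.x accepts -copy_extensions copy for that, older versions do not.
renew_csr() {
    local certfile=$1 keyfile=$2 csrfile=$3
    openssl x509 -x509toreq -in "$certfile" -signkey "$keyfile" -out "$csrfile" 2>/dev/null
}

# scan_and_renew DIR DAYS OUTDIR
# Walks DIR for *certificate.pem, writes a CSR into OUTDIR for every
# certificate that expires within DAYS days and prints one line per CSR.
scan_and_renew() {
    local dir=$1 days=$2 outdir=$3
    mkdir -p "$outdir"
    find "$dir" -name '*certificate.pem' | sort | while IFS= read -r certfile; do
        cert_expires_within "$days" "$certfile" || continue
        local keyfile="${certfile%certificate.pem}key.pem"
        # name the CSR after the relative path so two folders do not overwrite each other
        local rel=${certfile#"$dir"/}
        local csrfile="$outdir/$(printf '%s' "$rel" | tr '/' '_' | sed 's/certificate\.pem$/request.csr/')"
        renew_csr "$certfile" "$keyfile" "$csrfile" || { echo "CSR failed for $certfile" >&2; continue; }
        printf '%s expires %s -> %s\n' "$certfile" "$(cert_not_after "$certfile")" "$csrfile"
    done
}

# usage: scan_and_renew . 30 ~/csr
```

Before handing a CSR generated this way to the CA, check it with `openssl req -in request.csr -noout -text -verify`: the subject must match the old certificate, and if the old certificate carried subjectAltName entries they have to be present too, otherwise the re-issued certificate will not match the hosts the old one covered.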
Tags: bash , openssl