https://github.com/jaymzh/check_x509
A healthcheck script for certificates
- Host: GitHub
- URL: https://github.com/jaymzh/check_x509
- Owner: jaymzh
- License: other
- Created: 2019-08-18T19:18:11.000Z (almost 7 years ago)
- Default Branch: master
- Last Pushed: 2023-04-03T07:29:20.000Z (over 3 years ago)
- Last Synced: 2025-10-06T07:54:09.502Z (9 months ago)
- Language: Perl
- Homepage:
- Size: 18.6 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: COPYING
README
# check_x509
`check_x509` is a script to check the validity of various x509 entities.
Currently it checks certificates and CRLs for expiration. In the future it'll
likely check for valid CA signatures and other things.
`check_x509` was written to fit in well with nagios/nrpe and similar monitoring
infrastructures, but also to be an easy-to-use command line utility for
checking x509 entities as well as for easy use in cron or other scripts.
## Usage
Your best bet is to read the POD documentation and the --help option, but the
simple invocations are:
```
check_x509 --certificate /path/to/cert.crt --cert-form PEM --warn 4w \
--crit 2w -v
```
Notice the `-v` option. It's the most useful way to run it interactively, but is
too noisy when being used as a plugin to something like Nagios. Another
example would be:
```
check_x509 --crl /path/to/crl.crt --crl-form DER --warn 4w --crit 2w -v
```
This checks a CRL instead of a certificate.
`check_x509` also supports bundles of PEM-encoded certificates or CRLs.
## Config file
`check_x509`'s configuration file is YAML. I find YAML to be great for config
files because it's a natural way to represent arbitrary hierarchical data. It
does take a few minutes to get used to, but the quick version is:
* key-values are:
```
foo: var
```
* arrays are:
```
- foo
- var
```
* hashes are:
```
something:
  foo: bar
  baz: bat
```
As you can see, nesting is trivial. If you don't understand, don't worry: there
is a complete example config file included in the distribution to help you.
`check_x509` attempts to be a one-stop shop for checking all X509 entities on a
box in one step (if you want it to be). To do that right, `check_x509` supports
per-entity thresholds.
## A note on bundles
`check_x509` handles bundles of both certificates and CRLs. This is useful for
bundles that apache, openssl, or other software may need. When handling this,
`check_x509` will check each entity in the bundle and report on the bundle as a
whole. In verbose mode, the expiration for each object in the bundle will be
printed, but only the most severe status is actually used.
- Phil Dibowitz
http://www.phildev.net/check_x509/
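
The bundle rule from "A note on bundles" (check each entity, report only the most severe status), combined with `--warn`/`--crit` style thresholds, sketched in Python as an added example; this is not `check_x509`'s own Perl code. The `overrides` parameter, the `d` unit, the `<=` comparisons, the UNKNOWN result for an empty bundle, and the sample names and dates are assumptions of the sketch.

```python
from datetime import datetime, timedelta, timezone
# Standard Nagios plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
NAMES = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}

# The README only shows the "w" suffix; "d" is an assumption of this sketch.
UNIT_DAYS = {"d": 1, "w": 7}

def parse_threshold(text):
    """Turn a threshold such as '4w' into a timedelta."""
    number, unit = text[:-1], text[-1:]
    if not number.isdigit() or unit not in UNIT_DAYS:
        raise ValueError(f"unsupported threshold: {text!r}")
    return timedelta(days=int(number) * UNIT_DAYS[unit])

def entity_status(not_after, now, warn, crit):
    """Status of one certificate or CRL, judged by time left until expiry."""
    remaining = not_after - now
    if remaining <= parse_threshold(crit):  # also covers already expired
        return CRITICAL
    if remaining <= parse_threshold(warn):
        return WARNING
    return OK

def bundle_status(entities, now, warn, crit, overrides=None):
    """Check every entity and report the most severe status for the bundle."""
    overrides = overrides or {}  # hypothetical per-entity (warn, crit) pairs
    detail = {}
    for name, not_after in entities:
        w, c = overrides.get(name, (warn, crit))
        detail[name] = entity_status(not_after, now, w, c)
    if not detail:  # an empty bundle must not read as healthy (sketch's choice)
        return UNKNOWN, detail
    return max(detail.values()), detail

# Constructed sample: made-up names and expiry dates, not real certificates.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
BUNDLE = [
    ("root-ca", NOW + timedelta(days=900)),
    ("intermediate-ca", NOW + timedelta(days=20)),
    ("leaf", NOW + timedelta(days=10)),
]

if __name__ == "__main__":
    worst, detail = bundle_status(BUNDLE, NOW, "4w", "2w")
    for name, status in detail.items():
        print(f"{name}: {NAMES[status]}")
    print(f"bundle: {NAMES[worst]}")
    raise SystemExit(worst)
```

With the constructed bundle, the leaf entry alone drives the overall result to CRITICAL even though the other two entries are OK and WARNING.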