Check Certificate Expiration Perl Script

over 12 years ago

The script reports a certificate if it has expired, if it expires today, or if it will expire within a month.
Only the problem certificates in your eDir tree are reported; if all certificates are good, nothing is returned.

 

I use Net::LDAP and Date::Manip in the perl script. The corresponding packages on SLES are:

 

    • perl
    • perl-DateManip
    • perl-ldap



The options needed for the script to run are:

checkcerts.pl LDAP-IP-or-DNS-name Bind-DN Bind-password


Example:

checkcerts.pl 10.20.30.40 cn=admin,o=novell novell


The user that is used for this script only needs to have the following rights:


Entry: Browse, Inherit (for the entire tree)

Attribute: ObjectClass & ndspkinotafter - Read, Compare, Inherit


The easiest way to use this script would be to create a cron job on one server that runs once a week.

An example that emails the script results to idmadmins:

/usr/local/bin/checkcerts.pl 10.20.30.40 cn=admin,o=novell password | mail -s "Certificate Expiration Report for `date -I`" -r certreport@mydomain.com idmadmins@mydomain.com


You would need to create a job for each tree you want to monitor.


The following example would run against the 10.20.30.40 tree at 1:00AM every Saturday:

0 1 * * 6  /usr/local/bin/checkcerts.pl 10.20.30.40 cn=admin,o=novell password | nail -s "Certificate Expiration Report for `date -I`" -r certreport@mydomain.com idmadmins@mydomain.com
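
In the pipelines above, only the script's standard output reaches the mail command, so a run that died on a connection or search error sends the same empty report as a tree with no problem certificates. The wrapper below is an added example, not part of the original tip: it puts a verdict in the mail subject and reads the bind password from a file instead of the crontab. The names run_check, subject_for, main, CHECKER and the password-file argument are assumptions.

```shell
#!/bin/sh
# Added example (not the original author's code): cron wrapper for checkcerts.pl.
# Assumed names: run_check, subject_for, main, CHECKER, the password-file argument.

CHECKER=${CHECKER:-/usr/local/bin/checkcerts.pl}

# run_check CMD [ARGS...]
# Prints a verdict line, then the checker's output:
#   FAILED   - checker exited non-zero (connect, bind or search error)
#   EXPIRING - checker listed one or more certificates
#   OK       - checker ran cleanly and printed nothing
run_check() {
    if out=$("$@" 2>&1); then rc=0; else rc=$?; fi
    if [ "$rc" -ne 0 ]; then
        printf 'FAILED\nchecker exited with status %s\n%s\n' "$rc" "$out"
    elif [ -n "$out" ]; then
        printf 'EXPIRING\n%s\n' "$out"
    else
        printf 'OK\nNo expired or expiring certificates were reported.\n'
    fi
}

# subject_for VERDICT: mail subject that carries the verdict and the date.
subject_for() {
    printf 'Certificate Expiration Report [%s] for %s' "$1" "$(date -I)"
}

# main HOST BIND_DN PASSWORD_FILE
# The password comes from a file only the cron user can read, so it is not in
# the crontab. It is still handed to checkcerts.pl as its third argument.
main() {
    pw=$(cat "$3") || exit 2
    report=$(run_check "$CHECKER" "$1" "$2" "$pw")
    verdict=$(printf '%s\n' "$report" | head -n 1)
    printf '%s\n' "$report" | tail -n +2 |
        mail -s "$(subject_for "$verdict")" -r certreport@mydomain.com idmadmins@mydomain.com
}

# Run only when called with the three arguments, as cron would.
if [ "$#" -eq 3 ]; then main "$@"; fi
```

A crontab entry would call this wrapper with the host, the bind DN and the path of the password file in place of the pipeline.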

 

#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use POSIX qw(strftime);
use Date::Manip;

# Arguments: LDAP host or URI, bind DN, bind password.
if (@ARGV != 3) { die "Usage: checkcerts.pl LDAPURI binduser bindpwd\n"; }
my $ldap = Net::LDAP->new( $ARGV[0] ) or die "$@";
# Stop if the bind fails; otherwise the search would run unauthenticated.
my $mesg = $ldap->bind( $ARGV[1], password => $ARGV[2] );
$mesg->code && die $mesg->error;
# Find every certificate (key material) object in the tree.
$mesg = $ldap->search( base => "", filter => "(objectclass=ndspkikeymaterial)" );
$mesg->code && die $mesg->error;
# Today's date, and the date one month from now.
my $currenttime = strftime("%Y%m%d", localtime());
my $currtime = ParseDate($currenttime);
my $currtimeplus = DateCalc($currtime, "1 month");

my $attr = "ndspkinotafter";
foreach my $entr ( $mesg->entries ) {
   # Skip entries where the expiry attribute is missing or not readable.
   my $notafter = $entr->get_value( $attr );
   next unless defined $notafter;
   # The first eight characters of the value are the expiry date (YYYYMMDD).
   my $crtdate = ParseDate( substr( $notafter, 0, 8 ) );
   my $dateresult = Date_Cmp($currtime, $crtdate);
   my $futuredateresult = Date_Cmp($currtimeplus, $crtdate);
   if ( $dateresult < 0 ) {
         if ( $futuredateresult < 0 ) {
#             print "The certificate ", $entr->dn, " is valid.\n";
          } else {
             print "The certificate ", $entr->dn, " will expire within a month.\n";
          }
   } elsif ( $dateresult == 0 ) {
         print "The certificate ", $entr->dn, " expires today.\n";
   } else {
         print "The certificate ", $entr->dn, " has already expired.\n";
   }
}
$mesg = $ldap->unbind;
 
