Linux: How to determine SSL cert expiration date from a PEM encoded certificate?

Note: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/21297853/

Time: 2020-08-07 01:53:30  Source: igfitidea

How to determine SSL cert expiration date from a PEM encoded certificate?

linux bash ssl openssl certificate

Asked by GL2014

If I have the actual file and a Bash shell in Mac or Linux, how can I query the cert file for when it will expire? Not a web site, but actually the certificate file itself, assuming I have the csr, key, pem and chain files.

Accepted answer by that other guy

With openssl:

openssl x509 -enddate -noout -in file.pem

The output is of the form:

notAfter=Nov  3 22:23:50 2014 GMT

Also see MikeW's answer for how to easily check whether the certificate has expired or not, or whether it will within a certain time period, without having to parse the date above.

Answer by MikeW

If you just want to know whether the certificate has expired (or will do so within the next N seconds), the -checkend <seconds> option to openssl x509 will tell you:

if openssl x509 -checkend 86400 -noout -in file.pem
then
  echo "Certificate is good for another day!"
else
  echo "Certificate has expired or will do so within 24 hours!"
  echo "(or is invalid/not found)"
fi

This saves having to do date/time comparisons yourself.

openssl will return an exit code of 0 (zero) if the certificate has not expired and will not do so for the next 86400 seconds, in the example above. If the certificate will have expired or has already done so - or some other error like an invalid/nonexistent file - the return code is 1.

(Of course, it assumes the time/date is set correctly)
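
Because exit code 1 from -checkend covers both "expiring" and "invalid/nonexistent file", and because openssl x509 reads only the first certificate in a file (relevant to the chain files mentioned in the question), a small wrapper can separate these cases. This is an added example, not part of any answer on the original page; cert_status, bundle_status and make_test_cert are hypothetical helper names, and the sample certificate is constructed on the spot.

```bash
# Added example, not from the original page; cert_status, bundle_status
# and make_test_cert are hypothetical names.

# 0 = valid beyond the window, 1 = expired or expiring within it,
# 2 = file missing or not a parseable certificate.
cert_status() {
  local file="$1" window="${2:-86400}"
  # Parse first, so a wrong path is not reported as an expired certificate.
  openssl x509 -noout -in "$file" >/dev/null 2>&1 || return 2
  openssl x509 -checkend "$window" -noout -in "$file" >/dev/null 2>&1 || return 1
  return 0
}

# openssl x509 reads only the first certificate in a file, so split a
# bundle (leaf + chain) and return the worst status found in it.
bundle_status() {
  local file="$1" window="${2:-86400}" tmp part rc worst=0 count=0
  [ -r "$file" ] || return 2
  tmp="$(mktemp -d)" || return 2
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
    inside { print > (dir "/" n ".pem") }
    /-----END CERTIFICATE-----/ { inside = 0 }' "$file"
  for part in "$tmp"/*.pem; do
    [ -e "$part" ] || continue
    count=$((count + 1)); rc=0
    cert_status "$part" "$window" || rc=$?
    if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
  done
  rm -rf "$tmp"
  [ "$count" -gt 0 ] || return 2
  return "$worst"
}

# Constructed sample input: a throwaway self-signed certificate valid for
# the given number of days; the private key is deleted straight away.
make_test_cert() {
  local out="$1" days="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -days "$days" -keyout "$out.key" -out "$out" 2>/dev/null || return 1
  rm -f "$out.key"
}
```

Call the functions as `cert_status file.pem 86400 || rc=$?` so that a non-zero status can be inspected instead of aborting a script running under `set -e`.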

Answer by Nicholas Sushkin

Here's my bash command line to list multiple certificates in order of their expiration, most recently expiring first.

for pem in /etc/ssl/certs/*.pem; do 
   printf '%s: %s\n' \
      "$(date --date="$(openssl x509 -enddate -noout -in "$pem"|cut -d= -f 2)" --iso-8601)" \
      "$pem"
done | sort

Sample output:

2015-12-16: /etc/ssl/certs/Staat_der_Nederlanden_Root_CA.pem
2016-03-22: /etc/ssl/certs/CA_Disig.pem
2016-08-14: /etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_S.pem

Answer by Donald.M

For Mac OS X (El Capitan), this modification of Nicholas' example worked for me.

for pem in /path/to/certs/*.pem; do
    printf '%s: %s\n' \
        "$(date -jf "%b %e %H:%M:%S %Y %Z" "$(openssl x509 -enddate -noout -in "$pem"|cut -d= -f 2)" +"%Y-%m-%d")" \
    "$pem";
done | sort

Sample Output:

2014-12-19: /path/to/certs/MDM_Certificate.pem
2015-11-13: /path/to/certs/MDM_AirWatch_Certificate.pem

macOS didn't like the --date= or --iso-8601 flags on my system.

Answer by Andrew

Here's a bash function which checks all your servers, assuming you're using DNS round-robin. Note that this requires GNU date and won't work on Mac OS.

function check_certs () {
  # The domain name is required as the first argument
  if [ -z "$1" ]
  then
    echo "domain name missing"
    return 1
  fi
  name="$1"
  shift

  now_epoch=$( date +%s )

  # One line per DNS answer record; the last field is the address
  dig +noall +answer "$name" | while read -r _ _ _ _ ip;
  do
    echo -n "$ip:"
    # Connect to each address, sending the domain as the SNI name
    expiry_date=$( echo | openssl s_client -showcerts -servername "$name" -connect "$ip:443" 2>/dev/null | openssl x509 -inform pem -noout -enddate | cut -d "=" -f 2 )
    echo -n " $expiry_date";
    expiry_epoch=$( date -d "$expiry_date" +%s )
    expiry_days="$(( ($expiry_epoch - $now_epoch) / (3600 * 24) ))"
    echo "    $expiry_days days"
  done
}

Output example:

$ check_certs stackoverflow.com
151.101.1.69: Aug 14 12:00:00 2019 GMT    603 days
151.101.65.69: Aug 14 12:00:00 2019 GMT    603 days
151.101.129.69: Aug 14 12:00:00 2019 GMT    603 days
151.101.193.69: Aug 14 12:00:00 2019 GMT    603 days

Answer by Attila123

If (for some reason) you want to use a GUI application in Linux, use gcr-viewer (in most distributions it is installed by the package gcr (otherwise in package gcr-viewer))

gcr-viewer file.pem
# or
gcr-viewer file.crt

Answer by Alexey

One line checking on true/false if cert of domain will be expired in some time later (ex. 15 days):

if openssl x509 -checkend $(( 24*3600*15 )) -noout -in <(openssl s_client -showcerts -connect may.domain.com:443 </dev/null 2>/dev/null | openssl x509 -outform PEM)
then
  echo 'good'
else
  echo 'bad'
fi

Answer by Srihari Karanth

Same as accepted answer, but note that it works even with a .crt file and not just a .pem file, just in case you are not able to find the .pem file location.

openssl x509 -enddate -noout -in e71c8ea7fa97ad6c.crt

Result:

notAfter=Mar 29 06:15:00 2020 GMT