Bi-monthly SSL certificate update
About once every other month I’ve accumulated a list of SSL certificates that must be renewed. Now, all experience has shown that it’s a good idea to verify that the service in question is actually using the renewed certificate. I’ve updated the wrong configuration file; I’ve forgotten to restart services so they re-read the certificate; and I’ve had services claiming to have read the new configuration while in reality still running with the old certificate. As a result I’ve picked up the habit of always checking that the new certificate is actually the one being used. For HTTPS this is simple enough; all browsers I use have a really simple way of checking the expiry date of a site certificate. But what about when you’re using SMTPS, IMAPS or POP3S (or SMTP, IMAP or POP3 with STARTTLS)? I know there’s a way, but I always forget and have to ask Google. Well, not any more. Here’s how to fetch the certificate for such services with openssl s_client; by default it prints only the server’s own certificate (not the chain), and the sed filter below saves that PEM block to a file:
IMAPS
echo | \
  openssl s_client -connect imap.example.com:993 -crlf 2>&1 | \
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert
IMAP with STARTTLS
echo | \
  openssl s_client -starttls imap -connect imap.example.com:143 -crlf 2>&1 | \
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert
POP3S
echo | \
  openssl s_client -connect pop3.example.com:995 -crlf 2>&1 | \
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert
POP3 with STARTTLS
echo | \
  openssl s_client -starttls pop3 -connect pop3.example.com:110 -crlf 2>&1 | \
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert
SMTPS
echo | \
  openssl s_client -connect smtp.example.com:465 -crlf 2>&1 | \
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert
SMTP with STARTTLS
echo | \
  openssl s_client -starttls smtp -connect smtp.example.com:587 -crlf 2>&1 | \
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert
Once you’ve got the certificate (the above commands will store it in a file named cert in the current working directory) use the following command to extract the expiry date:
openssl x509 -in cert -noout -enddate
Sample output
notAfter=May 13 21:22:55 2012 GMT
Simple as that…
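As an added example (not code from the original post): a small POSIX shell script that wraps the s_client, sed and x509 steps above and adds the check the whole post is really about, namely comparing the fingerprint of the certificate the service serves with the renewed file you installed, instead of only reading the expiry date. It also passes -servername so a server hosting several names returns the certificate for the one you ask about, and uses openssl x509 -checkend for a scriptable expiry test. The function names, the self-test's throwaway certificate and its constructed s_client transcript are this example's own assumptions, not anything from the post.

```shell
#!/bin/sh
# Added example, not the original post's code. Wraps the s_client/sed/x509
# steps in functions and adds a served-vs-installed fingerprint comparison.
# All function names here are this example's own.
set -u

# Fetch the leaf certificate a TLS or STARTTLS service presents, as PEM.
# $1 host, $2 port, $3 STARTTLS protocol (smtp, imap, pop3) or empty for
# implicit TLS (993/995/465). -servername sends SNI so a multi-name host
# returns the certificate for this name.
fetch_server_cert() {
    if [ -n "${3:-}" ]; then
        echo | openssl s_client -starttls "$3" -servername "$1" \
            -connect "$1:$2" -crlf 2>&1
    else
        echo | openssl s_client -servername "$1" -connect "$1:$2" -crlf 2>&1
    fi | extract_pem_cert
}

# Keep only the first PEM certificate block on stdin. s_client prints the
# leaf only by default; with -showcerts it prints the chain, and this still
# keeps just the first (leaf) certificate.
extract_pem_cert() {
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |
        awk '{ print } /-END CERTIFICATE-/ { exit }'
}

# notAfter of the certificate in file $1, e.g. "May 13 21:22:55 2012 GMT".
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# SHA-256 fingerprint of the certificate in file $1.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Exit 0 if the certificate in $1 expires within $2 seconds.
# openssl x509 -checkend exits 1 in that case, so the result is inverted.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Does the live service serve the certificate in local file $3?
# $1 host, $2 port, $3 PEM file, $4 STARTTLS protocol or empty.
check_renewed() {
    served=$(mktemp) || return 2
    fetch_server_cert "$1" "$2" "${4:-}" > "$served"
    if [ ! -s "$served" ]; then
        echo "$1:$2: no certificate received" >&2
        rm -f "$served"; return 2
    fi
    if [ "$(cert_fingerprint "$served")" = "$(cert_fingerprint "$3")" ]; then
        echo "$1:$2 serves the renewed certificate (notAfter=$(cert_not_after "$served"))"
        rm -f "$served"; return 0
    fi
    echo "$1:$2 still serves another certificate (notAfter=$(cert_not_after "$served"))" >&2
    rm -f "$served"; return 1
}

# Offline self-test: make a throwaway 30-day certificate and a constructed
# s_client transcript (not real captured output) listing it twice, as
# -showcerts would for a chain; check that one copy survives extraction and
# that the expiry helpers agree with the 30-day validity.
selftest() {
    t=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$t/key.pem" \
        -out "$t/cert.pem" -days 30 -subj '/CN=imap.example.com' \
        >/dev/null 2>&1 || { rm -rf "$t"; return 1; }
    {
        echo 'CONNECTED(00000003)'
        echo 'depth=0 CN = imap.example.com'
        echo '---'
        cat "$t/cert.pem"
        echo '---'
        cat "$t/cert.pem"
        echo 'No client certificate CA names sent'
    } > "$t/transcript.txt"
    extract_pem_cert < "$t/transcript.txt" > "$t/served.pem"
    if cmp -s "$t/served.pem" "$t/cert.pem" &&
       [ "$(cert_fingerprint "$t/served.pem")" = "$(cert_fingerprint "$t/cert.pem")" ] &&
       ! cert_expires_within "$t/cert.pem" 86400 &&
       cert_expires_within "$t/cert.pem" $((60 * 86400)); then
        rc=0
    else
        rc=1
    fi
    rm -rf "$t"
    return $rc
}

# Usage: sh checkcert.sh imap.example.com 993 /etc/ssl/certs/imap.pem
#        sh checkcert.sh smtp.example.com 587 /etc/ssl/certs/smtp.pem smtp
if [ $# -ge 3 ]; then
    check_renewed "$1" "$2" "$3" "${4:-}"
fi
```

Run it once per renewed service after the restart; a non-zero exit means the daemon is still presenting something other than the file you just installed, which is exactly the "config reloaded but old certificate still in use" case the post describes, and `cert_expires_within cert 2592000` gives a cron-friendly "expires within 30 days" test without parsing the notAfter date by hand.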
Category: Blog, Tags: SSL
Updated 2011-04-15 by Bob, written 2011-03-14 by Bob