.\" Process this file with .\" groff -man -Tascii foo.1 .\" .TH "check_ssl_cert" 1 "December, 2016" "1.37.0" "USER COMMANDS" .SH NAME check_ssl_cert \- checks the validity of X.509 certificates .SH SYNOPSIS .BR "check_ssl_cert " "-H host [OPTIONS]" .SH DESCRIPTION .B check_ssl_cert A Nagios plugin to check an X.509 certificate: - checks if the server is running and delivers a valid certificate - checks if the CA matches a given pattern - checks the validity .SH ARGUMENTS .TP .BR "-H,--host" " host" server .SH OPTIONS .TP .BR "-A,--noauth" ignore authority warnings (expiration only) .TP .BR " --altnames" matches the pattern specified in -n with alternate names too .TP .BR "-C,--clientcert" " path" use client certificate to authenticate .TP .BR " --clientpass" " phrase" set passphrase for client certificate. .TP .BR "-c,--critical" " days" minimum number of days a certificate has to be valid to issue a critical status .TP .BR "-d,--debug" produces debugging output .TP .BR " --ecdsa" cipher selection: force ECDSA authentication .TP .BR "-e,--email" " address" pattern to match the email address contained in the certificate .TP .BR "-f,--file" " file" local file path (works with -H localhost only) .TP .BR " --file-bin" " path" path of the file binary to be used" .TP .BR "-h,--help,-?" this help message .TP .BR " --ignore-exp" ignore expiration date .TP .BR " --ignore-sig-alg" do not check if the certificate was signed with SHA1 or MD5 .TP .BR " --ignore-ocsp" do not check revocation with OCSP .TP .BR "-i,--issuer" " issuer" pattern to match the issuer of the certificate .TP .BR "-L,--check-ssl-labs grade" SSL Labs assestment (please check https://www.ssllabs.com/about/terms.html) .TP .BR " --ignore-ssl-labs-cache" Forces a new check by SSL Labs (see -L) .TP .BR " --long-output" " list" append the specified comma separated (no spaces) list of attributes to the plugin output on additional lines. Valid attributes are: enddate, startdate, subject, issuer, modulus, serial, hash, email, ocsp_uri and fingerprint. 'all' will include all the available attributes. .TP .BR "-n,---cn" " name" pattern to match the CN of the certificate (can be specified multiple times) .TP .BR " --no_ssl2" disable SSL version 2 .TP .BR " --no_ssl3" disable SSL version 3 .TP .BR " --no_tls1" disable TLS version 1 .TP .BR " --no_tls1_1" disable TLS version 1.1 .TP .BR " --no_tls1_2" disable TLS version 1.2 .TP .BR "-N,--host-cn" match CN with the host name .TP .BR "-o,--org" " org" pattern to match the organization of the certificate .TP .BR " --openssl" " path" path of the openssl binary to be used .TP .BR "-p,--port" " port" TCP port .TP .BR "-P,--protocol" " protocol" use the specific protocol: http (default), irc or smtp,pop3,imap,ftp (switch to TLS) .TP .BR "-s,--selfsigned" allows self-signed certificates .TP .BR " --serial serialnum" pattern to match the serial number .TP .BR " --ssl2" force SSL version 2 .TP .BR " --ssl3" force SSL version 3 .TP .BR "-r,--rootcert" " cert" root certificate or directory to be used for certficate validation (passed to openssl's -CAfile or -CApath) .TP .BR " --rsa" cipher selection: force RSA authentication .TP .BR "-t,--timeout" seconds timeout after the specified time (defaults to 15 seconds) .TP .BR " --temp" " dir" directory where to store the temporary files .TP .BR " --tls1" force TLS version 1 .TP .BR "-v,--verbose" verbose output .TP .BR "-V,--version" version .TP .BR "-w,--warning" " days" minimum number of days a certificate has to be valid to issue a warning status .SH DEPRECATED OPTIONS .TP .BR "-d,--days" " days" minimum number of days a certificate has to be valid (see --critical and --warning) .TP .BR " --ocsp" check revocation via OCSP .TP .BR "-S,--ssl" " version" force SSL version (2,3) (see: --ss2 or --ssl3) .SH MULTIPLE CERTIFICATES If the host has multiple certificates and the installed openssl version supports the -servername option it is possible to specify the TLS SNI (Server Name Idetificator) with the -N (or --host-cn) option. .SH "SEE ALSO" x509(1), openssl(1), expect(1), timeout(1) .SH "EXIT STATUS" check_ssl_cert returns a zero exist status if it finds no errors, 1 for warnings, 2 for a critical errors and 3 for unknown problems .SH BUGS Please report bugs to: Matteo Corti (matteo (at) corti.li ) .SH AUTHOR Matteo Corti (matteo (at) corti.li ) See the AUTHORS file for the complete list of contributors