table of contents
other versions
- bullseye 35.20210511
- bullseye-backports 37.20211217~bpo11+1
- testing 37.20211217
- unstable 37.20211217
| check_ssl_cert(1) | USER COMMANDS | check_ssl_cert(1) |
NAME¶
check_ssl_cert - checks the validity of X.509 certificates
SYNOPSIS¶
check_ssl_cert -H host [OPTIONS]
DESCRIPTION¶
check_ssl_cert A Nagios plugin to check an X.509
certificate:
- checks if the server is running and delivers a valid certificate
- checks if the CA matches a given pattern
- checks the validity
ARGUMENTS¶
- -H,--host host
- server
OPTIONS¶
- -A,--noauth
- ignore authority warnings (expiration only)
- --altnames
- matches the pattern specified in -n with alternate names too
- -C,--clientcert path
- use client certificate to authenticate
- --clientpass phrase
- set passphrase for client certificate.
- -c,--critical days
- minimum number of days a certificate has to be valid to issue a critical status
- --curl-bin path
- path of the curl binary to be used
- --curl-user-agentstring
- user agent that curl shall use to obtain the issuer cert
- -d,--debug
- produces debugging output
- --ecdsa
- cipher selection: force ECDSA authentication
- -e,--email address
- pattern to match the email address contained in the certificate
- -f,--file file
- local file path (works with -H localhost only) with -f you can not only pass a x509 certificate file but also a certificate revocation list (CRL) to check the validity period
- --file-bin path
- path of the file binary to be used
- --fingerprint SHA1
- pattern to match the SHA1-Fingerprint
- --force-perl-date
- force the usage of Perl for date computations
- --format FORMAT
- custom output format (e.g. "%SHORTNAME% OK %CN% from '%CA_ISSUER_MATCHED%'")
- -h,--help,-?
- this help message
- --http-use-get
- use GET instead of HEAD (default) for the HTTP related checks
- --ignore-exp
- ignore expiration date
- --ignore-ocsp
- do not check revocation with OCSP
- --ignore-sig-alg
- do not check if the certificate was signed with SHA1 or MD5
- --ignore-ssl-labs-cache
- Forces a new check by SSL Labs (see -L)
- --issuer-cert-cache dir
- directory where to store issuer certificates cache
- -i,--issuer issuer
- pattern to match the issuer of the certificate
- -K,--clientkey path
- use client certificate key to authenticate
- -L,--check-ssl-labs grade
- SSL Labs assestment (please check https://www.ssllabs.com/about/terms.html)
- --check-ssl-warn-labs grade
- SSL Labs grade on which to warn
- --long-output list
- append the specified comma separated (no spaces) list of attributes to the plugin output on additional lines. Valid attributes are: enddate, startdate, subject, issuer, modulus, serial, hash, email, ocsp_uri and fingerprint. 'all' will include all the available attributes.
- -n,--cn name
- pattern to match the CN of the certificate (can be specified multiple times)
- --no_ssl2
- disable SSL version 2
- --no_ssl3
- disable SSL version 3
- --no_tls1
- disable TLS version 1
- --no_tls1_1
- disable TLS version 1.1
- --no_tls1_3
- disable TLS version 1.3
- --no_tls1_2
- disable TLS version 1.2
- -N,--host-cn
- match CN with the host name
- --ocsp-critical hours
- minimum number of hours an OCSP response has to be valid to issue a critical status
- --ocsp-warning hours
- minimum number of hours an OCSP response has to be valid to issue a warning status
- -o,--org org
- pattern to match the organization of the certificate
- --openssl path
- path of the openssl binary to be used
- -p,--port port
- TCP port
- -P,--protocol protocol
- use the specific protocol: ftp, ftps, http (default), imap, imaps, irc,
ircs, ldap, ldaps, pop3, pop3s, smtp, smtps, xmpp.
These protocols switch to TLS using StartTLS: ftp, imap, irc, ldap, pop3, smtp. - -s,--selfsigned
- allows self-signed certificates
- --serial serialnum
- pattern to match the serial number
- --sni name
- sets the TLS SNI (Server Name Indication) extension in the ClientHello message to 'name'
- --ssl2
- force SSL version 2
- --ssl3
- force SSL version 3
- --require-ocsp-stapling
- require OCSP stapling
- --require-san
- require the presence of a Subject Alternative Name extension
- -r,--rootcert cert
- root certificate or directory to be used for certificate validation (passed to openssl's -CAfile or -CApath)
- --rootcert-dir dir
- root directory to be used for certificate validation (passed to openssl's -CApath) overrides option -r,--rootcert
- --rootcert-file cert
- root certificate to be used for certificate validation (passed to openssl's -CAfile) overrides option -r,--rootcert
- --rsa
- cipher selection: force RSA authentication
- --temp dir
- directory where to store the temporary files
- --terse
- terse output (also see --verbose)
- -t,--timeout
- seconds timeout after the specified time (defaults to 15 seconds)
- --tls1
- force TLS version 1
- --tls1_1
- force TLS version 1.1
- --tls1_2
- force TLS version 1.2
- --tls1_3
- force TLS version 1.3
- -v,--verbose
- verbose output (also see --terse)
- -V,--version
- version
- -w,--warning days
- minimum number of days a certificate has to be valid to issue a warning status
- --xmpphost name
- specifies the host for the "to" attribute of the stream element
- -4
- forces IPv4
- -6
- forces IPv6
DEPRECATED OPTIONS¶
- -d,--days days
- minimum number of days a certificate has to be valid (see --critical and --warning)
- --ocsp
- check revocation via OCSP
- -S,--ssl version
- force SSL version (2,3) (see: --ssl2 or --ssl3)
MULTIPLE CERTIFICATES¶
If the host has multiple certificates and the installed openssl version supports the -servername option it is possible to specify the TLS SNI (Server Name Idetificator) with the -N (or --host-cn) option.
SEE ALSO¶
EXIT STATUS¶
check_ssl_cert returns a zero exist status if it finds no errors, 1 for warnings, 2 for a critical errors and 3 for unknown problems
BUGS¶
Please report bugs to:
AUTHOR¶
Matteo Corti (matteo (at) corti.li ) See the AUTHORS file for the complete list of contributors
| October, 2019 | 1.98.0 |