|
|
@@ -0,0 +1,74 @@
|
|
|
+#!/bin/bash
|
|
|
+function print_cert_info {
|
|
|
+ local enddate
|
|
|
+ local subject
|
|
|
+ local san_str
|
|
|
+
|
|
|
+ # Get the wanted informations with OpenSSL.
|
|
|
+ issuer="$(openssl x509 -noout -issuer -in "$1" | sed -n 's/.*CN = \(.*\)/\1/p')"
|
|
|
+ enddate="$(openssl x509 -noout -enddate -in "$1" | sed -n 's/notAfter=\(.*$\)/\1/p')"
|
|
|
+ subject="$(openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN = \([a-z0-9.-]*\)/- \1/p')"
|
|
|
+ san_str="$(openssl x509 -text -in "$1" | grep 'DNS:')"
|
|
|
+
|
|
|
+ echo "Certificate was issued by $issuer"
|
|
|
+ if [[ "$2" == "expired" ]]; then
|
|
|
+ echo "Certificate was valid until $enddate"
|
|
|
+ else
|
|
|
+ echo "Certificate is valid until $enddate"
|
|
|
+ fi
|
|
|
+ echo "Subject Name:"
|
|
|
+ echo "$subject"
|
|
|
+
|
|
|
+ # Display the SAN info only if there is more than one SAN domain.
|
|
|
+ while IFS=',' read -ra SAN; do
|
|
|
+ if [[ ${#SAN[@]} -gt 1 ]]; then
|
|
|
+ echo "Subject Alternative Name:"
|
|
|
+ for domain in "${SAN[@]}"; do
|
|
|
+ echo "$domain" | sed -n 's/.*DNS:\([a-z0-9.-]*\)/- \1/p'
|
|
|
+ done
|
|
|
+ fi
|
|
|
+ done <<< "$san_str"
|
|
|
+}
|
|
|
+
|
|
|
+echo '##### Certificate status #####'
|
|
|
+for cert in /etc/nginx/certs/*/fullchain.pem; do
|
|
|
+ [[ -e "$cert" ]] || continue
|
|
|
+ if [[ -e "${cert%fullchain.pem}chain.pem" ]]; then
|
|
|
+ # Verify the certificate with OpenSSL.
|
|
|
+ verify=$(openssl verify -CAfile "${cert%fullchain.pem}chain.pem" "$cert" 2>&1)
|
|
|
+ if [[ $? -eq 0 ]]; then
|
|
|
+ echo $verify
|
|
|
+ # Print certificate info.
|
|
|
+ print_cert_info "$cert"
|
|
|
+ else
|
|
|
+ echo "${cert}: EXPIRED"
|
|
|
+ # Print certificate info.
|
|
|
+ print_cert_info "$cert" "expired"
|
|
|
+ fi
|
|
|
+ else
|
|
|
+ echo "${cert}: no corresponding chain.pem file, unable to verify certificate"
|
|
|
+ # Print certificate info.
|
|
|
+ print_cert_info "$cert"
|
|
|
+ fi
|
|
|
+
|
|
|
+ # Find the .crt files in /etc/nginx/certs which are
|
|
|
+ # symlinks pointing to the current certificate.
|
|
|
+ unset symlinked_domains
|
|
|
+ for symlink in /etc/nginx/certs/*.crt; do
|
|
|
+ [[ -e "$symlink" ]] || continue
|
|
|
+ if [[ "$(readlink -f "$symlink")" == "$cert" ]]; then
|
|
|
+ domain="$(echo "${symlink%.crt}" | sed 's#/etc/nginx/certs/##g')"
|
|
|
+ symlinked_domains+=("$domain")
|
|
|
+ fi
|
|
|
+ done
|
|
|
+
|
|
|
+ # Display symlinks pointing to the current cert if there is any.
|
|
|
+ if [[ ${#symlinked_domains[@]} -gt 0 ]]; then
|
|
|
+ echo "Certificate is used by the following domain(s):"
|
|
|
+ for domain in "${symlinked_domains[@]}"; do
|
|
|
+ echo "- $domain"
|
|
|
+ done
|
|
|
+ fi
|
|
|
+
|
|
|
+ echo '##############################'
|
|
|
+done
|
cc