Check expiry dates of local and remote SSL certificates
Clone or download
Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitignore Add README Aug 20, 2014
LICENSE Update year in copyright notices Jan 23, 2017 Allow empty lines when reading entries from --list May 9, 2017
ssl-cert-check Allow empty lines when reading entries from --list May 9, 2017



  • ./ssl-cert-check <days> <certspec1,certspec2,...>
  • ./ssl-cert-check <days> --list=<FILE>
  • ./ssl-cert-check <days> --glob=<FILE>

This tool will warn you if any of the specified certificates expires in the next <days> days. If the --list mode is used, the file is expected to contain one certspec per line. Similarly, --glob mode expects one certspec per line in the given file, but each line will be evaluated as a wildcard glob pattern. In both cases, lines starting with the character '#' as well as empty lines will be ignored.


The first parameter is the number of days to warn in advance for expiring certificates. All following parameters are treated as certificate specifications and can be in one of the following formats:

  • An absolute path to a x509 PEM certificate file
    For example:

    • /etc/apache2/ssl/
  • A file://<path> URI
    For example:

    • file:///etc/apache2/ssl/
  • A ssl://<host>:<port> URI
    For example: * ssl://

  • A <proto>://<host>[:<port>] URI, this is the same as ssl://<host>:<proto>.
    The real port number is usually looked up in /etc/services, note that you often need the one with the 's' suffix, like "https", "imaps", etc.
    For example:

  • A <proto>+starttls://<host>[:<port>] URI
    Use the STARTTLS command to start a in-protocol TLS session after opening an unencrypted connection. The openssl s_client needs to support this protocol. At time of this writing, the supported protocols are "smtp", "pop3", "imap", "ftp" and "xmpp".
    For example:

    • imap+starttls://
    • smtp+starttls://


Example for your crontab:

6       6    * * *   nobody /usr/local/bin/ssl-cert-check 30 /etc/apache2/ssl/*.crt /etc/ssl/certs/dovecot.pem https://localhost ssl://localhost:465 smtp+starttls://localhost:587