Testing certificates for verdancy #398

Closed
tashian opened this issue Dec 16, 2020 · 4 comments · Fixed by #495

tashian commented Dec 16, 2020

I'd love to be able to know whether or not a certificate is about to expire, without running something like:

step certificate inspect "$CERT_LOCATION" --format json | \
        jq -e '(((.validity.start | fromdate) +
                 ((.validity.end | fromdate) - (.validity.start | fromdate)) * 0.66)
                  - now) <= 0'

For scripting purposes, I'd love a command such as step certificate verify --verdancy that would simply say whether or not the certificate is ready for renewal, and return an exit code:

  • 0 GREEN — the leaf is < 66% through its lifetime
  • 1 YELLOW — the leaf is >= 66% and < 90% through its lifetime
  • 2 RED — the leaf is >= 90% through its lifetime
  • 3 BROWN — the leaf is expired
  • 255 if there was an error
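
Added example (not part of the original issue, and not the step CLI's implementation): the classification proposed above as a POSIX shell function that works on epoch seconds, so the thresholds can be checked without a certificate. The names `verdancy_code` and `cert_verdancy` are hypothetical, and treating a not-yet-valid certificate as an error is an assumption.

```shell
#!/bin/sh
# verdancy_code START END NOW   (all Unix epoch seconds)
# Returns 0 GREEN, 1 YELLOW, 2 RED, 3 BROWN, 255 on error,
# following the exit codes proposed in the issue.
verdancy_code() {
    [ "$#" -eq 3 ] || return 255
    for v in "$1" "$2" "$3"; do
        case "$v" in
            ''|*[!0-9]*) return 255 ;;      # empty or non-numeric input
        esac
    done
    start=$1 end=$2 now=$3
    [ "$end" -gt "$start" ] || return 255   # zero or negative lifetime
    [ "$now" -ge "$start" ] || return 255   # not yet valid (assumption: error)
    [ "$now" -le "$end" ]   || return 3     # BROWN: past the end of validity
    elapsed=$((now - start))
    lifetime=$((end - start))
    # Integer comparison: elapsed/lifetime >= 0.90 <=> elapsed*100 >= lifetime*90
    [ $((elapsed * 100)) -lt $((lifetime * 90)) ] || return 2   # RED
    [ $((elapsed * 100)) -lt $((lifetime * 66)) ] || return 1   # YELLOW
    return 0                                                    # GREEN
}

# cert_verdancy CERT (hypothetical wrapper; requires step and jq).
# Reads the validity window the same way as the jq filter in the issue.
cert_verdancy() {
    bounds=$(step certificate inspect "$1" --format json |
        jq -r '"\(.validity.start | fromdate) \(.validity.end | fromdate)"') || return 255
    # Word splitting of $bounds into START and END is intentional.
    verdancy_code $bounds "$(date +%s)"
}
```

If `step` or `jq` fails, `bounds` is empty and `verdancy_code` returns 255, so a renewal script never mistakes a read error for a green certificate.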
tashian added the enhancement and needs triage (Waiting for discussion / prioritization by team) labels Dec 16, 2020
tashian changed the title from "Testing certificates for ripness" to "Testing certificates for ripeness" Dec 16, 2020
tashian changed the title from "Testing certificates for ripeness" to "Testing certificates for verdancy" Dec 17, 2020
dopey removed the needs triage (Waiting for discussion / prioritization by team) label Dec 22, 2020

dopey commented Dec 23, 2020

step certificate expired and step certificate verdancy [--expires-in=<duration-or-% remaining>] <cert-or-url>

tashian added a commit to smallstep/docs-old that referenced this issue Dec 23, 2020
Merging this for now, and I'll come back and replace the `jq` usage once smallstep/cli#398 is released.
dopey self-assigned this Jan 4, 2021

tashian commented Feb 23, 2021

Can we do this for SSH certs too? This would allow the same systemd renewal method for SSH host certs.


tommy-56 commented Jul 8, 2021

step certificate needs-renewal addresses this issue and was merged in #495
