Friday, October 12, 2012

Script to check Certificates validity in the Java Key Store


To check Certificates in the Java Key Store:

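#!/bin/bash
# Nagios plugin to check the expiration dates
# of Java Cert keystores
#
# Usage: check_keystore <warning_days> <critical_days>
#   $1 - number of days before expiry at which to raise WARNING
#   $2 - number of days before expiry at which to raise CRITICAL
#
# Exit status follows the Nagios convention (0 OK, 1 WARNING,
# 2 CRITICAL, 3 UNKNOWN); a one-line summary is printed on stdout.

# Nagios return codes
OK=0
WARNING=1
CRITICAL=2
UNKNOWN=3

# Thresholds in days. Both are mandatory: when one is missing the
# comparisons below degrade to "[ N -le ]" and bash reports
# "[: N: unary operator expected" for every certificate while the
# plugin still ends with OK, which is worse than failing loudly.
warning=$1
critical=$2
if [ -z "$warning" ] || [ -z "$critical" ]; then
  echo "UNKNOWN: usage: ${0##*/} <warning_days> <critical_days>" >&2
  exit $UNKNOWN
fi
if ! [[ "$warning" =~ ^-?[0-9]+$ && "$critical" =~ ^-?[0-9]+$ ]]; then
  echo "UNKNOWN: thresholds must be whole numbers of days" >&2
  exit $UNKNOWN
fi

# Todays date expressed in Epoch time "seconds since 1970-01-01 00:00:00 UTC"
TODAY=$(date +%s)

# Per-run state
c_flag=0          # becomes CRITICAL when any cert is inside the critical window
w_flag=0          # becomes WARNING when any cert is inside the warning window
count1=0          # number of certificates in the WARNING window
count2=0          # number of certificates in the CRITICAL window
diffdays_c="in"   # "in N M ..." list of days-to-expiry for CRITICAL certs
diffdays_w="in"   # "in N M ..." list of days-to-expiry for WARNING certs

# keytool location and command line
# keytool normally lives here - /opt/java/x64/jdk1.6.0_18/bin/keytool
KEYTOOL="/opt/java/x64/jdk1.6.0_18/bin/keytool"

# Keystore varies depending on application. The below example is from prod
# It can normally be found here /opt/apps/<APPLICATION>/conf/TrustStore_PROD.ks
KEYSTORE="/opt/apps/cmc-clientverification02/conf/TrustStore_PROD.ks"

# Keystore password. Taken from the environment when the caller sets it so
# the secret need not be edited into this file; the default is the stock
# Java trust store password. It is handed to keytool with -storepass:env
# (the variable NAME, not the value) so it never appears in the argument
# list that any local user can read via ps. If a keytool release does not
# accept the :env modifier, fall back to "-storepass \"$KEYPASS\"".
KEYPASS="${KEYPASS:-changeit}"
export KEYPASS

# Scratch file for the parsed expiry dates. mktemp gives a private,
# unpredictable name instead of the shared, guessable /tmp/cert.txt
# (which another local user could pre-create or symlink), and the trap
# removes it on every exit path.
certfile=$(mktemp) || { echo "UNKNOWN: cannot create temp file" >&2; exit $UNKNOWN; }
trap 'rm -f -- "$certfile"' EXIT

# So first we go and get the cert experation dates from the keystore using the
# keytool. Each "Valid from: ... until: ..." line is reduced to the "until"
# fields (weekday month day time year); the timezone field ($14) is dropped,
# as in the original, because date(1) does not understand every abbreviation.
"$KEYTOOL" -list -v -storepass:env KEYPASS -keystore "$KEYSTORE" \
  | grep Valid \
  | awk '{print $10,$11,$12,$13,$15}' > "$certfile"
# PIPESTATUS[0] is keytool's own status; $? would only reflect awk's.
keytool_rc=${PIPESTATUS[0]}

if [ "$keytool_rc" -ne 0 ]; then
  echo "UNKNOWN: check the command executing manually"
  exit $UNKNOWN
fi

if [ -s "$certfile" ]; then

  while IFS= read -r line; do
    certepoch=$(date --date="$line" +%s)
    if [ -z "$certepoch" ]; then
      # An unparsable date must not silently turn into a negative
      # day count and a bogus CRITICAL.
      echo "UNKNOWN: cannot parse certificate date '$line'"
      exit $UNKNOWN
    fi
    # Integer division truncates toward zero, so anything inside the
    # final 24 hours (before or after expiry) counts as 0 days.
    diff_days=$(( (certepoch - TODAY) / 86400 ))
    if [ "$diff_days" -le "$critical" ]; then
      c_flag=$CRITICAL
      count2=$((count2 + 1))
      diffdays_c="$diffdays_c $diff_days"
    elif [ "$diff_days" -le "$warning" ]; then
      # elif rather than a second independent test: the original used
      # "-ge critical" here too, so a cert at exactly the critical
      # boundary was counted as both CRITICAL and WARNING.
      w_flag=$WARNING
      count1=$((count1 + 1))
      diffdays_w="$diffdays_w $diff_days"
    fi
  done < "$certfile"

  if [ "$c_flag" -eq "$CRITICAL" ] && [ "$w_flag" -eq "$WARNING" ]; then
    echo "CRITICAL:There are $count2 certificates getting expired $diffdays_c days"
    echo "and certificate in WARNING:There are $count1 certificates getting expired $diffdays_w days"
    exit $CRITICAL
  elif [ "$c_flag" -eq "$CRITICAL" ]; then
    echo "CRITICAL:There are $count2 certificates getting expired $diffdays_c days"
    exit $CRITICAL
  elif [ "$w_flag" -eq "$WARNING" ]; then
    echo "WARNING:There are $count1 certificates getting expired $diffdays_w days"
    exit $WARNING
  else
    echo "OK:There are no certificates getting expired."
    exit $OK
  fi

else

  # keytool succeeded but produced no "Valid" lines: either the keystore is
  # empty or its output format differs from what awk expects.
  echo "Try running the Keytool command manually, ther might be a chance that there are no certificates"
  exit $CRITICAL
fi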

4 comments:

  1. Hi there. I really think this script is awesome. But I am having trouble getting it to work.

    It is giving me the following messages when I know 100% the certificates are expired inside the keystore.

    expiring.sh: line 46: [: 5535: unary operator expected
    expiring.sh: line 53: [: 5535: unary operator expected
    expiring.sh: line 46: [: -56: unary operator expected
    expiring.sh: line 53: [: -56: unary operator expected
    expiring.sh: line 46: [: 1236: unary operator expected
    expiring.sh: line 53: [: 1236: unary operator expected
    expiring.sh: line 46: [: 61: unary operator expected
    expiring.sh: line 53: [: 61: unary operator expected
    expiring.sh: line 46: [: 1236: unary operator expected
    expiring.sh: line 53: [: 1236: unary operator expected
    OK:There are no certificates getting expired.

  2. Has anyone resolved this? I am seeing the same result when running the script as above.

    [root@CentOS6-64-1 tmp]# ./check_keystore
    ./check_keystore: line 46: [: 953: unary operator expected
    ./check_keystore: line 53: [: 953: unary operator expected
    ./check_keystore: line 46: [: 1799: unary operator expected
    ./check_keystore: line 53: [: 1799: unary operator expected
    ./check_keystore: line 46: [: 1727: unary operator expected
    ./check_keystore: line 53: [: 1727: unary operator expected
    ./check_keystore: line 46: [: 1799: unary operator expected
    ./check_keystore: line 53: [: 1799: unary operator expected
    ./check_keystore: line 46: [: 445: unary operator expected
    ./check_keystore: line 53: [: 445: unary operator expected
    ./check_keystore: line 46: [: 5434: unary operator expected
    ./check_keystore: line 53: [: 5434: unary operator expected
    OK:There are no certificates getting expired.
