check_ssl_cert(1)                USER COMMANDS                check_ssl_cert(1)


    check_ssl_cert - checks the validity of X.509 certificates

    check_ssl_cert -H host [OPTIONS]
    check_ssl_cert -f file [OPTIONS]

    check_ssl_cert  A shell script (that can be used as a Nagios/Icinga
    plugin) to check an SSL/TLS connection

    -f,--file file
        Local file path or URI. With -f you can not only pass an x509
        certificate file but also a certificate revocation list (CRL) to
        check the validity period or a Java KeyStore file

    -H,--host host
        server

    -A,--noauth
        Ignore authority warnings (expiration only)

    --all
        Enable all the possible optional checks at the maximum level

    --all-local
        Enable all the possible optional checks at the maximum level
        (without SSL-Labs)

    --allow-empty-san
        Allow certificates without Subject Alternative Names (SANs)

    -C,--clientcert path
        Use client certificate to authenticate

    -c,--critical days
        Minimum number of days a certificate has to be valid to issue a
        critical status. Can be a floating point number, e.g., 0.5.
        Default: 15

    --check-chain
        The certificate chain cannot contain double or root certificates

    --check-ciphers grade
        Check the offered ciphers

    --check-ciphers-warnings
        Critical if nmap reports a warning for an offered cipher

    --check-http-headers
        Check the HTTP headers for best practices

    --check-ssl-labs-warn grade
        SSL Labs grade on which to warn

    --clientpass phrase
        Set passphrase for client certificate.

    --configuration file
        Read options from the specified file

    --crl
        Check revocation via CRL (requires --rootcert-file)

    --curl-bin path
        Path of the curl binary to be used

    --custom-http-header string
        Custom HTTP header sent when getting the cert, example:
        'X-Check-Ssl-Cert: Foobar=1'

    --dane
        Verify that valid DANE records exist (since OpenSSL 1.1.0)

    --dane 211
        Verify that a valid DANE-TA(2) SPKI(1) SHA2-256(1) TLSA record
        exists

    --dane 301
        Verify that a valid DANE-EE(3) Cert(0) SHA2-256(1) TLSA record
        exists

    --dane 302
        Verify that a valid DANE-EE(3) Cert(0) SHA2-512(2) TLSA record
        exists

    --dane 311
        Verify that a valid DANE-EE(3) SPKI(1) SHA2-256(1) TLSA record
        exists

    --dane 312
        Verify that a valid DANE-EE(3) SPKI(1) SHA2-512(2) TLSA record
        exists

    --date path
        Path of the date binary to be used

    -d,--debug
        Produce debugging output (can be specified more than once)

    --debug-cert
        Store the retrieved certificates in the current directory

    --debug-file file
        Write the debug messages to file

    --debug-headers
        Store the retrieved HTML headers in the headers.txt file

    --debug-time
        Write timing information in the debugging output

    --default-format
        Print the default output format and exit

    --dig-bin path
        Path of the dig binary to be used

    --dtls
        Use the DTLS protocol

    --dtls1
        Use the DTLS protocol 1.0

    --dtls1_2
        Use the DTLS protocol 1.2

    -e,--email address
        Pattern to match the email address contained in the certificate

    --ecdsa
        Signature algorithm selection: force ECDSA certificate

    --element number
        Check up to the N cert element from the beginning of the chain

    --file-bin path
        Path of the file binary to be used

    --fingerprint SHA1
        Pattern to match the SHA1-Fingerprint

    --first-element-only
        Verify just the first cert element, not the whole chain

    --force-dconv-date
        Force the usage of dconv for date computations

    --force-perl-date
        Force the usage of Perl for date computations

    --format FORMAT
        Format output template on success, for example: '%SHORTNAME% OK
        %CN% from %CA_ISSUER_MATCHED%'
        List of possible variables:
        - %CA_ISSUER_MATCHED%
        - %CHECKEDNAMES%
        - %CN%
        - %DATE%
        - %DAYS_VALID%
        - %DYSPLAY_CN%
        - %HOST%
        - %OCSP_EXPIRES_IN_HOURS%
        - %OPENSSL_COMMAND%
        - %PORT%
        - %SELFSIGNEDCERT%
        - %SHORTNAME%
        - %SIGALGO%
        - %SSL_LABS_HOST_GRADE%
        See --default-format for the default

    --grep-bin path
        Path of the grep binary to be used

    -h,--help,-?
        This help message

    --http-headers-path path
        The path to be used to fetch HTTP headers

    --http-use-get
        Use GET instead of HEAD (default) for the HTTP related checks

    -i,--issuer issuer
        Pattern to match the issuer of the certificate

    --ignore-altnames
        Ignore alternative names when matching pattern specified in -n
        (or the host name)

    --ignore-connection-problems [state]
        In case of connection problems returns OK or the optional state

    --ignore-exp
        Ignore expiration date

    --ignore-host-cn
        Do not complain if the CN does not match the host name

    --ignore-incomplete-chain
        Do not check chain integrity

    --ignore-maximum-validity
        Ignore the certificate maximum validity

    --ignore-ocsp
        Do not check revocation with OCSP

    --ignore-ocsp-errors
        Continue if the OCSP status cannot be checked

    --ignore-ocsp-timeout
        Ignore OCSP result when timeout occurs while checking

    --ignore-sct
        Do not check for signed certificate timestamps (SCT)

    --ignore-sig-alg
        Do not check if the certificate was signed with SHA1 or MD5

    --ignore-ssl-labs-cache
        Force a new check by SSL Labs (see -L)

    --ignore-tls-renegotiation
        Ignore the TLS renegotiation check

    --inetproto protocol
        Force IP version 4 or 6

    --info
        Print certificate information

    --init-host-cache
        Initialize the host cache

    --issuer-cert-cache dir
        Directory where to store issuer certificates cache

    --jks-alias alias
        Alias name of the Java KeyStore entry (requires --file)

    -K,--clientkey path
        Use client certificate key to authenticate

    -L,--check-ssl-labs grade
        SSL Labs assessment (please check
        https://www.ssllabs.com/about/terms.html). Critical if the grade
        is lower than specified.

    --long-output list
        Append the specified comma separated (no spaces) list of
        attributes to the plugin output on additional lines. Valid
        attributes are: enddate, startdate, subject, issuer, modulus,
        serial, hash, email, ocsp_uri and fingerprint. 'all' will include
        all the available attributes.

    -m,--match name
        Pattern to match the CN or AltName (can be specified multiple
        times)

    --maximum-validity [days]
        The maximum validity of the certificate must not exceed 'days'
        (default 397). This check is automatic for HTTPS

    --nmap-bin path
        Path of the nmap binary to be used

    --no-perf
        Do not show performance data

    --no-proxy
        Ignore the http_proxy and https_proxy environment variables

    --no-proxy-curl
        Ignore the http_proxy and https_proxy environment variables for
        curl

    --no-proxy-s_client
        Ignore the http_proxy and https_proxy environment variables for
        openssl s_client

    --no-ssl2
        Disable SSL version 2

    --no-ssl3
        Disable SSL version 3

    --no-tls1
        Disable TLS version 1

    --no-tls1_1
        Disable TLS version 1.1

    --no-tls1_3
        Disable TLS version 1.3

    --no-tls1_2
        Disable TLS version 1.2

    --not-issued-by issuer
        Check that the issuer of the certificate does not match the
        given pattern

    --not-valid-longer-than days
        Critical if the certificate validity is longer than the
        specified period

    -o,--org org
        Pattern to match the organization of the certificate

    --ocsp-critical hours
        Minimum number of hours an OCSP response has to be valid to
        issue a critical status

    --ocsp-warning hours
        Minimum number of hours an OCSP response has to be valid to
        issue a warning status

    --openssl path
        Path of the openssl binary to be used

    -p,--port port
        TCP port (default 443)

    --precision digits
        Number of decimal places for durations: defaults to 0 if
        critical or warning are integers, 2 otherwise

    -P,--protocol protocol
        Use the specific protocol: ftp, ftps, http, https (default), h2
        (HTTP/2), imap, imaps, irc, ircs, ldap, ldaps, mysql, pop3,
        pop3s, postgres, sieve, smtp, smtps, tds, xmpp, xmpp-server.
        ftp, imap, irc, ldap, pop3, postgres, sieve, smtp: switch to TLS
        using StartTLS.
        These protocols switch to TLS using StartTLS: ftp, imap, irc,
        ldap, mysql, pop3, smtp.

    --password source
        Password source for a local certificate, see the PASS PHRASE
        ARGUMENTS section of openssl(1)

    --prometheus
        Generate Prometheus/OpenMetrics output

    --proxy proxy
        Set http_proxy and the s_client -proxy option

    --python-bin path
        Path of the python binary to be used

    -q,--quiet
        Do not produce any output

    -r,--rootcert cert
        Root certificate or directory to be used for certificate
        validation (passed to openssl's -CAfile or -CApath)

    --require-client-cert [list]
        The server must accept a client certificate. 'list' is an
        optional comma separated list of expected client certificate CAs

    --require-dnssec
        Require DNSSEC

    --require-http-header header
        Require the specified HTTP header (e.g., X-Frame-Options)

    --require-no-http-header header
        Require the absence of the specified HTTP header (e.g.,
        X-Powered-By)

    --require-no-ssl2
        Critical if SSL version 2 is offered

    --require-no-ssl3
        Critical if SSL version 3 is offered

    --require-no-tls1
        Critical if TLS 1 is offered

    --require-no-tls1_1
        Critical if TLS 1.1 is offered

    --require-ocsp-stapling
        Require OCSP stapling

    --require-purpose usage
        Require the specified key usage (can be specified more than
        once)

    --require-purpose-critical
        The key usage must be critical

    --require-security-header header
        Require the specified HTTP security header (e.g.,
        X-Frame-Options)

    --require-security-headers
        Require all the HTTP security headers:
        Content-Security-Policy
        Permissions-Policy
        Referrer-Policy
        strict-transport-security
        X-Content-Type-Options
        X-Frame-Options

    --resolve ip
        Provide a custom IP address for the specified host

    --rootcert-dir dir
        Root directory to be used for certificate validation (passed to
        openssl's -CApath), overrides option -r,--rootcert

    --rootcert-file cert
        Root certificate to be used for certificate validation (passed
        to openssl's -CAfile), overrides option -r,--rootcert

    --rsa
        Signature algorithm selection: force RSA certificate

    -s,--selfsigned
        Allow self-signed certificates

    --serial serialnum
        Pattern to match the serial number

    --skip-element number
        Skip checks on the Nth cert element (can be specified multiple
        times)

    --sni name
        Set the TLS SNI (Server Name Indication) extension in the
        ClientHello message to 'name'

    --ssl2
        Force SSL version 2

    --ssl3
        Force SSL version 3

    -t,--timeout seconds
        Timeout after the specified time (defaults to 120 seconds)

    --temp dir
        Directory where to store the temporary files

    --terse
        Terse output (also see --verbose)

    --tls1
        Force TLS version 1

    --tls1_1
        Force TLS version 1.1

    --tls1_2
        Force TLS version 1.2

    --tls1_3
        Force TLS version 1.3

    -u,--url URL
        HTTP request URL

    --user-agent string
        User agent that shall be used for HTTPS connections

    -v,--verbose
        Verbose output (can be specified more than once)

    -V,--version
        Version

    -w,--warning days
        Minimum number of days a certificate has to be valid to issue a
        warning status. Might be a floating point number, e.g., 0.5.
        Default: 20

    --xmpphost name
        Specify the host for the 'to' attribute of the stream element

    -4  Force IPv4

    -6  Force IPv6


    --altnames
        Match the pattern specified in -n with alternate names too
        (enabled by default)

    -n,--cn name
        Pattern to match the CN or AltName (can be specified multiple
        times)

    --curl-user-agent string
        User agent that curl shall use to obtain the issuer cert

    -d,--days days
        Minimum number of days a certificate has to be valid (see
        --critical and --warning)

    -N,--host-cn
        Match CN with the host name (enabled by default)

    --no_ssl2
        Disable SSLv2 (deprecated, use --no-ssl2)

    --no_ssl3
        Disable SSLv3 (deprecated, use --no-ssl3)

    --no_tls1
        Disable TLSv1 (deprecated, use --no-tls1)

    --no_tls1_1
        Disable TLSv1.1 (deprecated, use --no-tls1_1)

    --no_tls1_2
        Disable TLSv1.2 (deprecated, use --no-tls1_2)

    --no_tls1_3
        Disable TLSv1.3 (deprecated, use --no-tls1_3)

    --ocsp
        Check revocation via OCSP (enabled by default)

    --require-hsts
        Require HTTP Strict Transport Security (deprecated, use
        --require-security-header strict-transport-security)

    --require-security-headers-path path
        The path to be used to fetch HTTP security headers

    --require-san
        Require the presence of a Subject Alternative Name extension

    --require-x-frame-options [path]
        Require the presence of the X-Frame-Options HTTP header. 'path'
        is the optional path to be used in the URL to check for the
        header (deprecated, use --require-security-header X-Frame-Options
        and --require-security-headers-path path)

    -S,--ssl version
        Force SSL version (2,3) (see: --ssl2 or --ssl3)


    Command line options can be specified in a configuration file
    (${HOME}/.check_ssl_certrc). For example

        $ cat ${HOME}/.check_ssl_certrc
        --verbose
        --critical 20
        --warning 40

    Options specified in the configuration file are read before processing
    the arguments and can be overridden.

    If the host has multiple certificates and the installed openssl version
    supports the -servername option, it is possible to specify the TLS SNI
    (Server Name Indication) with the -N (or --host-cn) option.
567
568
    check_ssl_cert returns a zero exit status if it finds no errors, 1 for
    warnings, 2 for critical errors and 3 for unknown problems.
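    Because the plugin reports its result through the exit status listed
    above, a wrapper can check several hosts and keep the most severe
    result. The script below is an added example, not part of
    check_ssl_cert; it assumes the plugin is reachable through the
    CHECK_SSL_CERT variable (default: check_ssl_cert on PATH) and uses the
    --warning and --critical thresholds described in the options above.

```shell
#!/bin/sh
# Added example (not part of check_ssl_cert): run the plugin against
# several hosts and aggregate the documented exit statuses
# (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN) into one Nagios-style result.
# CHECK_SSL_CERT is an assumed variable naming the plugin executable.
CHECK_SSL_CERT="${CHECK_SSL_CERT:-check_ssl_cert}"

# Map a plugin exit status to its state name.
state_name() {
    case "$1" in
        0) echo OK ;;
        1) echo WARNING ;;
        2) echo CRITICAL ;;
        *) echo UNKNOWN ;;
    esac
}

# Severity rank used for aggregation: CRITICAL outranks WARNING, which
# outranks UNKNOWN, which outranks OK (the usual Nagios precedence).
state_rank() {
    case "$1" in
        2) echo 3 ;;
        1) echo 2 ;;
        3) echo 1 ;;
        *) echo 0 ;;
    esac
}

# Check every host given as an argument with explicit thresholds
# (warn below 20 days, critical below 15 days, 30 second timeout) and
# return the most severe exit status seen. One line is printed per host.
check_hosts() {
    worst=0
    for host in "$@"; do
        if "$CHECK_SSL_CERT" --host "$host" --warning 20 --critical 15 \
                --timeout 30; then
            status=0
        else
            status=$?
        fi
        printf '%s: %s\n' "$host" "$(state_name "$status")"
        if [ "$(state_rank "$status")" -gt "$(state_rank "$worst")" ]; then
            worst=$status
        fi
    done
    return "$worst"
}
```

    The aggregated exit status can be returned unchanged from a wrapper
    plugin so that Nagios/Icinga shows the worst host's state.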
572
    Please report bugs to: https://github.com/matteocorti/check_ssl_cert/issues


    check_ssl_cert --host github.com --all-local


    openssl(1), openssl-x509(1)



2.54.0                           October, 2022                check_ssl_cert(1)