#1
03-26-2012, 02:28 PM
Ivan Shmakov
a simplistic X.509 certificates manager, please?

[Cross-posting to news:relcom.comp.security for no good reason
at all.]

I wonder, is there a simplistic free software X.509 "server"
certificates manager?

Two features I seek are:

* check all the X.509 certificate files (mostly PEM) specified
for whether they're going to expire anytime soon, and produce
a list thereof; (ideally, the list would include not just the
filename, but also the Subject:, Issuer: and Serial: fields;
preferably shortened);

* take a list of the files holding the old (one per file) and
renewed (possibly many per file) certificates and overwrite
the old ones with new.

TIA.

PS. I'm using https://CAcert.org/ certificates on a bunch of hosts, and
have some trouble renewing them every 6 months.

--
FSF associate member #7257
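
An added example, not part of the original post and not taken from any tool named in this thread: the first requested feature (list certificate files that expire soon, with Subject, Issuer and Serial) sketched with `openssl x509 -checkend`, which exits non-zero when a certificate expires within the given number of seconds. The names `expiring_certs` and `cert_field` and the tab-separated output layout are assumptions made for this example.

```sh
#!/bin/sh
# Added example: report certificates in PEM files that expire within DAYS.
# Usage: sh expiring_certs.sh DAYS FILE...
# Prints one tab-separated line per expiring (or already expired) file:
#   file  notAfter  serial  subject  issuer
# Note: "openssl x509" reads only the first certificate in each file.

# Print one field (-enddate, -serial, -subject, -issuer) without its "name=" prefix.
cert_field() {
    openssl x509 -in "$1" -noout -nameopt RFC2253 "$2" | sed 's/^[^=]*= *//'
}

expiring_certs() {
    days=$1; shift
    secs=$((days * 86400))
    rc=0
    for f in "$@"; do
        # Flag anything that does not parse as a certificate, so a parse
        # error is not mistaken for "about to expire".
        if ! openssl x509 -in "$f" -noout >/dev/null 2>&1; then
            echo "$f: not a readable PEM certificate" >&2
            rc=2
            continue
        fi
        # -checkend exits 0 if the certificate is still valid $secs from now.
        if openssl x509 -in "$f" -noout -checkend "$secs" >/dev/null 2>&1; then
            continue
        fi
        printf '%s\t%s\t%s\t%s\t%s\n' "$f" \
            "$(cert_field "$f" -enddate)" \
            "$(cert_field "$f" -serial)" \
            "$(cert_field "$f" -subject)" \
            "$(cert_field "$f" -issuer)"
    done
    return "$rc"
}

# Run only when arguments are given, e.g.: sh expiring_certs.sh 30 certs/*.pem
[ "$#" -eq 0 ] || expiring_certs "$@"
```

The function returns 2 if any file could not be parsed, so a cron job can distinguish a broken file from a clean run with nothing to report.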

#2
03-27-2012, 11:56 AM
Patrick Rauter
Re: a simplistic X.509 certificates manager, please?

On 26.03.2012 16:28, Ivan Shmakov wrote:
> [Cross-posting to news:relcom.comp.security for no good reason
> at all.]
>
> I wonder, is there a simplistic free software X.509 "server"
> certificates manager?
>
> Two features I seek are:
>
> * check all the X.509 certificate files (mostly PEM) specified
> for whether they're going to expire anytime soon, and produce
> a list thereof; (ideally, the list would include not just the
> filename, but also the Subject:, Issuer: and Serial: fields;
> preferably shortened);
>
> * take a list of the files holding the old (one per file) and
> renewed (possibly many per file) certificates and overwrite
> the old ones with new.
>
> TIA.
>
> PS. I'm using https://CAcert.org/ certificates on a bunch of hosts, and
> have some trouble renewing them every 6 months.
>

Not exactly what you are looking for, but we are using ICINGA's
"check_simap" command to monitor server certificates.

check_simap -S -D 30 -H $HOSTADDRESS$

will return an alert if the certificate has less than 30 days...

HTH

#3
03-27-2012, 12:00 PM
Patrick Rauter
Re: a simplistic X.509 certificates manager, please?

On 26.03.2012 16:28, Ivan Shmakov wrote:
> [Cross-posting to news:relcom.comp.security for no good reason
> at all.]
>
> I wonder, is there a simplistic free software X.509 "server"
> certificates manager?
>
> Two features I seek are:
>
> * check all the X.509 certificate files (mostly PEM) specified
> for whether they're going to expire anytime soon, and produce
> a list thereof; (ideally, the list would include not just the
> filename, but also the Subject:, Issuer: and Serial: fields;
> preferably shortened);
>
> * take a list of the files holding the old (one per file) and
> renewed (possibly many per file) certificates and overwrite
> the old ones with new.
>
> TIA.
>
> PS. I'm using https://CAcert.org/ certificates on a bunch of hosts, and
> have some trouble renewing them every 6 months.
>

Not exactly what you are looking for, but we are using ICINGA's
"check_simap" command to monitor server certificates.

check_simap -S -D 30 -H $HOSTADDRESS$

will return an alert if the certificate has less than 30 days...

ssl-cert-check -s $HOSTADDRESS$ -p 443 -x 30 -n

will do the same for non simap servers.

HTH

#4
03-27-2012, 02:48 PM
Ivan Shmakov
Re: a simplistic X.509 certificates manager, please?

>>>>> Patrick Rauter <rauter@hs-weingarten.de> writes:
>>>>> On 26.03.2012 16:28, Ivan Shmakov wrote:


[...]

>> * check all the X.509 certificate files (mostly PEM) specified for
>> whether they're going to expire anytime soon, and produce a list
>> thereof; (ideally, the list would include not just the filename, but
>> also the Subject:, Issuer: and Serial: fields; preferably
>> shortened);


[...]

> Not exactly what you are looking for, but we are using ICINGA's
> "check_simap" command to monitor server certificates.

> check_simap -S -D 30 -H $HOSTADDRESS$

> will return an alert if the certificate has less than 30 days...

> ssl-cert-check -s $HOSTADDRESS$ -p 443 -x 30 -n


Actually, these two seem to fit (more or less) the first case
above. Thanks!

> will do the same for non simap servers.


Are STARTTLS servers also supported?

--
FSF associate member #7257

#5
03-28-2012, 01:09 PM
Patrick Rauter
Re: a simplistic X.509 certificates manager, please?

On 27.03.2012 16:48, Ivan Shmakov wrote:
>>>>>> Patrick Rauter<rauter@hs-weingarten.de> writes:
>>>>>> On 26.03.2012 16:28, Ivan Shmakov wrote:

>
> [...]
>
> >> * check all the X.509 certificate files (mostly PEM) specified for
> >> whether they're going to expire anytime soon, and produce a list
> >> thereof; (ideally, the list would include not just the filename, but
> >> also the Subject:, Issuer: and Serial: fields; preferably
> >> shortened);

>
> [...]
>
> > Not exactly what you are looking for, but we are using ICINGA's
> > "check_simap" command to monitor server certificates.
>
> > check_simap -S -D 30 -H $HOSTADDRESS$
>
> > will return an alert if the certificate has less than 30 days...
>
> > ssl-cert-check -s $HOSTADDRESS$ -p 443 -x 30 -n

>
> Actually, these two seem to fit (more or less) the first case
> above. Thanks!
>
> > will do the same for non simap servers.

>
> Are STARTTLS servers also supported?
>


As far as I understand this plugin, it just checks the response-string
from the mailserver and the expiration date of the certificate, so
starttls shouldn't be a problem.

HTH
