Bi-monthly SSL certificate update

About once every other month I’ve accumulated a list of SSL certificates that must be renewed. Now, all experience has shown that it’s a good idea to verify that the service in question is actually using the renewed certificate. I’ve updated the wrong configuration file; I’ve forgotten to restart services so they re-read the certificate; and I’ve had services claim to have reloaded the new configuration while in reality still running with the old certificate. As a result I’ve picked up the habit of always checking that the new certificate is actually the one being used. For HTTPS this is simple enough: every browser I use has an easy way of showing the expiry date of a site’s certificate. But what about SMTPS, IMAPS or POP3S (or SMTP, IMAP or POP3 with STARTTLS)? I know there’s a way, but I always forget and have to ask Google. Well, not any more. Here’s how to fetch the certificate for such services:

IMAPS

echo | \
openssl s_client -connect imap.example.com:993 -crlf 2>&1 | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert

IMAP with STARTTLS

echo | \
openssl s_client -starttls imap -connect imap.example.com:143 -crlf 2>&1 | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert

POP3S

echo | \
openssl s_client -connect pop3.example.com:995 -crlf 2>&1 | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert

POP3 with STARTTLS

echo | \
openssl s_client -starttls pop3 -connect pop3.example.com:110 -crlf 2>&1 | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert

SMTPS

echo | \
openssl s_client -connect smtp.example.com:465 -crlf 2>&1 | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert

SMTP with STARTTLS

echo | \
openssl s_client -starttls smtp -connect smtp.example.com:587 -crlf 2>&1 | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert

Once you’ve got the certificate (the above commands store it in a file named cert in the current working directory), use the following command to extract the expiry date. Note that 2>&1 merges openssl’s error messages into the captured output, so if the connection or the TLS handshake failed the cert file is simply empty and openssl x509 will complain that it is unable to load a certificate; an empty file means the fetch failed, not that the certificate is fine.

openssl x509 -in cert -noout -enddate

Sample output

notAfter=May 13 21:22:55 2012 GMT
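The three steps above (fetch the certificate, keep the PEM block, read its expiry) as one script that walks a list of mail services and warns when a certificate expires within a threshold. This is an added example, not a script from the original post; the host names are placeholders as in the post, the 30-day threshold is my choice, and it assumes openssl and awk are on the path. It differs from the one-liners in three ways: it sends the host name as SNI with -servername, so a server hosting several names on one address returns the certificate for the name being checked; it keeps only the first (leaf) certificate, so it still works if -showcerts is added; and an empty result is reported as a fetch error instead of being handed to openssl x509.

```shell
#!/bin/sh
# Added example (not from the original post): report the expiry of the
# certificate each mail service actually presents on the wire.
# Host names in the usage line are placeholders; WARN_DAYS is an assumed default.

WARN_DAYS=${WARN_DAYS:-30}

# Read openssl s_client output on stdin and print only the first PEM block,
# i.e. the server's own certificate; print nothing if there is none.
first_pem() {
    awk '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/ { print; if (/-END CERTIFICATE-/) exit }'
}

# fetch_cert HOST PORT [STARTTLS_PROTO]
# Empty third argument: implicit TLS (993, 995, 465).
# Otherwise upgrade a plaintext session with STARTTLS (imap, pop3, smtp).
fetch_cert() {
    host=$1 port=$2 proto=$3
    if [ -n "$proto" ]; then
        set -- -starttls "$proto"
    else
        set --
    fi
    echo | openssl s_client -connect "$host:$port" -servername "$host" "$@" -crlf 2>&1 | first_pem
}

# check_pem FILE DAYS
# Exit status: 0 = still valid DAYS days from now, 1 = expires sooner (or has
# already expired), 2 = FILE holds no certificate, i.e. the fetch failed.
check_pem() {
    file=$1 days=$2
    grep -q -- '-BEGIN CERTIFICATE-' "$file" 2>/dev/null || return 2
    # -checkend N exits 0 if the certificate is still valid N seconds from now.
    openssl x509 -in "$file" -noout -checkend "$((days * 86400))" >/dev/null
}

# check_service HOST PORT [STARTTLS_PROTO]: fetch, print a one-line verdict
# with the notAfter date, and return check_pem's status.
check_service() {
    tmp=$(mktemp) || return 2
    fetch_cert "$1" "$2" "$3" > "$tmp"
    rc=0
    check_pem "$tmp" "$WARN_DAYS" || rc=$?
    case $rc in
        0) echo "OK       $1:$2 $(openssl x509 -in "$tmp" -noout -enddate)" ;;
        1) echo "EXPIRING $1:$2 $(openssl x509 -in "$tmp" -noout -enddate)" ;;
        *) echo "ERROR    $1:$2 no certificate received" ;;
    esac
    rm -f "$tmp"
    return $rc
}

# Usage: ./check-mail-certs.sh HOST:PORT[:STARTTLS_PROTO] ...
# e.g.   ./check-mail-certs.sh imap.example.com:993 imap.example.com:143:imap \
#            pop3.example.com:995 smtp.example.com:465 smtp.example.com:587:smtp
main() {
    status=0
    for spec in "$@"; do
        host=${spec%%:*}
        rest=${spec#*:}
        port=${rest%%:*}
        proto=${rest#"$port"}
        proto=${proto#:}
        case $port in
            ''|*[!0-9]*) echo "bad spec: $spec"; status=1; continue ;;
        esac
        check_service "$host" "$port" "$proto" || status=1
    done
    return $status
}

# Only contact servers when service specs are given on the command line.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The script exits non-zero if any service is expiring, expired or unreachable, so it can run from cron as a reminder. openssl s_client prints only the server's own certificate unless -showcerts is given; either way first_pem keeps just the leaf, which is the one whose expiry matters here. If a host listens on a port but never answers, s_client will wait for the TLS or STARTTLS exchange; wrapping the call in a timeout command is a sensible addition where one is available.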

Simple as that…