check_ssl_cert.1

.\" Process this file with
.\" groff -man -Tascii foo.1
.\"
.TH "check_ssl_cert" 1 "April, 2018" "1.67.0" "USER COMMANDS"
.SH NAME
check_ssl_cert \- checks the validity of X.509 certificates
.SH SYNOPSIS
.BR "check_ssl_cert " "-H host [OPTIONS]"
.SH DESCRIPTION
.B check_ssl_cert
A Nagios plugin to check an X.509 certificate:
 - checks if the server is running and delivers a valid certificate
 - checks if the CA matches a given pattern
 - checks the validity
.SH ARGUMENTS
.TP
.BR "-H,--host" " host"
server
.SH OPTIONS
.TP
.BR "-A,--noauth"
ignore authority warnings (expiration only)
.TP
.BR "   --altnames"
matches the pattern specified in -n with alternate names too
.TP
.BR "-C,--clientcert" " path"
use client certificate to authenticate
.TP
.BR "   --clientpass" " phrase"
set passphrase for client certificate.
.TP
.BR "-c,--critical" " days"
minimum number of days a certificate has to be valid to issue a critical status
.TP
.BR "   --curl-bin" " path"
path of the curl binary to be used"
.TP
.BR "-d,--debug"
produces debugging output
.TP
.BR "   --ecdsa"
cipher selection: force ECDSA authentication
.TP
.BR "-e,--email" " address"
pattern to match the email address contained in the certificate
.TP
.BR "-f,--file" " file"
local file path (works with -H localhost only) with -f you can not only pass a x509 certificate file but also a certificate revocation list (CRL) to check the validity period
.TP
.BR "   --file-bin" " path"
path of the file binary to be used
.TP
.BR "   --fingerprint" " SHA1"
pattern to match the SHA1-Fingerprint
.TP
.BR "   --force-perl-date"
force the usage of Perl for date computations
.TP
.BR "   --format" " FORMAT"
custom output format (e.g. "%SHORTNAME% OK %CN% from '%CA_ISSUER_MATCHED%'")
.TP
.BR "-h,--help,-?"
this help message
.TP
.BR "   --ignore-exp"
ignore expiration date
.TP
.BR "   --ignore-ocsp"
do not check revocation with OCSP
.TP
.BR "   --ignore-sig-alg"
do not check if the certificate was signed with SHA1 or MD5
.TP
.BR "   --ignore-ssl-labs-cache"
Forces a new check by SSL Labs (see -L)
.TP
.BR "   --issuer-cert-cache" " dir"
directory where to store issuer certificates cache
.TP
.BR "-i,--issuer" " issuer"
pattern to match the issuer of the certificate
.TP
.BR "-L,--check-ssl-labs grade"
SSL Labs assestment (please check https://www.ssllabs.com/about/terms.html)
.TP
.BR "   --long-output" " list"
append the specified comma separated (no spaces) list of attributes to the plugin output on additional lines.
Valid attributes are: enddate, startdate, subject, issuer, modulus, serial, hash, email, ocsp_uri and fingerprint. 'all' will include all the available attributes.
.TP
.BR "-n,--cn" " name"
pattern to match the CN of the certificate (can be specified multiple times)
.TP
.BR "   --no_ssl2"
disable SSL version 2
.TP
.BR "   --no_ssl3"
disable SSL version 3
.TP
.BR "   --no_tls1"
disable TLS version 1
.TP
.BR "   --no_tls1_1"
disable TLS version 1.1
.TP
.BR "   --no_tls1_2"
disable TLS version 1.2
.TP
.BR "-N,--host-cn"
match CN with the host name
.TP
.BR "-o,--org" " org"
pattern to match the organization of the certificate
.TP
.BR "   --openssl" " path"
path of the openssl binary to be used
.TP
.BR "-p,--port" " port"
TCP port
.TP
.BR "-P,--protocol" " protocol"
use the specific protocol: http (default), irc or smtp,pop3,imap,ftp,ldap (switch to TLS)
.TP
.BR "-s,--selfsigned"
allows self-signed certificates
.TP
.BR "   --serial serialnum"
pattern to match the serial number
.TP
.BR "   --sni name"
sets the TLS SNI (Server Name Indication) extension in the ClientHello message to 'name'
.TP
.BR "   --ssl2"
force SSL version 2
.TP
.BR "   --ssl3"
force SSL version 3
.TP
.BR "   --require-san"
require the presence of a Subject Alternative Name extension
.TP
.BR "-r,--rootcert" " cert"
root certificate or directory to be used for certficate validation (passed to openssl's -CAfile or -CApath)
.TP
.BR "   --rsa"
cipher selection: force RSA authentication
.TP
.BR "   --temp" " dir"
directory where to store the temporary files
.TP
.BR "   --terse"
terse output (also see --verbose) 
.TP
.BR "-t,--timeout"
seconds timeout after the specified time (defaults to 15 seconds)
.TP
.BR "   --tls1"
force TLS version 1
.TP
.BR "   --tls1_1"
force TLS version 1.1
.TP
.BR "   --tls1_2"
force TLS version 1.2
.TP
.BR "   --tls1_3"
force TLS version 1.3
.TP
.BR "-v,--verbose"
verbose output (also see --terse)
.TP
.BR "-V,--version"
version
.TP
.BR "-w,--warning" " days"
minimum number of days a certificate has to be valid to issue a warning status
.TP
.BR "   --xmpphost" " name"
specifies the host for the "to" attribute of the stream element
.SH DEPRECATED OPTIONS
.TP
.BR "-d,--days" " days"
minimum number of days a certificate has to be valid (see --critical and --warning)
.TP
.BR "   --ocsp"
check revocation via OCSP
.TP
.BR "-S,--ssl" " version"
force SSL version (2,3) (see: --ssl2 or --ssl3)

.SH MULTIPLE CERTIFICATES
If the host has multiple certificates and the installed openssl version supports the -servername option it is possible to specify the TLS SNI (Server Name Idetificator) with the -N (or --host-cn) option.

.SH "SEE ALSO"
x509(1), openssl(1), expect(1), timeout(1)
.SH "EXIT STATUS"
check_ssl_cert returns a zero exist status if it finds no errors, 1 for warnings, 2 for a critical errors and 3 for unknown problems
.SH BUGS
Please report bugs to:

https://github.com/matteocorti/check_ssl_cert/issues
.SH AUTHOR
Matteo Corti (matteo (at) corti.li )
See the AUTHORS file for the complete list of contributors