India English
Kenya English
United Kingdom English
South Africa English
Nigeria English
United States English
United States Español
Indonesia English
Bangladesh English
Egypt العربية
Tanzania English
Ethiopia English
Uganda English
Congo - Kinshasa English
Ghana English
Côte d’Ivoire English
Zambia English
Cameroon English
Rwanda English
Germany Deutsch
France Français
Spain Català
Spain Español
Italy Italiano
Russia Русский
Japan English
Brazil Português
Brazil Português
Mexico Español
Philippines English
Pakistan English
Turkey Türkçe
Vietnam English
Thailand English
South Korea English
Australia English
China 中文
Somalia English
Canada English
Canada Français
Netherlands Nederlands

Shell Scripting for Proactive Certificate Expiration Monitoring

Manually checking certificate expiration dates across multiple servers is tedious and prone to human error. Shell scripts come to the rescue, automating the process and providing an efficient way to stay ahead of potential security issues. Let’s learn how to build a shell script for this purpose.


  • OpenSSL: Most systems will have OpenSSL pre-installed.
  • Basic Shell Scripting Knowledge: Familiarity with loops, variables, and conditional statements is needed.
  • List of Servers: A text file containing the hostnames or IP addresses of the servers to check.

Sample Shell Script



# Path to your server list

# Loop through the list of servers
while read SERVER; do
  echo "------ Checking expiration for $SERVER ------"

  # Extract the expiration date with OpenSSL
  EXPIRATION_DATE=$(openssl s_client -servername $SERVER -connect $SERVER:443 2>/dev/null </dev/null |\
                    openssl x509 -noout -enddate | sed -e 's#notAfter=##')

  # Convert the expiration date into Epoch time for comparison
  CURRENT_SECONDS=$(date +%s)

  # Set a warning threshold 

  # Output and alerts 
  if [ $DAYS_TO_EXPIRE -lt 0 ]; then
    echo "  EXPIRED! Please renew the certificate."
    echo "  WARNING: Certificate expires in $DAYS_TO_EXPIRE days."
    echo "  Certificate is valid."

done < $SERVER_LIST 


  1. Shebang (#!/bin/bash): Indicates the script should be executed with the Bash interpreter.
  2. Variables: Stores the server list path and a warning threshold for expiring certificates.
  3. Loop: Iterates over each server in your server_list.txt file.
  4. OpenSSL Commands: Extracts the certificate’s expiration date information.
  5. Date Conversion: Converts the expiration date to Unix Epoch time (seconds since January 1st, 1970) for easy calculations.
  6. Calculating Days Remaining: Determines the number of days until the certificate expires.
  7. Conditional Output: Provides status messages, indicating expired or soon-to-expire certificates.

How to Use the Script

  1. Modify Variables: Edit the SERVER_LIST and WARNING_THRESHOLD variables to match your setup.
  2. Server List: Create a file (e.g., server_list.txt) with one server hostname or IP address per line.
  3. Execute: Make the script executable (chmod +x and run it (./


  • Email Notifications: Integrate email sending (e.g., using the mail command) to receive alerts.
  • Customizable Thresholds: Allow the warning threshold to be passed in as a command-line argument.
  • Logging: Record the results in a log file for auditing.

Read also:


Enjoy this blog? Please spread the word :)