https://www.davidgouveia.net/2013/07/simple-script-to-check-expiry-dates-on-a-java-keystore-jks-file/
./checkCertificate --keystore [YOUR_KEYSTORE_FILE] --password [YOUR_PASSWORD] --threshold [THRESHOLD_IN_DAYS]
Very useful, and can also be integrated with Nagios.
I made some small adjustments to allow you to automatically delete expired certs. I also changed the timeout command, as it wasn't working on my RHEL 6.
./checkCertificate --keystore [YOUR_KEYSTORE_FILE] --password [YOUR_PASSWORD] --threshold [THRESHOLD_IN_DAYS] [--delete-expired]
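#!/usr/bin/env bash
########################################################
#
# Check certificates inside a java keystore
#
# Lists every alias in a keystore with keytool and reports the entries
# whose "until:" date falls within THRESHOLD_IN_DAYS. The script relies on
# bash features (`function`, `[[ =~ ]]`) and on enhanced getopt long
# options, so the shebang names bash explicitly instead of /bin/sh.
#
########################################################
#TIMEOUT="timeout -k 10s 5s "
# Every keytool invocation is wrapped in a timeout so that a stalled
# keystore (or keytool waiting on a prompt) cannot hang the check forever.
TIMEOUT="timeout 10s "
# Expanded unquoted later on purpose: "timeout 10s keytool" must word-split.
KEYTOOL="$TIMEOUT keytool"
THRESHOLD_IN_DAYS="30"   # overridden by -t/--threshold
KEYSTORE=""              # set by -k/--keystore; mandatory
PASSWORD=""              # keytool password option words, set by -p/--password
DELETE_EXPIRED=false     # set to true by --delete-expired
RET=0                    # intended exit status: 1 once any certificate is inside the threshold
# Normalise the command line with enhanced (util-linux) getopt.
# A rejected option used to be ignored here and parsing continued; it is
# now fatal, because a silently dropped option (e.g. --delete-expired)
# would make the check run with settings the caller did not ask for.
ARGS=$(getopt -o "p:k:t:" -l "password:,keystore:,threshold:,delete-expired" -n "$0" -- "$@") || {
  echo "Usage: $0 --keystore [KEYSTORE_FILE] --password [PASSWORD] --threshold [THRESHOLD_IN_DAYS] [--delete-expired]" >&2
  exit 1
}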
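#######################################
# Print the command line synopsis and stop.
# The original echo line was unterminated (the text after "--keystore" was
# lost), which made the script a syntax error under bash.
# Globals:   none
# Outputs:   synopsis on stderr, so it never mixes with check output
# Returns:   exits 1 - a misused check must not report success (e.g. to Nagios)
#######################################
function usage {
  echo "Usage: $0 --keystore [KEYSTORE_FILE] --password [PASSWORD] --threshold [THRESHOLD_IN_DAYS] [--delete-expired]" >&2
  exit 1
}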
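#######################################
# Walk every alias in $KEYSTORE, report the certificates whose "until:" date
# is closer than THRESHOLD_IN_DAYS and, on request, delete the ones that
# have already expired.
# Globals:   KEYTOOL, KEYSTORE, PASSWORD, THRESHOLD_IN_DAYS, DELETE_EXPIRED (read)
#            RET (written)
# Outputs:   one [OK]/[WARNING]/[ERROR] line per alias on stdout
# Returns:   exits 0 when every certificate is outside the threshold,
#            1 when any is inside it, cannot be parsed, or the keystore
#            cannot be opened
#######################################
function start {
  local current threshold alias valid_line expires_at until_seconds remaining_days
  current=$(date +%s)
  threshold=$((current + (THRESHOLD_IN_DAYS * 24 * 60 * 60)))
  if ((threshold <= current)); then
    echo "[ERROR] Invalid date."
    exit 1
  fi
  echo "Looking for certificates inside the keystore $(basename "$KEYSTORE") expiring in $THRESHOLD_IN_DAYS day(s)...Deleting Expired $DELETE_EXPIRED"
  # $KEYTOOL and $PASSWORD are intentionally unquoted: the first is
  # "timeout ... keytool", the second is empty or the -storepass option words
  # built by the option parser, and both must word-split.
  # "2>&1 >/dev/null" keeps keytool's own error text while dropping the listing.
  if ! $KEYTOOL -list -v -keystore "$KEYSTORE" $PASSWORD 2>&1 >/dev/null; then
    echo "Error opening the keystore."
    exit 1
  fi
  # The alias list is fed through process substitution, not a pipe, so the
  # loop body runs in this shell: piped into `while`, the RET=1 below was
  # set in a subshell and the script always exited 0, i.e. never alerted.
  # "-v" prints one "Alias name: <alias>" line per entry; the whole remainder
  # of the line is taken because an alias may itself contain spaces.
  while IFS= read -r alias; do
    [[ -n "$alias" ]] || continue
    # Only the first "Valid from: ... until: ..." line is used: keytool lists
    # the entry's own certificate first, and a PrivateKeyEntry is followed by
    # the rest of its chain, whose dates are not the ones being checked.
    valid_line=$($KEYTOOL -list -v -keystore "$KEYSTORE" $PASSWORD -alias "$alias" | grep Valid | head -n 1)
    if [[ "$valid_line" != *"until: "* ]]; then
      echo "[ERROR] Cannot determine the expiry date of certificate $alias."
      RET=1
      continue
    fi
    expires_at=${valid_line#*until: }
    # GNU date syntax; keytool prints the date in the JVM's locale, which
    # date(1) must be able to parse, otherwise the entry is reported as an error
    # instead of feeding an empty value into the arithmetic below.
    until_seconds=$(date -d "$expires_at" +%s 2>/dev/null)
    if [[ -z "$until_seconds" ]]; then
      echo "[ERROR] Cannot parse the expiry date of certificate $alias ('$expires_at')."
      RET=1
      continue
    fi
    remaining_days=$(( (until_seconds - current) / 60 / 60 / 24 ))
    if ((threshold <= until_seconds)); then
      echo "[OK] Certificate $alias expires in '$expires_at' ($remaining_days day(s) remaining)."
    else
      echo "[WARNING] Certificate $alias expires in '$expires_at' ($remaining_days day(s) remaining)."
      # Deletion is opt-in and limited to entries already past their expiry;
      # a failed delete is reported rather than silently ignored.
      if [[ "$DELETE_EXPIRED" == true ]] && ((remaining_days < 0)); then
        $KEYTOOL -delete -v -keystore "$KEYSTORE" -alias "$alias" $PASSWORD \
          || echo "[ERROR] Could not delete certificate $alias."
      fi
      RET=1
    fi
  done < <($KEYTOOL -list -v -keystore "$KEYSTORE" $PASSWORD | sed -n 's/^Alias name: //p')
  echo "Finished..."
  exit "$RET"
}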
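# getopt has already validated and shell-quoted the options; eval re-splits
# its output into the positional parameters consumed below.
eval set -- "$ARGS"
while true; do
  case "$1" in
    -p|--password)
      if [[ -n "$2" ]]; then
        # Hand the password to keytool through the environment
        # (-storepass:env) instead of its argv, where `ps` would show it to
        # every user on the host. PASSWORD stays an unquoted pair of option
        # words so the keytool calls in start() need no change.
        export STOREPASS="$2"
        PASSWORD=" -storepass:env STOREPASS"
      else
        echo "Invalid password"; exit 1
      fi
      shift 2;;
    -k|--keystore)
      # $2 is the path the user gave; $1 is only the option name.
      if [[ ! -f "$2" ]]; then echo "Keystore not found: $2"; exit 1; else KEYSTORE=$2; fi
      shift 2;;
    -t|--threshold)
      if [[ -n "$2" && $2 =~ ^[0-9]+$ ]]; then THRESHOLD_IN_DAYS=$2; else echo "Invalid threshold"; exit 1; fi
      shift 2;;
    --delete-expired)
      DELETE_EXPIRED=true
      shift 1;;
    --)
      shift
      break;;
    *)
      # Without a default arm an unexpected token (e.g. an empty $ARGS when
      # getopt is unavailable) matched nothing and the loop never ended.
      echo "Unknown option: $1"; exit 1;;
  esac
done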
# The keystore path is the only mandatory argument; without it there is
# nothing to check, so the synopsis is shown instead of running the check.
if [[ -z "$KEYSTORE" ]]; then
  usage
else
  start
fi