
We use bash scripts and the openssl command line tool to maintain our internal PKI chain; this was the first thing that came to mind when scripting the auto-renewal procedures:

is_cert_valid () {
    # $1: PEM cert to check, $2: PEM cert chain to check it against,
    # $3: Unix timestamp (seconds since the epoch) at which validity is evaluated
    local signed="$1" signer="$2" at_time="$3"
    # The exit status of openssl verify becomes the function's result
    openssl verify -attime "$at_time" -CAfile "$signer" "$signed"
}

However, the exit code for openssl verify does not reflect the validity of the given certificate, but (as far as I understand it) whether the command failed to perform the check.

How would one go about rewriting is_cert_valid so that it becomes usable in bash if statements? Assuming such a thing is possible without using other programming languages like Python or C.

Facundo
  • I don't think this is really a programming question, but if you only care about expiration and not other kinds of invalidity like revocation, see https://stackoverflow.com/questions/21297853/how-to-determine-ssl-cert-expiration-date- (also marked off-topic) – dave_thompson_085 Nov 14 '18 at 03:42

1 Answer


This method works for validating partial chains, and the parsing part is quite trivial. It also works for CAs: just pass the same certificate for the signer and the signed.

is_cert_valid () {
    # $1: PEM file with the trusted signer, $2: PEM cert to check,
    # $3: offset in seconds from now at which validity is evaluated
    local signer="$1" signed="$2" at_time_offset="$3" output
    # -no-CAfile/-no-CApath (OpenSSL 1.1.0+) skip the system trust store, so
    # only $signer can vouch for $signed; -partial_chain lets an intermediate
    # (or the certificate itself) act as the trust anchor.
    # Both the exit status and the literal "<file>: OK" line are required,
    # since older OpenSSL exits 0 even when verification fails.
    if output="$(openssl verify \
                    -no-CAfile -no-CApath \
                    -attime "$(( at_time_offset + $(date +%s) ))" \
                    -partial_chain \
                    -trusted "$signer" \
                    "$signed" \
            )" &&
        [[ "$output" == "$signed: OK" ]]; then
        return 0
    fi
    return 1
}
Facundo
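The following script is an added example, not code from the question or the answer above. It applies the same idea (trust neither the exit status nor the output alone, pin the trust anchor with -trusted, move the clock with -attime) and extends it to the renewal decision the question is about, using openssl x509 -checkend to ask whether a certificate expires within a window. The throwaway CA and leaf certificate, the config file and all file names are constructed for the demo; the script assumes an OpenSSL 1.1.0 or newer command line tool (for -no-CAfile, -no-CApath and -partial_chain).

```shell
#!/usr/bin/env bash
# Added example (not from the question or the answer). Written in POSIX-
# compatible shell so it runs under bash or dash. Assumes OpenSSL 1.1.0+.

# is_cert_valid SIGNER SIGNED [OFFSET_SECONDS]
#   SIGNER  PEM file holding the trusted issuer (an intermediate is fine;
#           pass the same file as SIGNED to check a CA against itself)
#   SIGNED  PEM file to verify
#   OFFSET  seconds added to the current time before checking (may be negative)
# Returns 0 only when openssl verify exited 0 AND printed "<file>: OK".
is_cert_valid() {
    local signer="$1" signed="$2" offset="${3:-0}" output
    output="$(openssl verify \
                -no-CAfile -no-CApath \
                -partial_chain \
                -trusted "$signer" \
                -attime "$(( $(date +%s) + offset ))" \
                "$signed")" || return 1
    # OpenSSL 1.0.x exits 0 even on a failed verification, so the exit status
    # is necessary but not sufficient; the "OK" line is the actual result.
    [ "$output" = "$signed: OK" ]
}

# needs_renewal CERT WINDOW_SECONDS
# Returns 0 when CERT expires within WINDOW_SECONDS (time to renew), else 1.
needs_renewal() {
    local cert="$1" window="$2"
    # -checkend exits 0 if the cert is still valid at now+window, 1 if not.
    if openssl x509 -noout -in "$cert" -checkend "$window" >/dev/null; then
        return 1
    fi
    return 0
}

# make_demo_pki DIR: constructed throwaway root CA (365 days) and a leaf it
# signs (30 days). Exists only so the functions above can be exercised offline.
make_demo_pki() {
    local dir="$1"
    cat > "$dir/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
EOF
    # Self-signed root with CA extensions (P-256 keys keep the demo fast).
    openssl req -x509 -config "$dir/demo.cnf" -extensions ca_ext \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 \
        -days 365 -subj "/CN=Demo Internal Root" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # Leaf CSR, then sign it with the root for 30 days.
    openssl req -new -config "$dir/demo.cnf" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 \
        -subj "/CN=service.demo.internal" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -sha256 \
        -extfile "$dir/demo.cnf" -extensions leaf_ext \
        -out "$dir/leaf.pem" 2>/dev/null
}

# demo: build the constructed PKI in a temp dir and print a renewal report.
demo() {
    local dir offset
    dir="$(mktemp -d)"
    make_demo_pki "$dir"
    for offset in -86400 0 $(( 29 * 86400 )) $(( 31 * 86400 )); do
        if is_cert_valid "$dir/ca.pem" "$dir/leaf.pem" "$offset"; then
            echo "offset ${offset}s: leaf valid"
        else
            echo "offset ${offset}s: leaf NOT valid"
        fi
    done
    if needs_renewal "$dir/leaf.pem" $(( 7 * 86400 )); then
        echo "leaf expires within 7 days: renew now"
    else
        echo "leaf has more than 7 days left: no action"
    fi
    rm -rf "$dir"
}

demo
```

Running the script prints the four -attime probes (one day ago: not yet valid; now and 29 days out: valid; 31 days out: expired) followed by the renewal verdict for a 7-day window. The failure reasons openssl prints to stderr (for example "certificate has expired") are deliberately left visible, since an operator debugging a renewal job wants them. As the comment under the question notes, shifting the clock with -attime only exercises the validity period: revocation is not checked by either function.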