Provided by: nagios-plugins-contrib_25.20191015+1ubuntu1_amd64

NAME

       check_ssl_cert - checks the validity of X.509 certificates

SYNOPSIS

       check_ssl_cert -H host [OPTIONS]

DESCRIPTION

       check_ssl_cert is a Nagios plugin to check an X.509 certificate:
        - checks if the server is running and delivers a valid certificate
        - checks if the CA matches a given pattern
        - checks the validity

ARGUMENTS

       -H,--host host
              server

OPTIONS

       -A,--noauth
              ignore authority warnings (expiration only)

          --altnames
              matches the pattern specified in -n with alternate names too

       -C,--clientcert path
              use client certificate to authenticate

          --clientpass phrase
              set passphrase for client certificate.

       -c,--critical days
              minimum number of days a certificate has to be valid to issue a critical status

          --curl-bin path
              path of the curl binary to be used

          --curl-user-agent string
              user agent that curl shall use to obtain the issuer cert

       -d,--debug
              produces debugging output

          --ecdsa
              cipher selection: force ECDSA authentication

       -e,--email address
              pattern to match the email address contained in the certificate

       -f,--file file
              local file path (works with -H localhost only). With -f you can pass not only an
              X.509 certificate file but also a certificate revocation list (CRL) to check the
              validity period

          --file-bin path
              path of the file binary to be used

          --fingerprint SHA1
              pattern to match the SHA1-Fingerprint

          --force-perl-date
              force the usage of Perl for date computations

          --format FORMAT
              custom output format (e.g. "%SHORTNAME% OK %CN% from '%CA_ISSUER_MATCHED%'")

       -h,--help,-?
              this help message

          --http-use-get
              use GET instead of HEAD (default) for the HTTP related checks

          --ignore-exp
              ignore expiration date

          --ignore-ocsp
              do not check revocation with OCSP

          --ignore-sig-alg
              do not check if the certificate was signed with SHA1 or MD5

          --ignore-ssl-labs-cache
              Forces a new check by SSL Labs (see -L)

          --issuer-cert-cache dir
              directory where to store issuer certificates cache

       -i,--issuer issuer
              pattern to match the issuer of the certificate

       -K,--clientkey path
              use client certificate key to authenticate

       -L,--check-ssl-labs grade
              SSL Labs assessment (please check https://www.ssllabs.com/about/terms.html)

          --check-ssl-warn-labs grade
              SSL Labs grade on which to warn

          --long-output list
              append  the  specified comma separated (no spaces) list of attributes to the plugin
              output on additional lines.  Valid attributes  are:  enddate,  startdate,  subject,
              issuer,  modulus, serial, hash, email, ocsp_uri and fingerprint. 'all' will include
              all the available attributes.

       -n,--cn name
              pattern to match the CN of the certificate (can be specified multiple times)

          --no_ssl2
              disable SSL version 2

          --no_ssl3
              disable SSL version 3

          --no_tls1
              disable TLS version 1

          --no_tls1_1
              disable TLS version 1.1

          --no_tls1_3
              disable TLS version 1.3

          --no_tls1_2
              disable TLS version 1.2

       -N,--host-cn
              match CN with the host name

          --ocsp-critical hours
              minimum number of hours an OCSP response has to be valid to issue a critical status

          --ocsp-warning hours
              minimum number of hours an OCSP response has to be valid to issue a warning status

       -o,--org org
              pattern to match the organization of the certificate

          --openssl path
              path of the openssl binary to be used

       -p,--port port
              TCP port

       -P,--protocol protocol
              use the specific protocol: ftp, ftps, http (default), imap, imaps, irc, ircs, ldap,
              ldaps, pop3, pop3s, smtp, smtps, xmpp.
              These protocols switch to TLS using StartTLS: ftp, imap, irc, ldap, pop3, smtp.

       -s,--selfsigned
              allows self-signed certificates

          --serial serialnum
              pattern to match the serial number

          --sni name
              sets  the  TLS SNI (Server Name Indication) extension in the ClientHello message to
              'name'

          --ssl2
              force SSL version 2

          --ssl3
              force SSL version 3

          --require-ocsp-stapling
              require OCSP stapling

          --require-san
              require the presence of a Subject Alternative Name extension

       -r,--rootcert cert
              root certificate or directory to be used  for  certificate  validation  (passed  to
              openssl's -CAfile or -CApath)

          --rootcert-dir dir
              root  directory to be used for certificate validation (passed to openssl's -CApath)
              overrides option -r,--rootcert

          --rootcert-file cert
              root certificate to  be  used  for  certificate  validation  (passed  to  openssl's
              -CAfile) overrides option -r,--rootcert

          --rsa
              cipher selection: force RSA authentication

          --temp dir
              directory where to store the temporary files

          --terse
              terse output (also see --verbose)

       -t,--timeout
              time out after the specified number of seconds (defaults to 15 seconds)

          --tls1
              force TLS version 1

          --tls1_1
              force TLS version 1.1

          --tls1_2
              force TLS version 1.2

          --tls1_3
              force TLS version 1.3

       -v,--verbose
              verbose output (also see --terse)

       -V,--version
              version

       -w,--warning days
              minimum number of days a certificate has to be valid to issue a warning status

          --xmpphost name
              specifies the host for the "to" attribute of the stream element

       -4     forces IPv4

       -6     forces IPv6

DEPRECATED OPTIONS

       -d,--days days
              minimum number of days a certificate has to be valid (see --critical and --warning)

          --ocsp
              check revocation via OCSP

       -S,--ssl version
              force SSL version (2,3) (see: --ssl2 or --ssl3)

MULTIPLE CERTIFICATES

       If the host has multiple certificates and the installed openssl version supports the
       -servername option, it is possible to specify the TLS SNI (Server Name Indication) with
       the -N (or --host-cn) option.

SEE ALSO

       x509(1), openssl(1), expect(1), timeout(1)

EXIT STATUS

       check_ssl_cert returns a zero exit status if it finds no errors, 1 for warnings, 2 for
       critical errors and 3 for unknown problems.
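
       The following is an added example, not part of the check_ssl_cert distribution: it
       sweeps several endpoints and folds the exit statuses listed above into one result.
       The host names, thresholds, the CHECK_SSL_CERT variable and the severity ordering
       are assumptions.

```shell
#!/bin/sh
# Added example: sweep TLS endpoints with check_ssl_cert and fold the per-host
# exit statuses (0 ok, 1 warning, 2 critical, 3 unknown) into a single status.
# CHECK_SSL_CERT, the thresholds and the inventory below are assumptions.
CHECK_SSL_CERT="${CHECK_SSL_CERT:-check_ssl_cert}"
WARN_DAYS=30
CRIT_DAYS=7

# Constructed sample inventory: host, port, protocol (values accepted by -P).
INVENTORY='www.example.com 443 http
mail.example.com 25 smtp
ldap.example.com 636 ldaps'

# Any status outside 0..3 (127 = plugin not found, 126 = not executable,
# >128 = killed by a signal) means the check did not run: report it as unknown.
normalise_status() {
    case "$1" in
        0|1|2|3) echo "$1" ;;
        *)       echo 3 ;;
    esac
}

# Severity rank for aggregation (assumption): critical > unknown > warning > ok,
# so a check that could not run is never hidden behind a warning.
rank() {
    case "$1" in 2) echo 3 ;; 3) echo 2 ;; 1) echo 1 ;; *) echo 0 ;; esac
}

# Read "host port protocol" lines on stdin, run the plugin for each one and
# print the worst status. Plugin output goes to stderr; the plugin's stdin is
# /dev/null so it cannot swallow the rest of the inventory.
sweep() {
    worst=0
    while read -r host port proto; do
        [ -n "$host" ] || continue
        st=0
        "$CHECK_SSL_CERT" -H "$host" -p "$port" -P "$proto" \
            -w "$WARN_DAYS" -c "$CRIT_DAYS" --require-san </dev/null >&2 || st=$?
        st=$(normalise_status "$st")
        if [ "$(rank "$st")" -gt "$(rank "$worst")" ]; then worst=$st; fi
    done
    echo "$worst"
}

# Usage: exit "$(printf '%s\n' "$INVENTORY" | sweep)"
```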

BUGS

       Please report bugs to:

       https://github.com/matteocorti/check_ssl_cert/issues

AUTHOR

       Matteo Corti (matteo (at) corti.li). See the AUTHORS file for the complete list of
       contributors.