Check Certificate Revocation List

I couldn’t find any existing, working CRL check that could hit a URL and check the next update time on a CRL file. Also, I didn’t want to use any weird libraries other than curl and openssl. So I wrote this.

Download the script

Usage: ./check_crl_url -U <url> -w <days> -c <days>

Expected output looks like this:

CRL OK: Expires in 4 Day(s) 21 Hour(s) 55 Minute(s) 24 Second(s).

  6 comments for “Check Certificate Revocation List”

  1. 2015-05-11 at 13:34

    I received an error when configuring this. Error message: ‘CRL UNKNOWN: Couldn’t read CRL file.’

  2. 2015-05-11 at 14:15

    The URL you provide to the script should be the location of the CRL file.

  3. red
    2015-09-25 at 04:40

    I’ve done that but am still unable to get the CRL expiry, with the same error CRL Unknown. The location of the CRL is accessible via HTTP. Any idea?

    my service
    define service {
    use generic-service
    host_name crl
    service_description Check CRL comodoca PositiveSSLCA2
    check_command check_crl_url!http://EVIntl-crl.verisign.com/EVIntl2006.crl!15!10
    }

    my command
    # 'check_crl_url' command definition
    define command{
    command_name check_crl_url
    command_line $USER1$/check_crl_url -U $ARG3$ -w $ARG1$ -c $ARG2$
    }

  4. 2016-05-24 at 23:26

    It looks like you have your command arguments being passed in the wrong order. It seems to be working ok here:

    ./check_crl_url -U http://EVIntl-crl.verisign.com/EVIntl2006.crl -w 15 -c 10
    CRL CRITICAL: Expires in 6 Day(s) 14 Hour(s) 36 Minute(s) 48 Second(s).

  5. Jörgen
    2018-11-20 at 00:15

    Great script, works as intended, unless crit is set to 1 day and the expiry is less than two days, then the logic misses. If I change the if statement
    from: if [ "$DAYS" -lt "$CRIT_DAYS" ];
    to: if [ "$DAYS" -le "$CRIT_DAYS" ];
    the check works, but the side effect is that if the expiry date is 1 day 23 hours it gives a crit error if -c is set to 1

    Need more logic that uses hours and minutes also.

  6. Jörgen
    2018-11-20 at 00:46

    Maybe this will work (the warn if)?

    if [ "$DAYS" -gt "$CRIT_DAYS" ] && [ "$DAYS" -lt "$WARN_DAYS" ] || ( [ "$DAYS" -eq 1 ] && [ "$HOURS" -gt 0 ] && [ "$MINUTES" -gt 0 ] && [ "$SECONDS" -gt 0 ]);

    This in addition to my previous comment will catch the corner case where crit is 1 and expiry is 1 hour 23 min 12 sec
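
An added example (not the original script and not the commenters' code): comparing the time left until nextUpdate against the thresholds in whole seconds instead of whole days, which removes the truncation corner cases raised in comments 5 and 6. The function names are hypothetical, GNU date is assumed, and the CRL is assumed to be DER-encoded.

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical, not taken from check_crl_url.

# Convert an "openssl crl -noout -nextupdate" line to epoch seconds.
# Assumes GNU date (-d).
next_update_epoch() {
    local line="$1"
    date -u -d "${line#nextUpdate=}" +%s
}

# classify_crl <seconds_left> <warn_days> <crit_days>
# Prints a Nagios-style status line; returns 0 OK, 1 WARNING, 2 CRITICAL.
classify_crl() {
    local left="$1"
    local warn=$(( $2 * 86400 )) crit=$(( $3 * 86400 ))
    if [ "$left" -le 0 ]; then
        echo "CRL CRITICAL: nextUpdate has passed."
        return 2
    fi
    local d=$(( left / 86400 )) h=$(( left % 86400 / 3600 ))
    local m=$(( left % 3600 / 60 )) s=$(( left % 60 ))
    local when="Expires in $d Day(s) $h Hour(s) $m Minute(s) $s Second(s)."
    # Thresholds are compared in seconds, so 1 day 23 hours is not "1 day".
    if [ "$left" -lt "$crit" ]; then
        echo "CRL CRITICAL: $when"; return 2
    elif [ "$left" -lt "$warn" ]; then
        echo "CRL WARNING: $when"; return 1
    fi
    echo "CRL OK: $when"; return 0
}

# check_crl <url> <warn_days> <crit_days>: fetch, parse, classify.
check_crl() {
    local url="$1" line
    line=$(curl -fsS --max-time 30 "$url" |
           openssl crl -inform DER -noout -nextupdate 2>/dev/null) || {
        echo "CRL UNKNOWN: Couldn't read CRL file."; return 3; }
    classify_crl $(( $(next_update_epoch "$line") - $(date +%s) )) "$2" "$3"
}

# Run as a check only when called with: <url> <warn_days> <crit_days>
if [ "$#" -eq 3 ]; then
    check_crl "$@"
    exit $?
fi
```

With `-c 1`, a CRL expiring in 1 day 23 hours is reported as WARNING and one expiring in 1 hour 23 minutes 12 seconds as CRITICAL, with no special-casing of hours or minutes.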
