A Nagios plugin to check an X.509 certificate:

If you find this plugin useful you can help with a small contribution:


Usage: check_ssl_cert -H host [OPTIONS]

   -H,--host host             server

   -A,--noauth                ignore authority warnings (expiration only)
      --altnames              matches the pattern specified in -n with alternate
                              names too
   -C,--clientcert path       use client certificate to authenticate
      --clientpass phrase     set passphrase for client certificate.
   -c,--critical days         minimum number of days a certificate has to be valid
                              to issue a critical status
   --curl-bin path            path of the curl binary to be used
   --curl-user-agent string   user agent that curl shall use to obtain the issuer cert
   -d,--debug                 produces debugging output
   -e,--email address         pattern to match the email address contained in the
       --ecdsa                cipher selection: force ECDSA authentication
   -f,--file file             local file path (works with -H localhost only)
                              with -f you can not only pass a x509 certificate file
                              but also a certificate revocation list (CRL) to check
                              the validity period
      --file-bin path         path of the file binary to be used
      --fingerprint SHA1      pattern to match the SHA1-Fingerprint
      --force-perl-date       force the usage of Perl for date computations
      --format FORMAT         custom output format (e.g. "%SHORTNAME% OK %CN% from '%CA_ISSUER_MATCHED%'")
   -h,--help,-?               this help message
      --ignore-exp            ignore expiration date
      --ignore-sig-alg        do not check if the certificate was signed with SHA1
                              or MD5
      --ignore-ocsp           do not check revocation with OCSP
   -i,--issuer issuer         pattern to match the issuer of the certificate
      --issuer-cert-cache dir directory where to store issuer certificates cache
   -L,--check-ssl-labs grade  SSL Labs assestment
                              (please check https://www.ssllabs.com/about/terms.html)
      --ignore-ssl-labs-cache Forces a new check by SSL Labs (see -L)
      --long-output list      append the specified comma separated (no spaces) list
                              of attributes to the plugin output on additional lines
                              Valid attributes are:
                                enddate, startdate, subject, issuer, modulus,
                                serial, hash, email, ocsp_uri and fingerprint.
                              'all' will include all the available attributes.
   -n,--cn name               pattern to match the CN of the certificate (can be
                              specified multiple times)
      --no_ssl2               disable SSL version 2
      --no_ssl3               disable SSL version 3
      --no_tls1               disable TLS version 1
      --no_tls1_1             disable TLS version 1.1
      --no_tls1_2             disable TLS version 1.2
   -N,--host-cn               match CN with the host name
   -o,--org org               pattern to match the organization of the certificate
      --openssl path          path of the openssl binary to be used
   -p,--port port             TCP port
   -P,--protocol protocol     use the specific protocol
                              http:                    default
                              smtp,pop3,imap,ftp,ldap: switch to TLS
   -s,--selfsigned            allows self-signed certificates
      --serial serialnum      pattern to match the serial number
      --sni name              sets the TLS SNI (Server Name Indication) extension
                              in the ClientHello message to 'name'
      --ssl2                  forces SSL version 2
      --ssl3                  forces SSL version 3
      --require-ocsp-stapling require OCSP stapling
      --require-san           require the presence of a Subject Alternative Name
   -r,--rootcert path         root certificate or directory to be used for
                              certificate validation
       --rootcert-dir path    root directory to be used for certificate validation
       --rootcert-file path   root certificate to be used for certificate validation
       --rsa                  cipher selection: force RSA authentication
   -t,--timeout               seconds timeout after the specified time
                              (defaults to 15 seconds)
      --temp dir              directory where to store the temporary files
      --tls1                  force TLS version 1
      --tls1_1                force TLS version 1.1
      --tls1_2                force TLS version 1.2
      --tls1_3                force TLS version 1.3
   -v,--verbose               verbose output
   -V,--version               version
   -w,--warning days          minimum number of days a certificate has to be valid
                              to issue a warning status
      --xmpphost name         specifies the host for the 'to' attribute of the stream element

Deprecated options:
      --days days             minimum number of days a certificate has to be valid
                              (see --critical and --warning)
      --ocsp                  check revocation via OCSP
   -S,--ssl version           force SSL version (2,3)
                              (see: --ssl2 or --ssl3)

Report bugs to https://github.com/matteocorti/check_ssl_cert/issues


check_ssl_cert requires 'expect' to enable timouts. If expect is not present on your system timeouts will be disabled.

See: http://en.wikipedia.org/wiki/Expect

Perl and Date::Parse

If perl and Date::Parse are available the plugin will also compute for how many days the certificate will be valid and put the information in the performance data. If perl or Date::Parse are not available the information will not be available.

Virtual servers

check_ssl_client supports the servername TLS extension in ClientHello if the installed openssl version provides it. This is needed if you are checking a machine with virtual hosts.

SSL Labs

If -L or --check-ssl-labs are specified the plugin will check the cached status using the SSL Labs Assessment API.

The plugin will ask for a cached result (maximum age 1 day) to avoid to many checks. The first time you issue the check you could therefore get an outdated result.


the root certificate corresponding to the checked certificate must be available to openssl or specified with the '-r cabundle' or '--rootcert cabundle' option, where cabundle is either a file for -CAfile or a directory for -CApath.

On Mac OS X the root certificates bundle is stored in the Keychain and openssl will complain with:

verification error: unable to get local issuer certificate

The bundle can be extracted with:

$ sudo security find-certificate -a \
    -p /System/Library/Keychains/SystemRootCertificates.keychain > cabundle.crt