"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
]>
<refentry>
<refentryinfo>
<date>&dat;;</date>
<title>Cryptography Utilities</title>
<productname>crypto-utils</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>certwatch</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>certwatch</refname>
<refpurpose>generate SSL certificate expiry warnings</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>certwatch</command>
<arg choice="opt">OPTION...</arg>
<arg choice="plain"><replaceable>filename</replaceable></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>The <command>certwatch</command> program is used to issue
warning mail when an SSL certificate is about to expire.</para>
<para>The program has two modes of operation: normal mode and
quiet mode. In normal mode, the certificate given by the
<replaceable>filename</replaceable> argument is examined, and a
warning email is issued to standard output if the certificate is
outside its validity period, or approaching expiry. If the
certificate cannot be found, or any errors occur whilst parsing
the certificate, the certificate is ignored and no output is
produced. In quiet mode, no output is given, but the exit status
can still be used.</para>
<para>The certificate can be specified by its nickname or by a
path to the containing file.</para>
</refsect1>
<refsect1>
<title>Options</title>
<variablelist>
<varlistentry>
<term><option>--quiet</option>, <option>-q</option></term>
<listitem><simpara>Enable quiet mode; no output is produced
whether the certificate is expired or not.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--period <replaceable>days</replaceable></option>,
<option>-p <replaceable>days</replaceable></option></term>
<listitem><simpara>Specify the number of days within which an
expiry warning will be produced; default is 30. Expiry
warnings are always produced if, on the day of invocation, the
certificate is not yet valid, has already expired, or is due
to expire either that day or the following
day.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--address <replaceable>address</replaceable></option>,
<option>-a <replaceable>address</replaceable></option></term>
<listitem><simpara>Specify the address used in the To field of
the warning e-mail issued if quiet mode is not enabled. The
default is <literal>root</literal>.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--directory <replaceable>cert-directory</replaceable></option>,
<option>-d <replaceable>cert-directory</replaceable></option></term>
<listitem><simpara>Specify the database directory containing the certificate
and key database files. The default is yet to be determined.</simpara></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Diagnostics</title>
<para>The exit code indicates the state of the certificate; note
that 0 reports the warning condition, not a healthy certificate:</para>
<variablelist>
<varlistentry>
<term><emphasis>0</emphasis></term>
<listitem><simpara>The certificate is outside its validity
period, or approaching expiry</simpara></listitem>
</varlistentry>
<varlistentry>
<term><emphasis>1</emphasis></term>
<listitem><simpara>The certificate is inside its validity
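period, or could not be parsed. Because both cases share this
status, the exit code alone cannot distinguish a certificate that
is still valid from one that could not be
parsed.</simpara></listitem>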
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Notes</title>
<para>The <command>certwatch</command> program is run daily by
<command>crond</command> from the file
<filename>/etc/cron.daily/certwatch</filename> to generate warning
mail concerning the imminent expiry of SSL certificates configured
for use in the Apache HTTP server. These warnings can be disabled
by adding the line: <literal>NOCERTWATCH=yes</literal> to the file
<filename>/etc/sysconfig/httpd</filename>. Additional options to
pass to <command>certwatch</command> can be specified in that file
in the <literal>CERTWATCH_OPTS</literal> environment
variable.</para>
</refsect1>
<refsect1>
<title>Files</title>
<para><filename>/etc/cron.daily/certwatch</filename>,
<filename>/etc/sysconfig/httpd</filename></para>
</refsect1>
<refsect1>
<title>See also</title>
<para>genkey(1)</para>
</refsect1>
</refentry>