ssl_status.1

.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.if !\nF .nr F 0
.if \nF>0 \{\
.    de IX
.    tm Index:\\$1\t\\n%\t"\\$2"
..
.    if !\nF==2 \{\
.        nr % 0
.        nr F 2
.    \}
.\}
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_STATUS 1"
.TH SSL_STATUS 1 "06-Mar-2025" "" "Certificate Tools"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "SSL_STATUS"
.IX Header "SSL_STATUS"
ssl_status \- check the certificate status for hosts and files
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
ssl_status [options] [host[:port] ...] [file:FILE] [@file...]
.PP
.Vb 10
\& Options:
\&   \-\-brief              Abbreviate report
\&   \-\-CAfile=file        Specify bundle file of trusted CA certificates for verification
\&   \-\-CApath=dir         Specify a hashed directory containing trusted CA certificates for verification.
\&   \-\-email\-to=list      Specify email address(es) to receive reports
\&   \-\-email\-from=addr    Specify email address sending reports
\&   \-\-format=type        Specify report format
\&   \-\-initit=file        Read options from file
\&   \-\-no\-init            Inhibits reading the initialization file
\&   \-\-logo=file|url      Replaces the built\-in logo in HTML reports.
\&   \-\-pretend\-its=days   Adjust today by #days \- +/\-
\&   \-\-renewbefore=days   Specify days before expiration that certificates should renew.
\&   \-\-select=sections    Specify the report sections to produce
\&   \-\-smtp\-server=host   Specify host/host:port for SMTP server for sending e\-mail
\&   \-\-smtp\-username=user Specify username for authentication with SMTP server
\&   \-\-smtp\-password=pass Specify password for authentication with SMTP server
\&   \-\-smtp\-ssl_mode=key  Specify whether SSL is used for SMTP server connection
\&   \-\-starttls=proto     Specify that STARTTLS should be used in the connection.
\&   \-\-stylesheet\-file    Specify additional CSS for HTML reports
\&   \-\-timeout            Specify timeout for connections
\&   \-\-tlsversion=ver     Specify the version of TLS to connect with
\&   \-\-type=type          Specify the certificate type desired from the server
\&   \-\-[no\-]warnings      Display or suppress warnings
\&   \-\-help               brief help message
\&   \-\-man                full documentation
.Ve
.SH "OPTIONS"
.IX Header "OPTIONS"
All options can be specified on the command line and in initialization files.
.PP
Indirect command files (\fI\f(CI@file\fI\fR) support a subset of the options that affect how \fIssl_status\fR
connects to systems and what certificates are requested. Thes options are marked \fI\f(CI@file\fI\fR below.
When used in an indrect command file, they affect only systems mentioned on the same (possibly
continued) line on which they occur.  When used on the command line or initialization file,
they affect systems listed there, and also serve as defaults for systems lised in indirect command
files.
.IP "\fB\-\-brief\fR \fB\-\-no\-brief\fR" 8
.IX Item "--brief --no-brief"
Abbreviate report contents for easier reading (default).  Use \fB\-\-no\-brief\fR if output will be parsed by a script.
.Sp
Currently, \fB\-\-brief\fR avoids repeating the hostname in adjacent rows, but this may be changed.
Note that if a host's certificates expire on different dates, data from other hosts may prevent
abbreviation.
.IP "\fB\-\-CAfile\fR=\fIfile\fR \fB\-\-no\-CAfile\fR" 8
.IX Item "--CAfile=file --no-CAfile"
Specify a file containing one or more trusted \s-1CA\s0 certificates to verify the host's certificate chain.
.Sp
If not specified, the environment variables \s-1SSL_CERT_FILE\s0 and \s-1CURL_CA_BUNDLE\s0 will be tried, and if neither of them is set, OpenSSL's default will be used.
.Sp
If \fB\-\-no\-CAfile\fR is specified, the environment variables are ignored and the system default is used.
.IP "\fB\-\-CApath\fR=\fIdir\fR \fB\-\-CAdir\fR=\fIdir\fR \fB\-\-no\-CApath\fR \fB\-\-no\-CAdir\fR \fI\f(CI@file\fI\fR" 8
.IX Item "--CApath=dir --CAdir=dir --no-CApath --no-CAdir @file"
Specify a directory containing hashed links to one or more trusted \s-1CA\s0 certificates to verify the host's certificate chain.
.Sp
If not specified, the environment variable \s-1SSL_CERT_DIR\s0 will be tried.  If it is not set, OpenSSL's default will be used.
.Sp
If \fB\-\-no\-CApath\fR or \fB\-\-no\-CAdir\fR is specified, the environment variables are ignored and the system default is used.
.IP "\fB\-\-email\-to\fR=\fIlist\fR \fB\-\-no\-email\fR" 8
.IX Item "--email-to=list --no-email"
When generating e\-mails, send to this (comma separated) list.  May be specified more than once.
.IP "\fB\-\-email\-from\fR=\fIaddress\fR \fB\-\-no\-email\-from\fR" 8
.IX Item "--email-from=address --no-email-from"
When generating e\-mails, use this address as the sender.  This is a privileged operation that may not be supported
in some environments.
.Sp
If not specified, the mailer will generate a default sender address, usually based on the user under which it is running.
.IP "\fB\-\-format\fR=\fItype\fR" 8
.IX Item "--format=type"
Generate a report in the specified format: \fItext\fR, \fI\s-1MIME\s0\fR,  or \fI\s-1HTML\s0\fR.
.Sp
\&\fI\s-1MIME\s0\fR includes both text and \s-1HTML\s0 in \s-1MIME\s0 format, and is implied by \fI\-\-email\-to\fR.
.Sp
The default is \fItext\fR.
.IP "\fB\-\-initialization\-file\fR=\fI\s-1FILE\s0\fR" 8
.IX Item "--initialization-file=FILE"
Read \fI\s-1FILE\s0\fR instead of the default initialization file.  \fI\s-1FILE\s0\fR must exist.
.IP "\fB\-\-no\-init\fR" 8
.IX Item "--no-init"
Inhibits reading the initialization file, which (when present) supplies command arguments that are processed before
what is typed on the command line.
.IP "\fB\-\-logo\fR=\fI\s-1FILE\s0\fR \fB\-\-logo\fR=\fI\s-1URL\s0\fR" 8
.IX Item "--logo=FILE --logo=URL"
By default, \s-1HTML\s0 output includes a logo and heading.  You can replace the built-in logo by specifying a \fIpng\fR, \fIjpg\fR, or \fIsvg\fR file.
.Sp
If you don't want the logo and heading, use \fB\-\-no\-logo\fR.
.IP "\fB\-\-pretend\-its\fR=\fIdays\fR" 8
.IX Item "--pretend-its=days"
Adjust the current time by \fIdays\fR (use + to advance, \- to go back).
.Sp
Advancing makes future certificate expirations closer (and overdue times longer), while
going back can make expired certificates seem unexpired (or less overdue).
.Sp
Used for testing expiration warnings/actions.
.IP "\fB\-\-renewbefore\fR=\fIdays\fR \fI\f(CI@file\fI\fR" 8
.IX Item "--renewbefore=days @file"
Specifes the number of days before expiration that certificates should renew.
.Sp
Default is 30.
.IP "\fB\-\-select\fR\-\fIsections\fR" 8
.IX Item "--select-sections"
Specifies which report section(s) are to be produced.
.Sp
Any or all of: \fIsummary\fR, \fIexpired\fR, \fIinvalid\fR, \fIrenewals\fR
.IP "\fB\-\-smtp\-server\fR=\fI=host\fR" 8
.IX Item "--smtp-server==host"
Specify host/host:port for \s-1SMTP\s0 server for sending e\-mail.
.Sp
For unprotected \s-1SMTP\s0 or \s-1STARTTLS,\s0 the port is usually 587 or 25.  For direct \s-1SSL, 465.\s0
.Sp
The port will default to 25 or 465 depending on \fI\-\-smtp\-ssl\-mode\fR.
.Sp
If specified more than once, or a comma-separated list is specified, the first available server will be used.
.IP "\fB\-\-smtp\-username\fR=\fIuser\fR" 8
.IX Item "--smtp-username=user"
Specify username for authentication with \s-1SMTP\s0 server.
.IP "\fB\-\-smtp\-password\fR=\fIpass\fR" 8
.IX Item "--smtp-password=pass"
Specify password for authentication with \s-1SMTP\s0 server.
.IP "\fB\-\-smtp\-ssl_mode\fR=\fIkey\fR" 8
.IX Item "--smtp-ssl_mode=key"
Specify whether \s-1SSL/TLS\s0 is used for \s-1SMTP\s0 server connection.
.Sp
\&\fIkey\fR is \fBno\fR for unprotected \s-1SMTP\s0 (port 25), \fByes\fR for direct \s-1SSL\s0 (port 465), or \fBstarttls\fR (port 25) for
upgrading an unprotected \s-1SMTP\s0 connection to \s-1TLS\s0 with the \fIstarttls\fR command.
.Sp
If an explict port (e.g. 587) is specified, it will be used.
.Sp
The default is to use direct \s-1SSL\s0 if port 465/smtps is specified, otherwise to attempt \s-1STARTTLS\s0 if the server supports it.
.IP "\fB\-\-starttls\fR=\fIprotocol\fR \fI\f(CI@file\fI\fR" 8
.IX Item "--starttls=protocol @file"
Specifies that \s-1STARTTLS\s0 is required to make the \s-1TLS\s0 connection used to verify a host.
.Sp
\&\fIprotocol\fR is one of the following:  \*(L"smtp\*(R", \*(L"pop3\*(R", \*(L"imap\*(R", \*(L"ftp\*(R", \*(L"xmpp\*(R",
           \*(L"xmpp-server\*(R", \*(L"irc\*(R", \*(L"postgres\*(R", \*(L"mysql\*(R", \*(L"lmtp\*(R", \*(L"nntp\*(R", \*(L"sieve\*(R", or \*(L"ldap\*(R"
.IP "\fB\-\-stylesheet\fR=\fI\s-1FILE\s0\fR" 8
.IX Item "--stylesheet=FILE"
Adds the contents of \fI\s-1FILE\s0\fR to the \s-1CSS\s0 stylesheet embedded with \s-1HTML\s0 reports.
.IP "\fB\-\-timeout\fR=\fIsecs\fR \fI\f(CI@file\fI\fR" 8
.IX Item "--timeout=secs @file"
Speciries the maximum amount of time that \fIssl_status\fR will wait for a \s-1TLS\s0 connection.
.Sp
The default is 120 seconds.
.IP "\fB\-\-tlsversion\fR=\fIversion\fR \fI\f(CI@file\fI\fR" 8
.IX Item "--tlsversion=version @file"
Specifies the \s-1TLS\s0 protocol version to use: 1.1, 1.2, or 1.3.  Note that 1.3 does not support
\&\s-1RSA\s0 certificates.
.IP "\fB\-\-type\fR=\fItype\fR \fI\f(CI@file\fI\fR" 8
.IX Item "--type=type @file"
Specify that an \fIec\fR (\fIecdsa\fR) or \fIrsa\fR certificate is desired.  Can specify more than one, in which case
both will be requested.  If not specified and the server has more than one, the server decides.
.IP "\fB\-\-[no\-]warnings\fR" 8
.IX Item "--[no-]warnings"
Controls whether warning messages are displayed.  The default is \fB\-\-warnings\fR.
.Sp
Warnings include duplicated files and hosts, which are skipped, and other recoverable conditions.
.IP "\fB\-\-help\fR" 8
.IX Item "--help"
Print a brief help message and exits.
.IP "\fB\-\-man\fR" 8
.IX Item "--man"
Prints the manual page and exits.
.PP
When options require keyword values, the keyword may be abbreviated providing that the abbreviation is unique.
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBssl_status\fR will connect to each host specified and obtain its certificate and any intermediate certificate chain.
.PP
Port can be numeric, or a service name (e.g. from /etc/services).
.PP
If a port is not specified: if \-\-starttls is specified, the default port for the \s-1STARTTLS\s0 protocol is used, otherwise 443 (https) is assumed.
.PP
If the port is specified as \fI\s-1FILE\s0\fR, \fBssl_status\fR will open the specified file and process it as if the certificates were received from a server.
The certificate chain must be in \s-1PEM\s0 format.  If a filename begins with '.', '/', or '~', or if it contains a '/', the \fI:FILE\fR is inferred, since
no \s-1DNS\s0 hostname or \s-1IP\s0 address can have those forms.
.PP
If an argument is of the form \fI\f(CI@file\fI\fR, the file is processed as a list of commands, one per line, in any of the forms described previously.
A line can contain one or more hosts as well as options that apply only to the hosts on that line.
.PP
The host-specific options that can be specified in an \fI\f(CI@file\fI\fR are: \fI\-\-CAfile\fR, \fI\-\-CApath\fR, \fI\-\-renewefore\fR, \fI\-\-starttls\fR, \fI\-\-timout\fR, \fI\-\-tlsversion\fR, and \fI\-\-type\fR.
If these are specified on the command line (or equivalently, in an initialization file), they will be used as defaults for
\&\fI\f(CI@file\fI\fR hosts.  Options can be negated \- e.g. if most hosts are dual-certificate, you might use \fI\-\-type=ec,rsa\fR on the command line, and
exclude a single host in an \fI\f(CI@file\fI\fR with \fI\-\-type=rsa\fR or \fI\-\-no\-type\fR.  Options specified in an \fI\f(CI@file\fI\fR only apply to the
line on which the occur.  However, lines can be continued using a \e (backslash) as the last character of a line.
.PP
\&\fI\f(CI@file\fI\fRs can be nested, but attempting to process the same file more than once is an error.  In an \fI\f(CI@file\fI\fR, blank lines and lines beginning with \fI#\fR are ignored.
.PP
\&\fI\s-1FILE\s0\fR and \fI\f(CI@file\fI\fR names support tilde expansion, but not wildcards.
.PP
The validity dates of each certificate returned will be verified, as will its chain.
.PP
To request the desired certificate from  dual-certificate servers, you can specify \fB\-\-type\fR=\fIec\fR or \fB\-\-type\fR=\fIrsa\fR.
This is done by providing a list of acceptable signature algorithms; the connecion will fail if the server doesn't have a matching certificate.
.PP
To restrict the server connection type, specify \fB\-\-ip\-version=\fR\fI4|6\fR
.PP
You can also specify \fB\-\-tlsversion\fR=\fI1.1\fR, \fB\-\-tlsversion\fR=\fI1.2\fR, or \fB\-\-tlsversion\fR=\fI1.3\fR to select the protocol version.
.PP
Each certificate is analyzed in the order received from the server or contained in the file, which should be from leaf (the server) toward the root (trusted \s-1CA\s0).
The trust root is not sent by the server, but is located by OpenSSL via \-CAfile or \-CApath.
.PP
Any date or verification errors will be reported.
.PP
Note that if a trusted (root) certificate has expired, only the root name is available.
.PP
The default output is a table, ordered by days until expiration, summarizing the status of each
host/file's certificate.  Typically, one would run this weekly in order to make sure
that certificates are being renewed.  The analysis is similar to \fBssl_check_chain\fR,
but the result is condensed to one (or with long filenames, two) lines per host.
.PP
The \fB\-\-select\fR option allows you to select other output.
.PP
The default output format is plain text.  \s-1HTML\s0 can be selected \- for example, if you wish to provide the output as a web page.  \s-1MIME\s0 is used when the output is e\-mailed.
.PP
You can specify common options in an initialization file, which is processed before the command line.
.PP
The initialization file for Unix systems is the first of \fI./.ssl_status\fR, \fI\f(CI$HOME\fI/.ssl_status\fR, \fI/etc/sysconfig/ssl_status\fR, and \fI/etc/default/ssl_status\fR.
.PP
For Windows systems: \fI.\e.ssl_status.ini\fR, \fI\f(CI%HOMEDRIVE\fI%%HOMEPATH%\e.ssl_status.ini\fR, \fI\f(CI%SSLSTATUS\fI%\essl_status.ini\fR.
.PP
For \s-1VMS\s0 systems: \fISYS$DISK:[]ssl_status.ini\fR, \fISYS$LOGIN:ssl_status.ini\fR, \fISYS$SYSTEM:ssl_status.ini\fR.
.PP
For any other system: \fI./.ssl_status\fR
.PP
Comments (beginning with \fI#\fR) are ignored, and the contents  are treated as though they were typed on the
command line \- with the same quoting rules.
.PP
Should you wish to override the options in the initialization file, you can specify the
\&\fB\-\-no\-init\fR option on the command line.  \fB\-\-initialization\-file\fR specifies an alternative file.
.SH "BUGS"
.IX Header "BUGS"
Report any bugs, feature requests and/or patches on the issue tracker,
located at \fIhttps://github.com/tlhackque/certtools/issues\fR.  In the
event that the project moves, contact the author directly.
.SH "AUTHOR"
.IX Header "AUTHOR"
Timothe Litt  <litt@acm.org>
.SH "COPYRIGHT and LICENSE"
.IX Header "COPYRIGHT and LICENSE"
Copyright (c) 2021\-2025 Timothe Litt
.PP
Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the \*(L"Software\*(R"),
to deal in the Software without restriction, including without limitation
the rights to use, copy, modify, merge, publish, distribute, sublicense,
and/or sell copies of the Software, and to permit persons to whom the
Software is furnished to do so, subject to the following conditions:
.PP
The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.
.PP
\&\s-1THE SOFTWARE IS PROVIDED \*(L"AS IS\*(R", WITHOUT WARRANTY OF ANY KIND, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.\s0
.PP
Except as contained in this notice, the name of the author shall not be
used in advertising or otherwise to promote the sale, use or other dealings
in this Software without prior written authorization from the author.
.PP
Any modifications to this software must be clearly documented by and
attributed to their author, who is responsible for their effects.
.PP
Bug reports, suggestions and patches are welcomed by the original author.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fI\fIopenssl\fI\|(1)\fR
.PP
\&\fI\s-1POD\s0 version \f(CI$Id$\fR