One of our Web servers was rendered almost useless for clients because the Certificate Revocation List we have on it expired. To avoid that happening again, I decided to implement a check for the CRL expiry as a Nagios (or Icinga) plugin.
I grabbed the OpenSSL source code, and in the apps/ directory, I used the code of crl.c as a base for a small program which retrieves the nextUpdate time of the CRL and returns it as a Unix timestamp from which I can then do a simple bit of arithmetic to check when the CRL expires.
The rest is simply a matter of the program returning an appropriate exit code for Nagios to display OK, Warning or Critical as appropriate.
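
The same check can also be built on the `openssl crl` command rather than a custom C program. The sketch below is an added example, not the plugin described in this post; the function names, the default thresholds (warn at 7 days, critical at 2 days) and the use of GNU `date` are assumptions.

```shell
#!/bin/sh
# Added example: Nagios/Icinga-style CRL expiry check using the openssl CLI.
# Function names, thresholds and argument layout are assumptions.

# Classify the remaining lifetime of a CRL.
# Args: now_epoch next_update_epoch warn_secs crit_secs
# Prints one status line and returns the Nagios exit code
# (0 = OK, 1 = WARNING, 2 = CRITICAL).
crl_state() {
    now=$1; next=$2; warn=$3; crit=$4
    left=$((next - now))
    if [ "$left" -le 0 ]; then
        echo "CRITICAL - CRL expired $(( -left / 3600 ))h ago"; return 2
    elif [ "$left" -le "$crit" ]; then
        echo "CRITICAL - CRL expires in $((left / 3600))h"; return 2
    elif [ "$left" -le "$warn" ]; then
        echo "WARNING - CRL expires in $((left / 3600))h"; return 1
    fi
    echo "OK - CRL valid for another $((left / 3600))h"; return 0
}

# Read nextUpdate from a PEM CRL and print it as a Unix timestamp.
# openssl prints a line such as: nextUpdate=Mar 14 12:00:00 2025 GMT
crl_next_update_epoch() {
    line=$(openssl crl -in "$1" -noout -nextupdate 2>/dev/null) || return 1
    stamp=${line#nextUpdate=}
    date -u -d "$stamp" +%s 2>/dev/null   # GNU date assumed
}

# Usage: check_crl FILE [WARN_DAYS] [CRIT_DAYS]
# Returns 3 (UNKNOWN) when the CRL cannot be read or parsed, so a broken
# or missing file is reported instead of being mistaken for OK.
check_crl() {
    file=$1; warn_days=${2:-7}; crit_days=${3:-2}
    next=$(crl_next_update_epoch "$file") || {
        echo "UNKNOWN - cannot read nextUpdate from $file"; return 3; }
    crl_state "$(date +%s)" "$next" $((warn_days * 86400)) $((crit_days * 86400))
}

# Run as a plugin only when called with arguments.
if [ "$#" -gt 0 ]; then
    check_crl "$@"
    exit $?
fi
```
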