One of our Web servers was rendered almost useless for clients because the Certificate Revocation List we have on it, expired. To avoid that happening again, I decided to implement a check for the CRL expiry as a Nagios (respectively Icinga) plugin.

I grabbed the OpenSSL source code, and in the apps/ directory, I used the code of crl.c as a base for a small program which retrieves the nextUpdate time of the CRL and returns it as a Unix timestamp from which I can then do a simple bit of arithmetic to check when the CRL expires.

The rest is simply a matter of the program returning an appropriate exit code for Nagios to display OK, Warning or Critical as appropriate.

(There exists a Nagios plugin called check_crl, but I don’t like the way the program checks for dates – YMMV. )