One of our Web servers was rendered almost useless for clients because the Certificate Revocation List we have on it expired. To avoid that happening again, I decided to implement a check for the CRL expiry as a Nagios (or Icinga) plugin.
I grabbed the OpenSSL source code, and in the apps/ directory, I used the code of crl.c as a base for a small program which retrieves the nextUpdate time of the CRL and returns it as a Unix timestamp from which I can then do a simple bit of arithmetic to check when the CRL expires.
The rest is simply a matter of the program returning an appropriate exit code for Nagios to display OK, Warning or Critical as appropriate.
(There exists a Nagios plugin called check_crl, but I don’t like the way the program checks for dates – YMMV.)
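The same check can be sketched as a shell plugin around the openssl command-line tool instead of a C program. This is an added example, not the author's code: the function names, the argument order and the default thresholds of 48 and 12 hours are assumptions, and it expects a PEM CRL and GNU date.

```shell
#!/bin/sh
# Added example: Nagios/Icinga-style CRL expiry check built on the openssl CLI.
# Assumed interface: check_crl_expiry.sh CRL_FILE [WARN_HOURS] [CRIT_HOURS]

# Strip the "nextUpdate=" label from the line printed by `openssl crl -nextupdate`.
parse_next_update() {
    printf '%s\n' "${1#nextUpdate=}"
}

# crl_status NEXT_EPOCH NOW_EPOCH WARN_SECS CRIT_SECS
# Prints a status line and returns 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
crl_status() {
    for n in "$1" "$2" "$3" "$4"; do
        case $n in
            ''|*[!0-9]*) echo "CRL UNKNOWN - could not determine nextUpdate"; return 3 ;;
        esac
    done
    left=$(( $1 - $2 ))   # seconds until nextUpdate
    if [ "$left" -le 0 ]; then
        echo "CRL CRITICAL - expired $(( (0 - left) / 3600 ))h ago"; return 2
    elif [ "$left" -le "$4" ]; then
        echo "CRL CRITICAL - expires in $(( left / 3600 ))h"; return 2
    elif [ "$left" -le "$3" ]; then
        echo "CRL WARNING - expires in $(( left / 3600 ))h"; return 1
    fi
    echo "CRL OK - expires in $(( left / 3600 ))h"; return 0
}

check_crl() {
    # PEM input assumed; add "-inform DER" for a DER-encoded CRL.
    line=$(openssl crl -in "$1" -noout -nextupdate 2>/dev/null) || line=""
    when=$(parse_next_update "$line")
    # An unreadable file or a CRL without nextUpdate ("NONE") ends up UNKNOWN,
    # never OK: an empty string must not reach date, which would accept it.
    next=""
    if [ -n "$when" ]; then
        next=$(date -u -d "$when" +%s 2>/dev/null) || next=""
    fi
    crl_status "$next" "$(date -u +%s)" $(( ${2:-48} * 3600 )) $(( ${3:-12} * 3600 ))
}

# Run as a plugin only when called with arguments.
if [ "$#" -gt 0 ]; then
    check_crl "$@"
    exit $?
fi
```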