.\" Process this file with
.\" groff -man -Tascii foo.1
.\"
.TH "check_ssl_cert" 1 "October, 2014" "1.17.0" "USER COMMANDS"
.SH NAME
check_ssl_cert \- checks the validity of X.509 certificates
.SH SYNOPSIS
.BR "check_ssl_cert " "-H host [OPTIONS]"
.SH DESCRIPTION
.B check_ssl_cert
A Nagios plugin to check an X.509 certificate:
 - checks if the server is running and delivers a valid certificate
 - checks if the CA matches a given pattern
 - checks the validity
.SH ARGUMENTS
.TP
.BR "-H,--host" " host"
server
.SH OPTIONS
.TP
.BR "-A,--noauth"
ignore authority warnings (expiration only)
.TP
.BR "   --altnames"
matches the pattern specified in -n with alternate names too
.TP
.BR "-C,--clientcert" " path"
use client certificate to authenticate
.TP
.BR "   --clientpass" " phrase"
set passphrase for client certificate.
.TP
.BR "-c,--critical" " days"
minimum number of days a certificate has to be valid to issue a critical status
.TP
.BR "-e,--email" " address"
pattern to match the email address contained in the certificate
.TP
.BR "-f,--file" " file"
local file path (works with -H localhost only)
.TP
.BR "-h,--help,-?"
this help message
.TP
.BR "--long-output" " list"
append the specified comma separated (no spaces) list of attributes to the plugin output on additional lines.
Valid attributes are: enddate, startdate, subject, issuer, modulus, serial, hash, email, ocsp_uri and fingerprint. 'all' will include all the available attributes.
.TP
.BR "-i,--issuer" " issuer"
pattern to match the issuer of the certificate
.TP
.BR "-n,---cn" " name"
pattern to match the CN of the certificate
.TP
.BR "-N,--host-cn"
match CN with the host name
.TP
.BR "--ocsp"
check revocation via OCSP
.TP
.BR "-o,--org" " org"
pattern to match the organization of the certificate
.TP
.BR "   --openssl" " path"
path of the openssl binary to be used
.TP
.BR "-p,--port" " port"
TCP port
.TP
.BR "-P,--protocol" " protocol"
use the specific protocol: http (default) or smtp,pop3,imap,ftp (switch to TLS)
.TP
.BR "-s,--selfsigned"
allows self-signed certificates
.TP
.BR "-S,--ssl" " version"
force SSL version (2,3)
.TP
.BR "-r,--rootcert" " cert"
root certificate or directory to be used for certficate validation (passed to openssl's -CAfile or -CApath)
.TP
.BR "-t,--timeout"
seconds timeout after the specified time (defaults to 15 seconds)
.TP
.BR "--temp" " dir"
directory where to store the temporary files
.TP
.BR "--tls1"
force TLS version 1
.TP
.BR "-v,--verbose"
verbose output
.TP
.BR "-V,--version"
version
.TP
.BR "-w,--warning" " days"
minimum number of days a certificate has to be valid to issue a warning status
.SH DEPRECATED OPTIONS
.TP
.BR "-d,--days" " days"
minimum number of days a certificate has to be valid (see --critical and --warning)

.SH "SEE ALSO"
x509(1), openssl(1), expect(1), timeout(1)
.SH "EXIT STATUS"
check_ssl_cert returns a zero exist status if it finds no errors, 1 for warnings, 2 for a critical errors and 3 for unknown problems
.SH BUGS
Please report bugs to: Matteo Corti (matteo.corti (at) id.ethz.ch)

.SH AUTHOR
Matteo Corti (matteo.corti (at) id.ethz.ch)
See the AUTHORS file for the complete list of contributors