
I have in the past made a list of all the aliases that were expired and then made a for loop in CMD to go through and remove all of them, but I was wondering if anyone knew of a Perl script or anything that would both find the expired certs and then remove them.

Crypto

1 Answer


I was thinking about writing a way to do this in PowerShell but someone already wrote this in bash which would probably be more relevant for you.

Essentially, you need to run keytool -list -v, which outputs verbose details of the certificates in the particular keystore. Once you have that, you need to write a script that reads through the output and determines which certificates are expired. Once you have the information on which certificates are expired, you build an array and then delete all of the certificates added to the array.

This is an example script.

You could change the line that starts with

    echo "[WARNING]

to

    keytool -delete -alias
user5870571
  • I'm unable to get this to work on OSX; it keeps complaining about the $TIMEOUT before keytool. Additionally, for OSX (or, I would also assume, Windows) I had to add -storepass before $PASSWORD. When I completely remove the $TIMEOUT, it outputs that every cert in there has the same number of days before expiration (-17329 days). Any ideas? – Crypto Mar 15 '17 at 18:17
  • Removing the variable $TIMEOUT from the value of KEYTOOL should not cause a problem. [http://man7.org/linux/man-pages/man1/timeout.1.html](http://man7.org/linux/man-pages/man1/timeout.1.html). -storepass is used to change a keystore password. To authenticate to the keystore you just pass the password after you provide the keystore. – user5870571 Mar 15 '17 at 18:44
  • Yeah, I know how to use keytool traditionally, but as I mentioned, when I run this script with the -storepass in place and the $TIMEOUT removed, it shows every single certificate as expiring on the same day, when that is in fact not the case. – Crypto Mar 15 '17 at 20:26
  • Are you alright with sharing the output? – user5870571 Mar 15 '17 at 20:38
  • "Looking for certificates inside the keystore centinel.keystore expiring in 1 day(s)... [WARNING] Certificate **** expires in 'Fri May 09 08:45:27 EDT 2025 Sat May 10 08:45:27 EDT 2025 Sun May 11 08:40:41 EDT 2025' (-17239 day(s) remaining). [WARNING] Certificate ****** expires in 'Tue Dec 16 04:25:52 EST 2003 Sat Nov 10 06:45:16 EST 2012' (-17239 day(s) remaining). [WARNING] Certificate ***** expires in 'Mon Dec 30 19:00:00 EST 2024' (-17239 day(s) remaining). [WARNING] Certificate ***** expires in 'Thu Apr 19 03:02:54 EDT 2035' (-17239 day(s) remaining)." – Crypto Mar 15 '17 at 22:55
  • With a little more manipulation I get what's below: ./checkCertificate: line 45: [: 1489713745: unary operator expected [CRITICAL] Certificate *** has already expired. usage: date [-jnRu] [-d dst] [-r seconds] [-t west] [-v[+|-]val[ymwdHMS]] ... [-f fmt date | [[[mm]dd]HH]MM[[cc]yy][.ss]] [+format] ./checkCertificate: line 45: [: 1489713745: unary operator expected [CRITICAL] Certificate *** has already expired. Finished... – Crypto Mar 16 '17 at 01:25
  • Two things in response. 1. You need to correct the unary operator expected error. You will want to read through this question [http://stackoverflow.com/questions/408975/compare-integer-in-bash-unary-operator-expected](http://stackoverflow.com/questions/408975/compare-integer-in-bash-unary-operator-expected). 2. The message "already expired" does not exist in the example script and you have not provided your script so I can't give you an idea about what is causing the problems. – user5870571 Mar 16 '17 at 13:05
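As an added example, not the script the answer links to and not part of the original thread, here is a POSIX-shell version of the procedure the answer describes: list the keystore with keytool -list -v, pick out the entries whose certificate has expired, then run keytool -delete for each alias. Two choices in it are aimed at the problems raised in the comments. It converts the "until:" date to YYYYMMDD itself instead of calling date -d / date -j, so it behaves the same on GNU/Linux and macOS, and it only looks at the first certificate under each alias, because a PrivateKeyEntry lists its whole issuing chain under the same alias (grepping every "until:" line is what glues several dates onto one alias, as in the concatenated dates above). Both test operands are always quoted and non-empty, which is what avoids the "unary operator expected" error. The keystore listing is constructed; the function names, KEYSTORE_PASS and DRY_RUN are this example's own; it assumes keytool prints dates in the java.util.Date format shown in the thread ("Sat Nov 10 06:45:16 EST 2012") and passes the store password with -storepass, as in Crypto's comment.

```shell
#!/bin/sh
# Added example (not the answer's linked script). Finds expired aliases in a
# `keytool -list -v` listing and optionally deletes them. POSIX sh, no date -d.
set -eu

# Constructed listing in the format keytool -list -v produced at the time of
# this thread. One trustedCertEntry expired in 2012, one PrivateKeyEntry whose
# own certificate runs to 2025 but whose chain root runs to 2035, and one
# trustedCertEntry that expired in 2016.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: oldroot
Creation date: Jan 5, 2010
Entry type: trustedCertEntry

Owner: CN=Old Root CA, O=Example
Issuer: CN=Old Root CA, O=Example
Valid from: Tue Dec 16 04:25:52 EST 2003 until: Sat Nov 10 06:45:16 EST 2012


Alias name: server
Creation date: May 9, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=www.example.com, O=Example
Issuer: CN=Example Issuing CA, O=Example
Valid from: Fri May 09 08:45:27 EDT 2015 until: Fri May 09 08:45:27 EDT 2025
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example
Issuer: CN=Example Root CA, O=Example
Valid from: Mon Apr 20 03:02:54 EDT 2015 until: Thu Apr 19 03:02:54 EDT 2035


Alias name: legacy-ca
Creation date: Feb 1, 2006
Entry type: trustedCertEntry

Owner: CN=Legacy CA, O=Example
Issuer: CN=Legacy CA, O=Example
Valid from: Wed Feb 01 00:00:00 EST 2006 until: Mon Feb 01 00:00:00 EST 2016
'

# Turn the "until:" date keytool prints (java.util.Date format, e.g.
# "Sat Nov 10 06:45:16 EST 2012") into YYYYMMDD without calling date(1),
# whose -d / -j flags differ between GNU coreutils and macOS.
until_to_yyyymmdd() {
  local m d
  set -- $1                        # split into: Dow Mon DD HH:MM:SS TZ YYYY
  [ $# -eq 6 ] || return 1
  case $2 in
    Jan) m=01 ;; Feb) m=02 ;; Mar) m=03 ;; Apr) m=04 ;;
    May) m=05 ;; Jun) m=06 ;; Jul) m=07 ;; Aug) m=08 ;;
    Sep) m=09 ;; Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
    *) return 1 ;;
  esac
  d=${3#0}                         # "09" -> "9" so printf does not read octal
  printf '%s%s%02d\n' "$6" "$m" "$d"
}

# Read a `keytool -list -v` listing on stdin and print one expired alias per
# line. $1 is "today" as YYYYMMDD, passed in so the logic can be run against a
# fixed date.
expired_aliases() {
  local today alias first line until_ymd
  today=$1; alias=''; first=1
  while IFS= read -r line; do
    case $line in
      "Alias name: "*)
        alias=${line#Alias name: }
        first=1 ;;
      "Valid from: "*" until: "*)
        # Only the first certificate under an alias is the entry's own; the
        # rest of a PrivateKeyEntry is its issuing chain.
        if [ "$first" = 1 ]; then
          first=0
          # Both operands are quoted and non-empty, so [ never sees a missing
          # argument (the "unary operator expected" failure mode).
          if until_ymd=$(until_to_yyyymmdd "${line##* until: }") \
             && [ "$until_ymd" -lt "$today" ]; then
            printf '%s\n' "$alias"
          fi
        fi ;;
    esac
  done
  return 0
}

# Live mode against a real keystore. Assumes keytool is on PATH and the store
# password is in $KEYSTORE_PASS (both assumptions of this example). With
# DRY_RUN=1 (the default) it only prints the keytool -delete commands, so the
# alias list can be reviewed before anything is removed.
delete_expired() {
  local keystore today alias
  keystore=$1
  today=$(date +%Y%m%d)
  keytool -list -v -keystore "$keystore" -storepass "$KEYSTORE_PASS" \
  | expired_aliases "$today" \
  | while IFS= read -r alias; do
      if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "would run: keytool -delete -alias $alias -keystore $keystore"
      else
        keytool -delete -alias "$alias" -keystore "$keystore" -storepass "$KEYSTORE_PASS"
      fi
    done
}

# Offline demonstration against the constructed listing, with "today" fixed to
# the date of this thread so the result is reproducible: prints oldroot and
# legacy-ca, but not server, whose own certificate was still valid.
printf '%s\n' "$SAMPLE_LISTING" | expired_aliases 20170315
```

To use it on a real store, source the file and call delete_expired /path/to/your.keystore with KEYSTORE_PASS exported; run it once with the default DRY_RUN=1, check that the listed aliases are really the ones you expect to lose, and only then set DRY_RUN=0. Newer JDKs print the validity dates in a locale-formatted style rather than the java.util.Date form this example parses, so check the first few lines of your own keytool -list -v output before relying on it.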