CERTWATCH(1)                                                      CERTWATCH(1)


       certwatch - generate SSL certificate expiry warnings


       certwatch [OPTION...] filename


       The  certwatch  program  is used to issue warning mail when an SSL cer-
       tificate is about to expire.

       The program has two modes of operation: normal mode and quiet mode.  In
       normal  mode,  the  certificate given by the filename argument is exam-
       ined, and a warning email is issued to standard output if the  certifi-
       cate is outside its validity period, or approaching expiry. If the cer-
       tificate cannot be found, or any errors occur whilst parsing  the  cer-
       tificate, the certificate is ignored and no output is produced. In qui-
       et mode, no output is given, but the exit status can still be used.


       --quiet, -q
              Enable quiet mode; no output is produced whether the certificate
              is expired or not.

       --period days, -p days
              Specify  the  number of days within which an expiry warning will
              be produced; default is 30. Expiry warnings are always  produced
              if,  on the day of invocation, the certificate is not yet valid,
              has already expired, or is due to expire either that day or  the
              following day.

       --address address, -a address
              Specify  the  address used in the To field of the warning e-mail
              issued if quiet mode is not enabled. The default is root.


       The exit code indicates the state of the certificate:

       0      The certificate is outside its validity period,  or  approaching

       1      The  certificate  is inside its validity period, or could not be


       The  certwatch  program  is  run  daily  by   crond   from   the   file
       /etc/cron.daily/certwatch to warn about the imminent expiry of SSL cer-
       tificates configured for use in the Apache HTTP  server.  This  warning
       can  be  disabled  by  adding  the  line:  NOCERTWATCH=yes  to the file
       /etc/sysconfig/httpd. Options to pass to certwatch can be specified  in
       that file in the CERTWATCH_OPTS environment variable.
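
       Because a certificate that cannot be found or parsed is ignored without
       output, a monitoring job can check for those cases before relying on
       the quiet-mode exit status. The sketch below is an added example, not
       part of crypto-utils; it assumes the openssl command is installed, and
       the function names, state labels and CERT_DAYS variable are
       hypothetical.

```shell
#!/bin/sh
# Added example (not from crypto-utils): report missing or unparseable
# certificates separately instead of letting them pass silently.

# classify_cert FILE [DAYS] -> prints WARN, OK, UNREADABLE or UNPARSEABLE
classify_cert() {
    file=$1
    days=${2:-30}                 # same default as certwatch --period

    # certwatch ignores a certificate it cannot find; flag that first.
    if [ ! -r "$file" ]; then
        echo UNREADABLE
        return 0
    fi

    # certwatch also ignores parse errors; confirm the file is X.509.
    if ! openssl x509 -noout -in "$file" >/dev/null 2>&1; then
        echo UNPARSEABLE
        return 0
    fi

    # Quiet mode: no mail text is produced, only the exit status is used.
    # Exit 0 means outside the validity period or approaching expiry.
    if certwatch --quiet --period "$days" "$file"; then
        echo WARN
    else
        echo OK
    fi
}

# report FILE... -> one "STATE FILE" line each; returns 1 if any is not OK
report() {
    rc=0
    for f in "$@"; do
        state=$(classify_cert "$f" "${CERT_DAYS:-30}")
        echo "$state $f"
        [ "$state" = OK ] || rc=1
    done
    return $rc
}

# Run over the certificate paths given on the command line, if any.
if [ $# -gt 0 ]; then
    report "$@"
fi
```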





crypto-utils                      April 2005                      CERTWATCH(1)