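#!/bin/sh
# Report X.509 certificates that have expired or will expire within a
# warning window.
#
# usage: $0 [-c CONF] [-d DAYS] [-s SECS]
#   -c CONF  file listing one certificate path per line; blank lines and
#            lines starting with '#' are skipped
#            (default /etc/ca/check-x509-certs.conf)
#   -d DAYS  warning window in days (default 7)
#   -s SECS  warning window in seconds
#
# Exit status: 0 when every listed certificate could be examined (even if
# some are expiring or expired), 1 on a usage error or when a listed
# certificate could not be read or parsed. A missing CONF exits 0.

# Set options here rather than on the #! line, so they still apply when the
# script is started as "sh script".
set -eu

conf=/etc/ca/check-x509-certs.conf
time=$(( 7 * 86400 ))
usage="usage: $0 [-c CONF] [-d DAYS] [-s SECS]"

# Print the usage line on stderr and exit 1.
bad_usage() {
  echo >&2 "$usage"
  exit 1
}

# Succeed only if $1 is a plain decimal number. Anything else would be
# evaluated as an expression by $(( )); a leading zero would be read as octal.
is_uint() {
  case "$1" in
    "" | *[!0-9]* | 0?*) return 1 ;;
  esac
  return 0
}

# Print one "FILE: STATE" line, separated from the previous report by a
# blank line. Globals: any (read and written).
report() {
  case $any in
    nil) any=t ;;
    t) echo ;;
  esac
  printf '%s\n' "$1: $2"
}

while getopts c:d:s: opt; do
  case "$opt" in
    c) conf=$OPTARG ;;
    d)
      is_uint "$OPTARG" || bad_usage
      time=$(( OPTARG * 86400 ))
      ;;
    s)
      is_uint "$OPTARG" || bad_usage
      time=$OPTARG
      ;;
    *) bad_usage ;;
  esac
done
shift $(( OPTIND - 1 ))

case $# in
  0) ;;
  *) bad_usage ;;
esac

# No configuration means nothing to check.
if [ ! -f "$conf" ]; then
  exit 0
fi

any=nil
failed=0

# read -r keeps backslashes in paths literal; the "|| [ -n ... ]" part picks up
# a final line that has no trailing newline.
while read -r line || [ -n "$line" ]; do
  case "$line" in
    "" | "#"*) continue ;;
  esac
  file=$line

  # Probe the file first. -checkend fails for an unreadable or malformed file
  # just as it does for an expired certificate, which would mislabel the file
  # as expired, and the failing detail dump below would then abort the whole
  # run under "set -e", leaving every later certificate unchecked.
  if ! openssl x509 -in "$file" -noout; then
    report "$file" "CANNOT BE READ OR PARSED"
    failed=1
    continue
  fi

  # NOTE(review): openssl may also print its own -checkend verdict on stdout;
  # that output is left as it was.
  if openssl x509 -in "$file" -noout -checkend "$time"; then
    continue
  fi

  if openssl x509 -in "$file" -noout -checkend 0; then
    state="expires soon"
  else
    state="ALREADY EXPIRED!"
  fi

  report "$file" "$state"
  openssl x509 -in "$file" -noout -issuer -dates
done <"$conf"

exit "$failed"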