--- /dev/null
+#! /bin/sh -e
+
+conf=/etc/ca/check-x509-certs.conf
+time=$(( 7 * 86400 ))
+usage="usage: $0 [-c CONF] [-d DAYS] [-s SECS]"
+
+while getopts c:d:s: opt; do
+ case "$opt" in
+ c) conf=$OPTARG ;;
+ d) time=$(( $OPTARG * 86400 )) ;;
+ s) time=$OPTARG ;;
+ *) echo >&2 "$usage"; exit 1 ;;
+ esac
+done
+shift $(( $OPTIND - 1 ))
+case $# in 0) ;; *) echo >&2 "$usage"; exit 1 ;; esac
+
+if [ ! -f $conf ]; then exit 0; fi
+
+any=nil
+while read line; do
+ case "$line" in "" | "#"*) continue ;; esac
+ file=$line
+ if openssl x509 -in "$file" -noout -checkend $time; then
+ continue
+ fi
+ if openssl x509 -in "$file" -noout -checkend 0; then
+ state="expires soon"
+ else
+ state="ALREADY EXPIRED!"
+ fi
+ case $any in nil) any=t ;; t) echo ;; esac
+ echo "$file: $state"
+ openssl x509 -in "$file" -noout -issuer -dates
+done <"$conf"