Check Certificate Expiration Perl Script

Author Info

29 May 2009 - 11:02am
Submitted by: rridley

License: GPL

The script will report if a certificate is expired, if it expires today, or if it will expire within a month.

I use Net::LDAP and Date::Manip in the Perl script. The corresponding packages on SLES are:

  • perl
  • perl-DateManip
  • perl-ldap

The options needed for the script to run are:

checkcerts.pl LDAP-IP-or-DNS-name Bind-DN Bind-password

Example:

checkcerts.pl 10.20.30.40 cn=admin,o=novell novell

The user account that the script binds as needs only the following rights:

Entry: Browse, Inherit (for the entire tree)
Attribute: ObjectClass & ndspkinotafter - Read, Compare, Inherit

The easiest way to use this script would be to create a cron job on one server that runs once a week.

An example that emails the script's results to idmadmins:

/usr/local/bin/certreport.pl 10.20.30.40 cn=admin,o=novell password | nail -s "Certificate Expiration Report for `date -I`" -r certreport@mydomain.com idmadmins@mydomain.com

You would need to create a job for each tree you want to monitor.

The following example would run against the 10.20.30.40 tree at 1:00AM every Saturday:

0 1 * * 6  /usr/local/bin/certreport.pl 10.20.30.40 cn=admin,o=novell password | nail -s "Certificate Expiration Report for `date -I`" -r certreport@mydomain.com idmadmins@mydomain.com

Attachment: checkcerts.tgz (721 bytes)
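
The expiry classification described above, as an added example in Perl using only core modules (this is not the checkcerts.pl from the attachment). It assumes ndspkinotafter is returned as an LDAP GeneralizedTime string, takes "within a month" as 30 days, and runs over constructed sample entries with a constructed "now"; it also prints a closing count line, so an empty report can be told apart from a run that found or could read no certificate objects.

```perl
#!/usr/bin/perl
# Added example: not the checkcerts.pl shipped in the attachment.
use strict;
use warnings;
use Time::Local qw(timegm);

# Assumption: ndspkinotafter arrives as LDAP GeneralizedTime (YYYYMMDDhhmmssZ).
# Returns epoch seconds (UTC), or undef if the value is missing or malformed.
sub parse_notafter {
    my ($v) = @_;
    return undef
        unless defined $v && $v =~ /^(\d{4})(\d\d)(\d\d)(\d\d)(\d\d)(\d\d)Z$/;
    return eval { timegm($6, $5, $4, $3, $2 - 1, $1) };  # undef on e.g. month 13
}

# The three conditions the description lists, plus OK and UNREADABLE.
# Assumption: "within a month" is taken as 30 days; "today" is the UTC day.
sub classify {
    my ($notafter, $now) = @_;
    my $t = parse_notafter($notafter);
    return 'UNREADABLE'     unless defined $t;   # attribute absent or garbled
    return 'EXPIRED'        if $t < $now;
    return 'EXPIRES TODAY'  if int($t / 86400) == int($now / 86400);
    return 'EXPIRES IN 30D' if $t - $now <= 30 * 86400;
    return 'OK';
}

# Constructed sample data standing in for LDAP search results: [DN, ndspkinotafter].
my @entries = (
    [ 'cn=SSL CertificateDNS - SRV1,o=novell', '20090501000000Z' ],
    [ 'cn=SSL CertificateIP - SRV1,o=novell',  '20090529235900Z' ],
    [ 'cn=SSL CertificateDNS - SRV2,o=novell', '20090615080000Z' ],
    [ 'cn=SSL CertificateIP - SRV2,o=novell',  '20110529110200Z' ],
    [ 'cn=SSL CertificateDNS - SRV3,o=novell', undef ],   # value not returned
);
# Constructed "now" (2009-05-29 12:00 UTC) so the output is reproducible;
# a real run would use time().
my $now = timegm(0, 0, 12, 29, 4, 2009);

my %count;
for my $e (@entries) {
    my ($dn, $na) = @$e;
    my $status = classify($na, $now);
    $count{$status}++;
    next if $status eq 'OK';
    printf "%-15s %s (%s)\n", $status, $dn, defined $na ? $na : 'no value';
}
# Closing line: distinguishes "nothing expiring" from "nothing found or readable".
printf "Examined %d certificate objects (%s)\n", scalar @entries,
    join(', ', map { "$_: $count{$_}" } sort keys %count);
```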

User Comments

No output

Submitted by mo71211 on 4 September 2009 - 11:02am.

I ran the script and followed the example. And it produced no output. Am I doing something wrong?

If it produced no output and

Submitted by rridley on 4 September 2009 - 12:49pm.

If it produced no output and did not provide an error then you don't have any expired (or soon to expire) certificates. The user used to log in to the tree should also have enough rights to browse the tree and read the ndspkinotafter attribute on the certificate objects (the ndspkikeymaterial objectclass).

© 2009 Novell, Inc. All Rights Reserved.