
check_ssl_cert - checks the validity of X.509 certificates

check_ssl_cert(1) USER COMMANDS check_ssl_cert(1)




check_ssl_cert -H host [OPTIONS]


check_ssl_cert A Nagios plugin to check an X.509 certificate:
- checks if the server is running and delivers a valid certificate
- checks if the CA matches a given pattern
- checks the validity


-H,--host host


ignore authority warnings (expiration only)
matches the pattern specified in -n with alternate names too
-C,--clientcert path
use client certificate to authenticate
--clientpass phrase
set passphrase for client certificate.
-c,--critical days
minimum number of days a certificate has to be valid to issue a critical status
produces debugging output
cipher selection: force ECDSA authentication
-e,--email address
pattern to match the email address contained in the certificate
-f,--file file
local file path (works with -H localhost only)
--file-bin path
path of the file binary to be used
this help message
ignore expiration date
do not check if the certificate was signed with SHA1 or MD5
do not check revocation with OCSP
-i,--issuer issuer
pattern to match the issuer of the certificate
-L,--check-ssl-labs grade
SSL Labs assessment (please check
Forces a new check by SSL Labs (see -L)
--long-output list
append the specified comma separated (no spaces) list of attributes to the plugin output on additional lines. Valid attributes are: enddate, startdate, subject, issuer, modulus, serial, hash, email, ocsp_uri and fingerprint. 'all' will include all the available attributes.
-n,--cn name
pattern to match the CN of the certificate (can be specified multiple times)
disable SSL version 2
disable SSL version 3
disable TLS version 1
disable TLS version 1.1
disable TLS version 1.2
match CN with the host name
-o,--org org
pattern to match the organization of the certificate
--openssl path
path of the openssl binary to be used
-p,--port port
TCP port
-P,--protocol protocol
use the specific protocol: http (default), irc or smtp,pop3,imap,ftp (switch to TLS)
allows self-signed certificates
--serial serialnum
pattern to match the serial number
force SSL version 2
force SSL version 3
-r,--rootcert cert
root certificate or directory to be used for certificate validation (passed to openssl's -CAfile or -CApath)
cipher selection: force RSA authentication
seconds timeout after the specified time (defaults to 15 seconds)
--temp dir
directory where to store the temporary files
force TLS version 1
verbose output
-w,--warning days
minimum number of days a certificate has to be valid to issue a warning status


-d,--days days
minimum number of days a certificate has to be valid (see --critical and --warning)
check revocation via OCSP
-S,--ssl version
force SSL version (2,3) (see: --ssl2 or --ssl3)


If the host has multiple certificates and the installed openssl version supports the -servername option, it is possible to specify the TLS SNI (Server Name Indication) with the -N (or --host-cn) option.


x509(1), openssl(1), expect(1), timeout(1)


check_ssl_cert returns a zero exit status if it finds no errors, 1 for warnings, 2 for critical errors and 3 for unknown problems.
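
The following added example (not part of check_ssl_cert or of this manual) shows how day thresholds such as -w/--warning and -c/--critical map onto the exit statuses 0, 1, 2 and 3, using openssl x509 -checkend on a local certificate file. The function names, the status text, the sample.invalid subject and the generated certificate are constructed for illustration; openssl(1) is assumed to be installed.

```shell
#!/bin/sh
# Added example, not check_ssl_cert's own code. Assumes openssl(1) is on PATH.

# make_sample_cert FILE DAYS: constructed self-signed certificate for testing.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1" -days "$2" -subj "/CN=sample.invalid" >/dev/null 2>&1
}

# cert_expiry_status FILE WARN_DAYS CRIT_DAYS
# Prints one status line; returns 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
cert_expiry_status() {
    cert=$1; warn=$2; crit=$3
    # Bad thresholds are a monitoring problem, not a certificate problem.
    for n in "$warn" "$crit"; do
        case $n in
            ''|*[!0-9]*) echo "CERT UNKNOWN: thresholds must be whole days"
                         return 3 ;;
        esac
    done
    # A missing or unparsable file must not be reported as OK.
    if ! end=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null); then
        echo "CERT UNKNOWN: cannot read certificate $cert"
        return 3
    fi
    end=${end#notAfter=}
    # -checkend N exits non-zero when the certificate expires within N seconds.
    # Test the critical threshold first so it wins over the warning one.
    if ! openssl x509 -in "$cert" -noout -checkend $((crit * 86400)) >/dev/null
    then
        echo "CERT CRITICAL: expires within $crit days ($end)"
        return 2
    fi
    if ! openssl x509 -in "$cert" -noout -checkend $((warn * 86400)) >/dev/null
    then
        echo "CERT WARNING: expires within $warn days ($end)"
        return 1
    fi
    echo "CERT OK: valid until $end"
    return 0
}

# Demo on a constructed certificate that is valid for 30 days.
tmp=$(mktemp -d) && make_sample_cert "$tmp/cert.pem" 30
status=0
cert_expiry_status "$tmp/cert.pem" 60 15 || status=$?
echo "exit status: $status"
rm -rf "$tmp"
```

Returning 3 for an unreadable certificate or a malformed threshold keeps a broken check from being silently counted as healthy.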


Please report bugs to: Matteo Corti (matteo (at) )


Matteo Corti (matteo (at) ) See the AUTHORS file for the complete list of contributors
December, 2016 1.37.0