
In our environment, the OSX login keychain contains multiple certificates with the same name (the end-user account name). I want to loop through these certs and capture the expiration dates.

I created an array in bash using the security command (including the -a argument for finding all instances) for finding the cert and piping it to the openssl command for finding the expiration date. But the array only returns the expiration date of the first certificate, and none of the others.

```bash
# Pull every cert named after the user from the login keychain and try to
# read the expiry dates into an array (one word per date, thanks to tr)
array=( $(/usr/bin/security find-certificate -a -c "$user" -p -Z /Users/"$user"/Library/Keychains/login.keychain | /usr/bin/openssl x509 -noout -enddate | cut -f2 -d= | tr ' ' '-') )

for i in "${array[@]}"
do
    echo "$user has an expiration date of $i."
done
```
xian
  • 17
  • 2
  • `openssl x509` is only analyzing the first cert; I think you need to split them and run `openssl x509` on each one separately. – Gordon Davisson Jun 02 '19 at 04:22
  • Thanks Gordon. Since the certs all have the same name, how would I split them? – xian Jun 02 '19 at 04:45
  • I think you'll have to do something like write a small parser that breaks it up by the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines. Which is a hassle, but I don't know a way around it. – Gordon Davisson Jun 02 '19 at 06:09

1 Answer

1

Try this:

```bash
# Dump every matching cert as PEM, one after another, into a private temp file
certs=$(mktemp) && checkcert=$(mktemp) || exit 1
/usr/bin/security find-certificate -a -c "$user" -p > "$certs"

# Reassemble one certificate at a time between its BEGIN and END lines,
# then ask openssl for that single cert's expiry date
while IFS= read -r line; do
    if [[ "$line" == *"--BEGIN"* ]]; then
        cert=$line
    else
        cert="$cert"$'\n'"$line"
        if [[ "$line" == *"--END"* ]]; then
            echo "$cert" > "$checkcert"
            rawExp=$(openssl x509 -noout -enddate -in "$checkcert" | cut -d= -f2)
            echo "$user has an expiration date of $rawExp."
        fi
    fi
done < "$certs"
rm -f "$certs" "$checkcert"
```
AbsterT
  • 173
  • 4
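The same split-then-inspect approach as a reusable script, added here as an example (it is not part of the question or of AbsterT's answer). It splits a PEM bundle on the BEGIN/END CERTIFICATE markers with awk, reports each certificate's subject and notAfter date, and goes one step further than the answer by flagging certificates that expire within a chosen number of days using openssl's `-checkend`. Because the macOS `security` tool is not available everywhere, the sample bundle is constructed on the fly from three self-signed certificates with different lifetimes; the function names (`split_pem_bundle`, `pem_cert_report`, `make_sample_bundle`) and the `/CN=sample-user` subject are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the answer above). Splits a PEM bundle into
# individual certificates and reports each one's expiry, flagging any that
# expire within a given number of days. Requires only openssl, awk and mktemp.

# split_pem_bundle BUNDLE OUTDIR
# Writes each "-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----"
# block of BUNDLE to OUTDIR/cert-NNN.pem; any other lines (for example the
# SHA-1 hash lines that `security find-certificate -Z` prints) are ignored.
split_pem_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# pem_cert_report BUNDLE DAYS
# Prints one line per certificate: subject | notAfter | status, where status
# is "ok" or "EXPIRES WITHIN <DAYS>d" (decided by openssl x509 -checkend).
pem_cert_report() {
    bundle=$1
    days=$2
    secs=$((days * 86400))
    workdir=$(mktemp -d) || return 1
    split_pem_bundle "$bundle" "$workdir"
    for f in "$workdir"/cert-*.pem; do
        [ -e "$f" ] || continue
        subject=$(openssl x509 -noout -subject -in "$f")
        notafter=$(openssl x509 -noout -enddate -in "$f" | cut -d= -f2)
        # -checkend exits 0 if the cert is still valid SECS from now, 1 otherwise
        if openssl x509 -noout -checkend "$secs" -in "$f" >/dev/null 2>&1; then
            status="ok"
        else
            status="EXPIRES WITHIN ${days}d"
        fi
        printf '%s | %s | %s\n' "$subject" "$notafter" "$status"
    done
    rm -rf "$workdir"
}

# make_sample_bundle
# Constructed test data (assumption for this example): three self-signed
# certs for the same CN with lifetimes of 30, 200 and 400 days, concatenated
# the way `security find-certificate -a -p` would emit them. Prints the path.
make_sample_bundle() {
    dir=$(mktemp -d) || return 1
    for d in 30 200 400; do
        openssl req -x509 -newkey rsa:2048 -nodes -days "$d" \
            -subj "/CN=sample-user" \
            -keyout "$dir/key-$d.pem" -out "$dir/cert-$d.pem" >/dev/null 2>&1 || return 1
        cat "$dir/cert-$d.pem" >> "$dir/bundle.pem"
    done
    echo "$dir/bundle.pem"
}

# Stand-alone run against the constructed bundle. On macOS you would instead
# feed it: /usr/bin/security find-certificate -a -c "$user" -p > bundle.pem
bundle=$(make_sample_bundle) && pem_cert_report "$bundle" 90
```

With the 90-day window only the 30-day certificate is flagged; widening the window to 365 days flags the 30- and 200-day ones as well. Splitting with awk means the per-certificate files live in a private `mktemp -d` directory rather than fixed names under `/tmp`, and each file is removed once the report is printed.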