check_ssl_cert -H host [OPTIONS]


check_ssl_cert A Nagios plugin to check an X.509 certificate: - checks if the server is running and delivers a valid certificate - checks if the CA matches a given pattern - checks the validity


-H,--host host




ignore authority warnings (expiration only)


matches the pattern specified in -n with alternate names too

-C,--clientcert path

use client certificate to authenticate

--clientpass phrase

set passphrase for client certificate.

-c,--critical days

minimum number of days a certificate has to be valid to issue a critical status

-e,--email address

pattern to match the email address contained in the certificate

-f,--file file

local file path (works with -H localhost only)


this help message

--long-output list

append the specified comma separated (no spaces) list of attributes to the plugin output on additional lines. Valid attributes are: enddate, startdate, subject, issuer, modulus, serial, hash, email, ocsp_uri and fingerprint. 'all' will include all the available attributes.

-i,--issuer issuer

pattern to match the issuer of the certificate

-n,---cn name

pattern to match the CN of the certificate


match CN with the host name

-o,--org org

pattern to match the organization of the certificate

--openssl path

path of the openssl binary to be used

-p,--port port

TCP port

-P,--protocol protocol

use the specific protocol: http (default) or smtp,pop3,imap,ftp (switch to TLS)


allows self-signed certificates

-S,--ssl version

force SSL version (2,3)

-r,--rootcert cert

root certificate or directory to be used for certficate validation (passed to openssl's -CAfile or -CApath)


seconds timeout after the specified time (defaults to 15 seconds)

--temp dir

directory where to store the temporary files


force TLS version 1


verbose output



-w,--warning days

minimum number of days a certificate has to be valid to issue a warning status


-d,--days days

minimum number of days a certificate has to be valid (see --critical and --warning)

RELATED TO check_ssl_cert…

x509(1), openssl(1), expect(1), timeout(1)


check_ssl_cert returns a zero exist status if it finds no errors, 1 for warnings, 2 for a critical errors and 3 for unknown problems


Please report bugs to: Matteo Corti (matteo.corti (at)


Matteo Corti (matteo.corti (at) See the AUTHORS file for the complete list of contributors