check_cert.py

Deterministic TLS Certificate Inspection

check_cert.py is a deterministic TLS certificate inspection tool designed for monitoring systems, automation pipelines, and operators who require reproducible, audit‑transparent certificate metadata.
It retrieves certificate details without relying on OpenSSL verification, ensuring consistent behavior even when certificates are expired, self‑signed, or misconfigured.

Overview

check_cert.py extracts certificate metadata using a deterministic, reproducible inspection pipeline.
It supports expiration checks, SAN enumeration, issuer/subject parsing, and full metadata extraction without depending on system trust stores.
The tool is built around three principles:

1. Determinism — same certificate → same output
2. Reproducibility — metadata extraction works even when verification fails
3. Audit Transparency — all results are explicit, structured, and operator‑friendly

Key Features

1. Deterministic certificate metadata extraction
2. Expiration and remaining‑days reporting
3. Full SAN enumeration (DNS, IP)
4. Issuer and subject parsing
5. Self‑signed and expired certificate handling
6. Reproducible output for monitoring systems

Metadata Extraction

• Common Name (CN)
• Subject Alternative Names (SAN)
• Issuer details
• Validity period (Not Before / Not After)
• Remaining days until expiration
• Serial number and signature algorithm

Deterministic Behavior

• Verification failures never block metadata extraction
• Consistent output regardless of certificate trust state
• Single‑line, operator‑grade log entries
• No hidden state or environment‑dependent behavior

Architecture Overview

1. Connection Layer

Establishes a TLS connection to the target host and retrieves the presented certificate chain.
Timeouts and connection failures return deterministic UNKNOWN/CRITICAL states.

2. Parsing Layer

Converts the certificate into structured Python objects and extracts all relevant metadata.
Parsing is independent of certificate validity or trust.

3. Evaluation Layer

• Expiration threshold checks
• Remaining‑days calculation
• Self‑signed detection
• Metadata completeness validation

4. Output Layer

Produces deterministic, machine‑readable output suitable for Nagios, Icinga, or automation pipelines.
All fields are explicit and reproducible.

Current Status

• Version: 1.0.0
• Edition: Community Edition (public)
• Platform: Linux / Python 3.x
• Dependencies: Standard library + cryptography

Roadmap

Near‑Term

• Chain validation reporting
• OCSP status extraction
• Improved error classification

Mid‑Term

• Full chain traversal and reporting
• Certificate fingerprint comparison
• Enhanced SAN parsing

Long‑Term

• Integration with deterministic renewal pipelines
• Cross‑suite metadata correlation

Why check_cert.py Exists

Traditional certificate checkers often fail when certificates are expired, self‑signed, or misconfigured.
check_cert.py solves this by applying deterministic engineering principles:

1. explicit metadata extraction
2. reproducible output
3. audit‑transparent reporting
4. no reliance on system trust stores

Links

• GitHub Repository
• Documentation
• Usage Examples
• Release Notes

Related Projects

• NMS-Tools
• check_html.py
• check_interfaces.py
• BotScanner