The process is to export the certificates to .crt files in the /tmp directory. Next, run a script that scans all of the .crt files for expired certificates, and then revoke every certificate that is expired.
- Create gencerts.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import re
import os
import subprocess
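class SearchFunctions(object):
    """Split raw ``certool --enumcert`` output into individual PEM certificate blocks.

    Attributes:
        GetData: list of ``bytes``, one complete ``-----BEGIN CERTIFICATE-----``
            ... ``-----END CERTIFICATE-----`` block per match, in the order
            they appear in the input.
    """

    # A raw bytes literal: the original non-raw b"...\s" only worked because
    # the bytes parser leaves unknown escapes alone, which newer Pythons warn
    # about.  Non-greedy ``.*?`` keeps consecutive certificates from being
    # merged into one match.  The trailing whitespace is optional so the last
    # block is still found when the output has no final newline; when one is
    # present it is consumed exactly as before.
    _CERT_BLOCK = re.compile(
        br"^-+BEGIN CERTIFICATE-+.*?-+END CERTIFICATE-+\s?",
        re.DOTALL | re.MULTILINE,
    )

    def __init__(self, rawdatas):
        """Parse *rawdatas* (bytes) and store every certificate block in ``GetData``."""
        # The pattern has no capture groups, so findall() returns whole matches.
        self.GetData = self._CERT_BLOCK.findall(rawdatas)  ###### get results
        print("-- Done with data parse.")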
###### Main parse class: writes one file per certificate block
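class dataParse(object):
    """Write each certificate found in *rawdatas* to its own ``certN.crt`` file.

    Files are numbered from 1 in the order ``SearchFunctions`` returns them.
    The names are relative, so without *out_dir* they land in the current
    working directory; an existing file with the same name is overwritten.

    Args:
        rawdatas: bytes output of ``certool --enumcert``.
        out_dir: optional directory to write into.  ``None`` keeps the
            original behaviour of writing into the current directory.
    """

    def __init__(self, rawdatas, out_dir=None):
        print("\n-- Running data parse...")
        sa = SearchFunctions(rawdatas)
        print("-- Begin writing certs to files...")
        # enumerate() replaces the hand-maintained counter; start=1 keeps the
        # original cert1.crt, cert2.crt, ... naming.
        for count, block in enumerate(sa.GetData, start=1):
            file_name = 'cert%s.crt' % count
            if out_dir is not None:
                file_name = os.path.join(out_dir, file_name)
            with open(file_name, 'w') as f:
                print("- Writing cert to %s" % file_name)
                f.write(block.decode("utf-8"))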
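def main():
    """Enumerate every certificate certool reports and write each to certN.crt.

    Runs certool with ``--filter=all`` (so the enumeration is not restricted
    to a subset) and hands the raw output to ``dataParse``.  A missing or
    failing certool is reported on stderr and the script exits with status 1
    instead of dumping a traceback.
    """
    print("-- Enumerating certs. Counting...")
    try:
        p = subprocess.check_output(
            ["/usr/lib/vmware-vmca/bin/certool", "--enumcert", "--filter=all"]
        )
    except (OSError, subprocess.CalledProcessError) as err:
        # sys.stderr.write() rather than print(file=...) keeps the script
        # runnable under the unversioned "python" the shebang selects.
        sys.stderr.write("-- certool enumeration failed: %s\n" % err)
        sys.exit(1)
    dataParse(p)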
# Script entry point: run only when executed directly, not when imported.
if __name__ == '__main__':
    main()
- Run ./gencerts.py from within /tmp (it writes the certN.crt files into the current directory, which is where the revoke step below expects them)
- Create find-expired.sh (the name must match the ./find-expired.sh invocation below)
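#!/bin/bash
# find-expired.sh CERTFILE [SECONDS]
#
# Checks one PEM certificate with `openssl x509 -checkend` and appends its
# file name to expiredcerts.txt when it is flagged.  SECONDS defaults to
# 86400, the value the original script hard-coded.  Note that -checkend N
# prints "Certificate will expire" for any certificate whose notAfter falls
# within the next N seconds, so with the default a certificate that is still
# valid for up to a day is listed (and later revoked) as well.  Pass 0 to
# flag only certificates that have already expired.
#
# openssl's stderr is discarded as before, so an unreadable or non-PEM file
# ends up in the "problem checking" branch instead of aborting the loop.

CERTFILE=${1:?usage: $0 CERTFILE [SECONDS]}
CHECKEND=${2:-86400}
OUTFILE=expiredcerts.txt

# Run openssl once and keep its verdict (the original invoked it twice).
# Variables are quoted so file names with spaces or glob characters are
# passed through intact.
RESULT=$(openssl x509 -checkend "$CHECKEND" -in "$CERTFILE" 2> /dev/null)

# Substring matches, as grep did; "will not expire" does not contain
# "will expire", so the branches do not overlap.
case "$RESULT" in
    *"Certificate will not expire"*)
        echo "$CERTFILE is still valid. Skipping..."
        ;;
    *"Certificate will expire"*)
        echo -e "\nCertificate is expired! Adding $CERTFILE to $OUTFILE...\n"
        echo "$CERTFILE" >> "$OUTFILE"
        ;;
    *)
        echo -e "\nthere was a problem checking the cert. ignoring $CERTFILE.\n"
        ;;
esac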
- Run "for i in $(ls cert*.crt); do ./find-expired.sh $i ; done"
- Run "for i in $(cat expiredcerts.txt); do /usr/lib/vmware-vmca/bin/certool --revokecert --cert /tmp/$i ;done"
- Validate that all of the certificates have been revoked, then delete the snapshot you created.