vault-ops/infra/versions/check_vault_certs-v1.0.sh

#!/usr/bin/env bash
set -euo pipefail

# Standard-Basisverzeichnis – kann per Argument überschrieben werden
BASE_DIR="${1:-/root/vault}"

if [ ! -d "$BASE_DIR" ]; then
  echo "Base directory '$BASE_DIR' does not exist." >&2
  exit 1
fi

echo "Scanning certificates under: $BASE_DIR"
echo

# Header
printf "%-70s %-24s %-24s %-12s %s\n" "FILE" "NOT BEFORE" "NOT AFTER" "STATUS" "SUBJECT CN/NAME"
printf "%0.s-" $(seq 1 140)
echo

NOW_EPOCH=$(date +%s)
SOON_DAYS=30
SOON_SEC=$((SOON_DAYS * 24 * 60 * 60))

# find alle Zertifikats-Dateien
while IFS= read -r -d '' f; do
  # Versuche, das als Zertifikat zu interpretieren
  if ! info=$(openssl x509 -in "$f" -noout -dates 2>/dev/null); then
    # keine Zertifikats-Datei (z.B. Key) -> überspringen
    continue
  fi

  notBefore=$(echo "$info" | sed -n 's/^notBefore=//p')
  notAfter=$(echo "$info"  | sed -n 's/^notAfter=//p')

  # Epochenzeiten bestimmen
  end_epoch=$(date -d "$notAfter" +%s 2>/dev/null || echo "")
  start_epoch=$(date -d "$notBefore" +%s 2>/dev/null || echo "")

  status="UNKNOWN"

  if [ -n "$end_epoch" ]; then
    if [ "$end_epoch" -lt "$NOW_EPOCH" ]; then
      status="EXPIRED"
    else
      remaining=$((end_epoch - NOW_EPOCH))
      if [ "$remaining" -le "$SOON_SEC" ]; then
        status="EXPIRES_SOON"
      else
        status="VALID"
      fi
    fi
  fi

  # Subject / CN ermitteln
  subject=$(openssl x509 -in "$f" -noout -subject 2>/dev/null | sed 's/^subject=//')
  # Versuche, CN rauszuziehen – wenn das nicht klappt, den kompletten Subject anzeigen
  cn=$(echo "$subject" | sed -n 's/.*CN *= *\([^,\/][^,\/]*\).*/\1/p')
  if [ -z "$cn" ]; then
    cn="$subject"
  fi

  # Ausgabe kürzen, falls Pfad sehr lang
  short_file="$f"
  if [ "${#short_file}" -gt 68 ]; then
    short_file="...${short_file: -65}"
  fi

  printf "%-70s %-24s %-24s %-12s %s\n" \
    "$short_file" "$notBefore" "$notAfter" "$status" "$cn"

done < <(find "$BASE_DIR" -type f \( -name '*.crt' -o -name '*.pem' -o -name '*.cer' \) -print0)