Why I Wrote a Certificate Health Script

I don’t want to discover expired certificates only when things are already broken and the logs scream "tls: expired certificate".

So I wrote a small script to:

  • walk through relevant directories on my VPS,
  • read all .crt / .pem / .cer files,
  • and print for each one:
      • notBefore,
      • notAfter,
      • a status (VALID, EXPIRES_SOON, EXPIRED).

This script is small, but it changes how I feel about my PKI: less guessing, more visibility.

What the Script Checks

It looks under:

  • /root/vault/offline-root (root CAs),
  • /root/vault/ca (intermediate CAs),
  • /root/vault/tls-admin (admin client certs),
  • and optionally /home/*/tls-* (service certs per user).

For each certificate it prints something like:

FILE                                                             NOT AFTER                 STATUS
/root/vault/tls-admin/test/admin.crt                             Dec  2 22:19:02 2025 GMT EXPIRED
/root/vault/ca/test-ca.pem                                       Sep 23 09:22:38 2030 GMT VALID

This tells me quickly what is broken and what is still safe.

What I Want Next

The next step is to:

  • run this script on a timer (cron or systemd),
  • send myself a warning if anything is in EXPIRES_SOON,
  • and integrate this into my overall Vault/infra runbooks.
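As an added example (not the author's own script), here is one way to implement the sweep described above in Python, and to give it the exit status the "run on a timer and warn me" plan needs. It shells out to openssl (`openssl x509 -noout -dates`) for each file, tries DER after PEM so binary .cer files are covered, and classifies each validity window. Assumptions beyond what the post states: the 30-day EXPIRES_SOON threshold, an extra NOT_YET_VALID status for certificates whose notBefore is still in the future (clock skew or a pre-issued cert would otherwise show as VALID), unreadable files reported as ERROR rows instead of being skipped, and a non-zero exit when anything is not VALID so that a cron MAILTO or a systemd OnFailure= hook delivers the warning.

```python
#!/usr/bin/env python3
"""Certificate expiry sweep (added example, not the post author's script).

Walks the directories from the post, asks `openssl x509 -noout -dates` for each
certificate's validity window and classifies it. Assumptions: the 30-day
EXPIRES_SOON threshold, the extra NOT_YET_VALID status, ERROR rows for files
openssl cannot read, and a non-zero exit when anything needs attention.
"""
import glob
import os
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Directories named in the post; the last one is a glob over per-user dirs.
SEARCH_GLOBS = ["/root/vault/offline-root", "/root/vault/ca",
                "/root/vault/tls-admin", "/home/*/tls-*"]
CERT_SUFFIXES = (".crt", ".pem", ".cer")
WARN_DAYS = 30  # assumption: warn when fewer than 30 days of validity remain


def parse_openssl_time(text):
    """Parse openssl's 'Dec  2 22:19:02 2025 GMT' into an aware UTC datetime.
    The double space openssl prints before single-digit days is collapsed."""
    normalized = " ".join(text.split())
    return datetime.strptime(normalized, "%b %d %H:%M:%S %Y GMT").replace(
        tzinfo=timezone.utc)


def parse_dates_output(output):
    """Turn the 'notBefore=...' / 'notAfter=...' lines into two datetimes."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("notBefore", "notAfter"):
            fields[key.strip()] = parse_openssl_time(value)
    return fields["notBefore"], fields["notAfter"]


def classify(not_before, not_after, now=None, warn_days=WARN_DAYS):
    """Map a validity window to a status string, relative to `now` (UTC)."""
    now = now or datetime.now(timezone.utc)
    if now < not_before:
        return "NOT_YET_VALID"  # clock skew, or a cert issued for the future
    if now >= not_after:
        return "EXPIRED"
    if now + timedelta(days=warn_days) >= not_after:
        return "EXPIRES_SOON"
    return "VALID"


def read_validity(path):
    """Ask openssl for the dates; try PEM first, then DER for binary .cer files."""
    for inform in ("PEM", "DER"):
        proc = subprocess.run(
            ["openssl", "x509", "-in", path, "-inform", inform, "-noout", "-dates"],
            capture_output=True, text=True)
        if proc.returncode == 0:
            return parse_dates_output(proc.stdout)
    raise ValueError("not a readable PEM or DER certificate")


def find_certificates(patterns=SEARCH_GLOBS, suffixes=CERT_SUFFIXES):
    """Expand the directory globs and collect every file with a cert suffix."""
    found = set()
    for pattern in patterns:
        for base in glob.glob(pattern):
            for root, _dirs, files in os.walk(base):
                found.update(os.path.join(root, f) for f in files if f.endswith(suffixes))
    return sorted(found)


def report(paths=None, now=None):
    """Return (path, not_before, not_after, status) rows. Unreadable files become
    ERROR rows so they stay visible instead of being silently skipped."""
    rows = []
    for path in paths if paths is not None else find_certificates():
        try:
            not_before, not_after = read_validity(path)
        except (ValueError, OSError) as exc:  # OSError: openssl not installed
            rows.append((path, None, None, f"ERROR {exc}"))
            continue
        rows.append((path, not_before, not_after, classify(not_before, not_after, now)))
    return rows


def needs_attention(rows):
    """True if any row is anything other than VALID; drives the exit status."""
    return any(status != "VALID" for _, _, _, status in rows)


def fmt(dt):
    return dt.strftime("%b %d %H:%M:%S %Y GMT") if dt else "-"


if __name__ == "__main__":
    rows = report()
    print(f"{'FILE':<64} {'NOT BEFORE':<25} {'NOT AFTER':<25} STATUS")
    for path, nb, na, status in rows:
        print(f"{path:<64} {fmt(nb):<25} {fmt(na):<25} {status}")
    sys.exit(1 if needs_attention(rows) else 0)
```

Run it by hand to get the table; on a timer, a cron line such as `MAILTO=root` followed by `0 6 * * * /usr/local/bin/cert-health.py` (assumed path) mails the full report only when the exit status is non-zero is not how cron works, so note the distinction: cron mails any output regardless of exit code, whereas a systemd service with `OnFailure=` reacts to the exit status alone. Keeping the "anything not VALID" decision in `needs_attention()` is what lets either scheduler do the alerting without parsing the table.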