Automating Certificate Expiration Management with Jenkins and Python
Certificate expiration management is a critical aspect of maintaining a secure and reliable IT infrastructure. However, it can be a time-consuming and error-prone task, especially when dealing with multiple certificates across different domains and systems. In this blog post, we will explore how to automate certificate expiration management using Jenkins and Python.
Why Use Jenkins for Certificate Expiration Management?
Jenkins is an open-source automation tool that excels at enabling engineers to automatically execute and test code. However, it has a hidden superpower: automating boring and intensive IT tasks, such as certificate expiration management. By using Jenkins to manage certificate expiration, we can save time and reduce the risk of human error.
Python is an excellent choice for certificate expiration management due to its simplicity and flexibility. Python’s dynamic typing makes it easy to map out the data types we need, and its vast array of libraries and tools allows us to easily interact with files and I/O.
How to Automate Certificate Expiration Management with Jenkins and Python
To get started, we will need to create an inventory file that contains the necessary information about our certificates. We can use a simple JSON format to store the data, such as:
```json
[
  {
    "fqdn": "vcenter.engyak.co",
    "port": 443
  },
  {
    "fqdn": "nsx.engyak.co",
    "port": 443
  }
]
```
Next, we will need to write a Python script that can retrieve the expiration dates of our certificates and send an email notification if any certificates are near expiration or have already expired. Here is an example script:
```python
import datetime
import json
import re
import smtplib
import ssl
import subprocess
from email.mime.text import MIMEText

# Define the inventory file path
inventory_file = 'path/to/inventory.json'

# Define the SMTP server settings
smtp_server = 'smtp.example.com'
smtp_port = 25
smtp_auth = ('username', 'password')  # placeholders; do not commit real credentials

# Define the email sender, recipient and subject
sender = 'certificate-expiration@example.com'
recipient = 'expiration@example.com'
subject = 'Certificate Expiration Notification'


def get_expiration_date(fqdn, port):
    # Fetch the server certificate as PEM. No chain validation happens here,
    # so expired and self-signed certificates can still be inspected.
    pem = ssl.get_server_certificate((fqdn, port))
    # Use OpenSSL to retrieve the expiration date,
    # printed as e.g. "notAfter=Jun  1 12:00:00 2030 GMT"
    output = subprocess.check_output(
        ['openssl', 'x509', '-noout', '-enddate'], input=pem, text=True)
    expiration_line = re.search(r'notAfter=(.+)', output).group(1).strip()
    expiration_date = datetime.datetime.strptime(expiration_line, '%b %d %H:%M:%S %Y GMT')
    # Return a date so it compares cleanly with datetime.date.today()
    return expiration_date.date()


def send_email(recipient, subject, message):
    # Use Python's built-in email library to send an email
    message = MIMEText(message)
    message['Subject'] = subject
    message['From'] = sender
    message['To'] = recipient
    server = smtplib.SMTP(smtp_server, smtp_port)
    # Verify the mail server's certificate before sending credentials
    server.starttls(context=ssl.create_default_context())
    server.login(smtp_auth[0], smtp_auth[1])
    server.sendmail(sender, [recipient], message.as_string())
    server.quit()


# Load the inventory file into a JSON object
with open(inventory_file, 'r') as f:
    inventory = json.load(f)

# Iterate over the inventory and retrieve the expiration dates
today = datetime.date.today()
for item in inventory:
    fqdn = item['fqdn']
    port = item['port']
    expiration_date = get_expiration_date(fqdn, port)
    if expiration_date < today:
        # Send an email notification if the certificate has expired
        send_email(recipient, subject, f"Certificate {fqdn}:{port} has expired")
    elif expiration_date <= today + datetime.timedelta(days=7):
        # Send an email notification if the certificate is near expiration
        send_email(recipient, subject, f"Certificate {fqdn}:{port} is near expiration")
```
To use this script with Jenkins, we will need to create a Jenkins job that runs the script and sends an email notification if any certificates are near expiration or have already expired. We can use the Jenkins built-in email sending feature to send the notifications.
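If Jenkins itself sends the mail, the check only has to report through its exit code: a shell build step fails on a non-zero exit, and the job's failure notification does the rest. The following is an added example, not code from the original post; it uses Python's `ssl` module instead of the `openssl` CLI, and the function names, the injectable `fetch` parameter and the 5-second timeout are assumptions of this example.

```python
import datetime
import json
import socket
import ssl
import sys

WARN_DAYS = 7  # same 7-day window as the script above
UTC = datetime.timezone.utc


def fetch_not_after(fqdn, port, timeout=5.0):
    """Handshake with fqdn:port and return the leaf certificate's notAfter (UTC).

    The context verifies the chain and hostname, so an expired, self-signed or
    mismatched certificate raises ssl.SSLError, which is reported as ERROR.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((fqdn, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            not_after = tls.getpeercert()["notAfter"]
    return datetime.datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), UTC)


def check_inventory(inventory, now, fetch=fetch_not_after):
    """Return (findings, exit_code); exit_code is 1 if any entry needs attention."""
    findings = []
    for item in inventory:
        target = f"{item['fqdn']}:{item['port']}"
        try:
            not_after = fetch(item["fqdn"], item["port"])
        except (OSError, ValueError) as exc:  # DNS, timeout, refused, TLS failure
            findings.append((target, "ERROR", str(exc)))
            continue  # one unreachable host must not hide the others
        if not_after <= now:
            findings.append((target, "EXPIRED", f"expired {not_after:%Y-%m-%d}"))
        elif not_after - now <= datetime.timedelta(days=WARN_DAYS):
            findings.append((target, "EXPIRING", f"expires {not_after:%Y-%m-%d}"))
    return findings, (1 if findings else 0)


if __name__ == "__main__":
    with open(sys.argv[1]) as f:  # path to the inventory JSON shown earlier
        inventory = json.load(f)
    findings, exit_code = check_inventory(inventory, datetime.datetime.now(UTC))
    for target, status, detail in findings:
        print(f"{status:9} {target} {detail}")
    sys.exit(exit_code)
```

Each finding is printed to the build log, so the Jenkins notification can link straight to the list of certificates that need attention.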
Conclusion
Certificate expiration management is an essential aspect of maintaining a secure and reliable IT infrastructure. By using Jenkins and Python, we can automate this task, save time, and reduce the risk of human error. With this script, we can easily retrieve the expiration dates of our certificates and send an email notification if any certificates are near expiration or have already expired.