Monitoring (intermediate) cert expiry date


I am currently familiarizing myself with Vault. Certificates are later generated or signed there by several intermediate CAs.

To monitor the expiry date, I am currently calling up the serial numbers of all certificates (/ v1 / pki / certs), reading them out in a loop ( /v1/pki/cert/ff-ff-ff…), converting the X509 to text with the help of openssl and then looking for “NotAfter”.
Is there an easier way?
And: How can I monitor the expiry date of the intermediate certificate?

Grateful for any advice

1 Like

I’m also curious about this. Because I’m already using Telegraf as part of my telemetry monitoring of Vault and Consul, I’m thinking about going down this route:

Moin, thanks for your answer.

I can see: Telegraf monitoring is interesting. With us, it is difficult to monitor the services of (internal) customers. Hence my approach to monitor the expiry date in vault myself - because I can be sure that these, and only these, certificates are productive somewhere and have to be replaced if necessary.

This has been resolved for the server certificates, but not yet for the intermediate certificates

echo -e $(curl --request GET --insecure https://vault.local/v1/pki/cert/ff-ff-ff-ff..... | jq .data.certificate | sed -e 's/^"//' -e 's/"$//') | openssl x509 -text -noout | grep "Not After" | sed s/"Not After : "// | date -d - +%s 2> /dev/null does not help with such questions :frowning:

Ah, I see. That method should work for all certificates stored in Vault, though, shouldn’t it? Is it maybe a path issue you’re facing? For example, I can’t check my intermediate CA’s certificate on the same path that I use to check all the certificates that it signs: all those certificates are at:


While my intermediate CA’s certificate, which was signed by my root CA, is at:



Bummer, I get an error back.
According to I generated a Root CA and an Intermediate CA (Step 1-4 and Step 1-5).
Now I should have an CA and it’s intermediate.
It is possible to list it:

[root@vault ~]# curl --header "X-Vault-Token: s.****************" --request LIST --cacert /opt/vault/tls/vault_ca.pem | jq  
  "request_id": "a49b5e20-84ee-d84f-bd49-ee71e0a783b1",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "keys": [
  "wrap_info": null,
  "warnings": null,
  "auth": null

But when I try to read is it is something different:
[root@vault ~]# curl --header “X-Vault-Token: s.*******” --request GET --cacert /opt/vault/tls/vault_ca.pem | jq .data.certificate | openssl x509 -text -noout

unable to load certificate
139621279737744:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE

I am sure to signed the request. I am in a lost.

Actually, I think you’ve almost got it there; to confirm, what’s sent to stdout when you take off that last command? So, the output of your jq command?

Isn’t it something like this?


And so it’ll work if you use the raw (-r) flag, won’t it? As in:

... | jq -r .data.certificate | openssl...

Or maybe I’m missing something.

1 Like

Oh dear, was it really that easy? The -r switch does everything I need. So far I had used a complicated echo -e and sed -e ‘s / ^ "//’ -e ‘s /" $ //’ - but forgot this. With jq -r it’s a lot easier … I’m one step further!

1 Like