Check xca-cert


If you are using XCA by Christian Hohnstädt (an application that is intended for creating and managing X.509 certificates, certificate requests, RSA, DSA and EC private keys, Smart-cards and CRLs) with „Remote Databases“ feature enabled, this plugin lets you check the expiration date of any certificate within those XCA MySQL/MariaDB databases. CRLs are also taken into account.


Fact Sheet

Check Plugin Download

Check Interval Recommendation

Once a day

Can be called without parameters


Compiled for



User with SELECT privileges on the XCA database, locked down to - for example monitoring\@ Usernames in MySQL/MariaDB are limited to 16 chars in specific versions.

3rd Party Python modules



usage: xca-cert [-h] [-V] [-c CRIT] [--defaults-file DEFAULTS_FILE]
                [--defaults-group DEFAULTS_GROUP] [--prefix PREFIX]
                [--timeout TIMEOUT] [-w WARN]

Checks expiration date of certificates in a XCA based MySQL/MariaDB database.

  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit
  -c CRIT, --critical CRIT
                        Set the critical for the expiration date in days.
                        Default: 5
  --defaults-file DEFAULTS_FILE
                        Specifies a cnf file to read parameters like user,
                        host and password from (instead of specifying them on
                        the command line), for example
                        `/var/spool/icinga2/.my.cnf`. Default:
  --defaults-group DEFAULTS_GROUP
                        Group/section to read from in the cnf file. Default:
  --prefix PREFIX       Set the table prefix of the XCA database.
  --timeout TIMEOUT     Network timeout in seconds. Default: 3 (seconds)
  -w WARN, --warning WARN
                        Set the warning for the expiration date in days.
                        Default: 14

Usage Examples

./xca-cert --prefix xca_prefix_ --warning 14 --critical 5


39 Certificates and 1 CRL checked.

commonName                 ! CA ! Serial  ! State ! Expiry date
LF Root CA SHA 384         ! y  ! 4F389A7 ! [OK]  ! 2022-03-12 23:59:59
Linuxfabrik App CA SHA 384 ! y  ! 48B7851 ! [OK]  ! 2022-03-12 23:59:59
server1                    ! n  ! 6485ECE ! [OK]  ! 2021-12-01 14:49:00       ! n  ! 19EE889 ! [OK]  ! 2021-12-24 14:56:00       ! n  ! 3C74DEF ! [OK]  ! 2021-12-26 14:58:00

commonName                 ! State ! Expiry date
Linuxfabrik App CA SHA 384 ! [OK]  ! 2023-07-13 07:52:00


  • WARN or CRIT if a certificate expires within a given threshold.

Perfdata / Metrics

There is no perfdata.

Credits, License