Check xca-cert


If you are using XCA by Christian Hohnstädt (an application that is intended for creating and managing X.509 certificates, certificate requests, RSA, DSA and EC private keys, Smart-cards and CRLs) with „Remote Databases“ feature enabled, this plugin lets you check the expiration date of any certificate within those XCA MySQL/MariaDB databases. CRLs are also taken into account.


  • This check works with MySQL/MariaDB backend only, although XCA is supporting PostgreSQL as well.

  • We recommend to run this check directly on your database host.

Fact Sheet

Check Plugin Download

Check Interval Recommendation

Once a day

Can be called without parameters


Available for

Python 2, Python 3


Python module mysql.connector; User with SELECT privileges on the XCA database, locked down to - for example mon-xca@ Usernames in MySQL/MariaDB are limited to 16 chars in specific versions.


usage: xca-cert [-h] [-V] [-c CRIT] [--database DATABASE] [-H HOSTNAME]
                [-p PASSWORD] [--prefix PREFIX] [-u USERNAME] [-w WARN]

Checks expiration date of certificates in a XCA based MySQL/MariaDB database.

optional arguments:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit
  -c CRIT, --critical CRIT
                        Set the critical for the expiration date in days.
                        Default: 5
  --database DATABASE   Set the MySQL database running the XCA database.
                        Default: xca
  -H HOSTNAME, --hostname HOSTNAME
                        Set the hostname of the MySQL server running the XCA
                        database. Default: localhost
  -p PASSWORD, --password PASSWORD
                        Set the password for the MySQL server running the XCA
                        database. Default:
  --prefix PREFIX       Set the table prefix of the XCA database.
  -u USERNAME, --username USERNAME
                        Set the username for the MySQL server running the XCA
                        database. Default: root
  -w WARN, --warning WARN
                        Set the warning for the expiration date in days.
                        Default: 14

Usage Examples

./xca-cert --hostname localhost --database xca --username dbuser --password dbpass --prefix xca_prefix_ --warning 14 --critical 5


39 Certificates and 1 CRL checked.

commonName                 ! CA ! Serial  ! State ! Expiry date
LF Root CA SHA 384         ! y  ! 4F389A7 ! [OK]  ! 2022-03-12 23:59:59
Linuxfabrik App CA SHA 384 ! y  ! 48B7851 ! [OK]  ! 2022-03-12 23:59:59
server1                    ! n  ! 6485ECE ! [OK]  ! 2021-12-01 14:49:00       ! n  ! 19EE889 ! [OK]  ! 2021-12-24 14:56:00       ! n  ! 3C74DEF ! [OK]  ! 2021-12-26 14:58:00

commonName                 ! State ! Expiry date
Linuxfabrik App CA SHA 384 ! [OK]  ! 2023-07-13 07:52:00


  • WARN or CRIT if a certificate expires within a given threshold.

Perfdata / Metrics

There is no perfdata.

Credits, License