NaviServer Built-in Commands – 5.1.0
ns_certctl - ADP control command
This command is used for managing (server) certificates loaded into NaviServer.
Return information about an X.509 certificate.
The argument cert specifies the certificate and can be either:
the name of a file containing a PEM-encoded certificate, or
a string containing the PEM-encoded certificate itself.
The command returns a Tcl dictionary with information extracted from the certificate. The returned fields include:
Textual representation of the certificate subject distinguished name.
Textual representation of the issuer distinguished name.
Serial number of the certificate (hex-encoded).
Start of the certificate validity period.
End of the certificate validity period.
SHA-256 fingerprint of the certificate (hex-encoded).
Dictionary containing subjectAltName entries, when present. Possible keys include:
dns - list of DNS names
email - list of email addresses
uri - list of URIs (e.g., SPIFFE IDs)
ip - list of IP addresses
The values of notbefore and notafter are formatted using OpenSSL and can be parsed via Tcl's clock scan.
    set info [ns_certctl info /path/to/cert.pem]
    set days [expr {
        ([clock scan [dict get $info notafter]] - [clock seconds]) / 86400.0
    }]
In contrast to ns_conn clientcert, this command operates on static certificate data and does not include connection-specific fields such as present or verified.
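Extending the snippet above, the following added example (not part of the NaviServer documentation) classifies certificate files as not yet valid, expired, expiring soon, or ok, using only the notbefore and notafter fields. The proc names, the 30-day default threshold, and the constructed sample timestamps (including their exact format) are assumptions made for illustration.

```tcl
# Added example; proc names and thresholds are hypothetical.
# Classify a certificate from the dict returned by "ns_certctl info".
# Only the notbefore/notafter keys are consulted.
proc cert_validity_status {info {warnDays 30} {now ""}} {
    if {$now eq ""} { set now [clock seconds] }
    set start [clock scan [dict get $info notbefore]]
    set end   [clock scan [dict get $info notafter]]
    set days  [expr {($end - $now) / 86400.0}]
    if {$now < $start} {
        set status notyetvalid
    } elseif {$now >= $end} {
        set status expired
    } elseif {$days < $warnDays} {
        set status expiring
    } else {
        set status ok
    }
    return [dict create status $status days [format %.1f $days]]
}

# Check a list of PEM files. A file that cannot be read or parsed is
# recorded with status "error" instead of aborting the whole run.
proc cert_check_files {files {warnDays 30}} {
    set report {}
    foreach file $files {
        if {[catch {ns_certctl info $file} info]} {
            dict set report $file [dict create status error detail $info]
        } else {
            dict set report $file [cert_validity_status $info $warnDays]
        }
    }
    return $report
}

# Constructed sample (timestamp format assumed) so the classifier can be
# tried in a plain tclsh, where ns_certctl is not available.
set sample [dict create \
    notbefore "Jan  1 00:00:00 2025 GMT" \
    notafter  "Jan 31 00:00:00 2025 GMT"]
set now [clock scan "Jan 21 00:00:00 2025 GMT"]
puts [cert_validity_status $sample 30 $now]
```

Inside a running server, call cert_check_files with the paths of the configured certificate files and act on any entry whose status is not ok.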
List the loaded certificates and their expiry dates.
Reload the certificates in use from disk. This is needed, for example, when expired certificates have been renewed and the new ones should be loaded into a running NaviServer instance.