step certificate needs-renewal -- Check if a certificate needs to be renewed
step certificate needs-renewal <cert-file or hostname>
[--expires-in=<percent|duration>] [--roots=<root-bundle>] [--servername=<servername>]
step certificate needs-renewal returns '0' if the certificate needs
to be renewed based on its remaining lifetime. Returns '1' if the certificate is
within its validity lifetime bounds and does not need to be renewed. Returns
'255' for any other error. By default, a certificate "needs renewal" when it has
passed 66% (default threshold) of its allotted lifetime. This threshold can be
adjusted using the '--expires-in' flag.
cert-file or hostname
The path to a certificate OR a hostname with protocol prefix.
--expires-in=<percent|duration>
Check if the certificate expires within the given time window
using percent|duration. If using percent, the input must be followed by a "%"
character. If using duration, the input must be a sequence of decimal numbers,
each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m".
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
--roots=<root-bundle>
Root certificate(s) that will be used to verify the
authenticity of the remote server.
roots is a case-sensitive string and may be one of:
file: Relative or full path to a file. All certificates in the file will be used for path validation.
list of files: Comma-separated list of relative or full file paths. Every PEM encoded certificate from each file will be used for path validation.
directory: Relative or full path to a directory. Every PEM encoded certificate from each file in the directory will be used for path validation.
--servername=<servername>
TLS Server Name Indication that should be sent to request a specific certificate from the server.
This command returns '0' if the X509 certificate needs renewal, '1' if the
X509 certificate does not need renewal, '2' if the X509 certificate file does not
exist, and '255' for any other error.
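The threshold rule from the description and the '--expires-in' option, worked through as an added Go example (not step's own code). It assumes a percent is compared against the share of the lifetime already elapsed and a duration against the time remaining until expiry; `needsRenewal` and the sample dates are hypothetical.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// defaultThreshold mirrors the 66% default described on this page.
const defaultThreshold = 66.0

// needsRenewal is a hypothetical helper, not step's implementation.
// expiresIn is "" (default), "NN%" or a Go duration such as "2h45m".
func needsRenewal(notBefore, notAfter, now time.Time, expiresIn string) (bool, error) {
	total := notAfter.Sub(notBefore)
	if total <= 0 {
		return false, fmt.Errorf("notAfter must be later than notBefore")
	}
	remaining := notAfter.Sub(now)
	usedPct := (1 - remaining.Seconds()/total.Seconds()) * 100
	switch {
	case expiresIn == "":
		return usedPct >= defaultThreshold, nil
	case strings.HasSuffix(expiresIn, "%"):
		pct, err := strconv.ParseFloat(strings.TrimSuffix(expiresIn, "%"), 64)
		if err != nil || pct < 0 || pct > 100 {
			return false, fmt.Errorf("invalid percent %q", expiresIn)
		}
		return usedPct >= pct, nil // assumption: percent of lifetime elapsed
	default:
		window, err := time.ParseDuration(expiresIn)
		if err != nil {
			return false, fmt.Errorf("invalid duration %q: %w", expiresIn, err)
		}
		return remaining <= window, nil // assumption: time left before expiry
	}
}

func main() {
	// Constructed sample: a 24h certificate checked 20h after issuance.
	nb := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	na := nb.Add(24 * time.Hour)
	now := nb.Add(20 * time.Hour)
	for _, in := range []string{"", "90%", "6h", "1h30m"} {
		renew, err := needsRenewal(nb, na, now, in)
		fmt.Printf("expires-in=%q renew=%v err=%v\n", in, renew, err)
	}
}
```

An already expired certificate has negative remaining time, so it is reported as needing renewal under every threshold form.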
Check if certificate.crt has passed 66 percent of its validity period: