I was curious how everyone sets up the SSL Certificate Expiration template in their environment. Do you add the URL as a node or do you set it up as an external node?
There are a few ways to do this; some prefer more than others, but each company is different.
Looking for unknowns?
If it's Windows, use custom PowerShell to pull that information out of the cert store on the server monitoring. The 2nd piece of this is to tie it into the application monitor. For IIS, App Insight is awesome.
CA
Certificate Monitor
Web Service SSL
SSL Certificate Expiration Date Monitor
I use the SSL Certificate Expiration Date Monitor and HTTPS Monitor grouped together as a "SSL Applications" app in SAM. Alerts are also built off the data these monitors pull back.
I'd like to write a report that runs monthly, however I think that's going to take a SQL report to accomplish and haven't gotten there yet.
The only issue I have with AppInsight IIS is you can't create a certificate expiration trigger off the IIS SSL component. If you can, please someone show us...
SCOM does it brilliantly. I can export Excel sheets of all of my certificates and their expiration dates (PMs love this), and I get alerts 7 days out when they're about to expire. I took out server names in the screenshot. I don't know how people live without this feature. My SolarWinds clients beg for this, maybe someday we will have it in Solar. So crystal clean in SCOM...
I set up a recurring report on ssl certificates. I used the one out of the box, but changed it to sort on days left so the shortest days left is presented at the top. I set this weekly to run and to go to the people who work on SSL certs. The trigger is the report schedule.
*edit* Not sure how this thread bubbled back up to the top of my browse so far after the fact. At the time it was written SCM wasn't around, but this answer is still valid from this summer forward...
With the way SAM monitors are set up it's pretty hard to recreate that effect, but it's almost trivially easy to do it in SCM. I just whipped this PowerShell up with ~5 min of googling that could be used there to get a list of all localmachine certs expiring in the next 90 days, and then we just report or alert on it however we need to.
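# Certificates in any LocalMachine store that expire within the next 90 days (NotAfter is local time)
$later = (Get-Date).AddDays(90)
$certs = Get-ChildItem Cert:\LocalMachine -Recurse | Where-Object -Property NotAfter -ne $null | Where-Object -Property NotAfter -lt $later
# Format-List output cannot be piped on to Format-Table, so emit the list directly
$certs | Format-List -Property PSParentPath, FriendlyName, NotAfter, Subject, Issuer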
As a SAM component I would need to manipulate this list to get a count of them and try to turn the names into a giant concatted string, which would get pretty painful fast. SAM components are not really built around getting lists of things; it's more focused on "check this one thing and tell me if it's good or not."
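An added example, not code from the posts in this thread: one way to collapse the certificate list into the single number and message string a SAM Windows PowerShell Script Monitor reports. It assumes the monitor's `Statistic:` / `Message:` output lines and its exit codes (0 up, 2 warning, 3 critical); the thresholds and the name cap are constructed values.

```powershell
# Added example: summarise expiring LocalMachine certificates as one statistic
# plus one message string. Thresholds below are constructed assumptions.
$WarnDays = 90   # same 90-day window as the snippet in the post above
$CritDays = 7    # assumed critical threshold
$MaxNames = 10   # assumed cap so the concatenated message stays readable

$now   = Get-Date                 # NotAfter is local time, so compare in local time
$later = $now.AddDays($WarnDays)

# Keep certificate objects only (store containers are skipped), already expired
# or expiring inside the window, soonest first. Recursing all of LocalMachine
# also returns root and intermediate stores; point at Cert:\LocalMachine\My
# instead to limit the check to server certificates.
$certs = @(Get-ChildItem Cert:\LocalMachine -Recurse |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
    Where-Object { $_.NotAfter -lt $later } |
    Sort-Object NotAfter)

if ($certs.Count -eq 0) {
    Write-Host "Statistic: 0"
    Write-Host "Message: No certificates expire within $WarnDays days"
    exit 0   # up
}

# Build "name (N d)" entries for the first $MaxNames certificates.
$names = $certs | Select-Object -First $MaxNames | ForEach-Object {
    $label = if ($_.FriendlyName) { $_.FriendlyName } else { $_.Subject }
    $days  = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
    "$label ($days d)"
}
$message = $names -join '; '
if ($certs.Count -gt $MaxNames) {
    $message += "; +$($certs.Count - $MaxNames) more"
}

Write-Host "Statistic: $($certs.Count)"
Write-Host "Message: $message"

# Critical if the soonest certificate is inside the critical window
# (or already expired, which gives a negative value), otherwise warning.
$soonest = ($certs[0].NotAfter - $now).TotalDays
if ($soonest -le $CritDays) { exit 3 } else { exit 2 }
```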
An easier approach for bulk SSL certificate remote monitoring is available at https://zeglory.com/ssl-monitoring-using-scom-with-powershell-and-dot-net-net-sealed-mp/
There are some very good and easy solutions which are available at no cost. For example, have a look at https://zeglory.com/ssl-monitoring-using-scom-with-powershell-and-dot-net-net-sealed-mp/