
SSL Cert Expiration Date Monitor/Alert

Trying to find a way to monitor on an approaching SSL cert expiration date. These are mostly on Linux boxes running Net-SNMP and where APM cannot ssh to due to a private key exchange requirement. Any ideas would be greatly appreciated.

0 Kudos
30 Replies
Product Manager

Is this for web server certificates?

0 Kudos

The solutions I mentioned above can monitor web server certificates. They can also monitor certificates used to protect other protocols with SSL/TLS such as smtps, pop3s, ldaps etc. 

0 Kudos

There are a number of solutions available for monitoring SSL certificates for expiration. There are scripts that call openssl to grab the cert, parse it, and email out alerts as required. For example this one:

    SSLCheck 

There are also dedicated tools that will discover the certs deployed on a network, inventory them, monitor them and send out expiry alerts. For example:

    SSL Certificate Expiry Monitor

There are also solutions that support automatic certificate renewal and installation; such as the Certificate Lifecycle Manager from Trustwave.

   Certificate Lifecycle Manager

However, now the APM supports SSL expiration monitoring, that is probably going to be the best solution for you.

0 Kudos
Level 8

SSL Cert expire uploaded to APM content; it uses a PowerShell script to call built-in .NET functionality on a Windows box. You can assign the monitor to any Windows server with PowerShell installed (already added in Windows 2008); where the template/monitor is assigned is irrelevant, as the script argument (URL) is where it will check. I added the monitor to the Orion server so the PowerShell script runs locally!

re.

Dale

0 Kudos

Hi,

Excuse my ignorance, but surely if you can get a script in Nagios that can query any webpage and determine the expiry date on the certificate, shouldn't this be achievable within SolarWinds APM without having dependencies on external servers or the target web servers meeting some requirements?

I am keen to understand why this is so complex and also why no development from SW has been put in to make this achievable.

Miron

0 Kudos

Hi Miron

 

Let me elaborate on my experience with this. Firstly, we have Nagios and SolarWinds at our disposal; Nagios utilises an open source plugin in order to facilitate this. Due to the lack of out-of-the-box functionality for APM, I followed this approach and utilised the openssl Windows installable on the Orion server, then used a VBS monitor script to parse and report.

I felt this was somewhat untidy and installed PowerShell on the Orion server. From this I was able to use the PowerShell monitor to make calls to the underlying functionality that is built into PowerShell, as it exposes some libraries that can perform the functionality of the OpenSSL that was previously required.

On the surface it appears that I am substituting one add-in for another, but PowerShell is part of the OS in Windows 2008 and only an add-in for 2003, which I use.

I agree with you that this should be out-of-the-box functionality, but I imagine that if a reliance was on a third-party open source plugin to achieve the result, then bundling with Orion would breach some GPL license. However, there is no reason to take the PowerShell monitor that I have made available in the APM forum, which will easily convert to C#, then compiled into a DLL and distributed with the product, and I would welcome some response on SolarWinds' official position on this!

 

re.

Dale

0 Kudos

Dale,

 

Can I just confirm if I understand correctly which is where I may have misunderstood.

Following your approach, does this require any further work to be done to a web server in order to monitor the age of its certificates? By web server I mean any web server hosting SSL pages that you wish to monitor, either controlled by you or an external party.

 

Kind Regards

Miron

0 Kudos

Miron

 

All that is required is to have PowerShell installed on the Orion server; if this is a Windows 2008 then it's already there and you can monitor any web server with a certificate.

Where it may be confusing is that the monitor does not need to be assigned to the server that has the certificate; it can point at anything, as you pass the URL as the script argument and this is where the checking occurs.

I monitor many e-commerce sites of my company that have SSL, and what I did was to create an application template called "SSL Certificates" with the PowerShell monitor * 10, added the same script to each monitor, renamed each one as "SSL - <FQDN>" and specified the same FQDN as the script argument; the warning and critical thresholds are the days until the certificate expires.

0 Kudos



Hi,

Excuse my ignorance, but surely if you can get a script in Nagios that can query any webpage and determine the expiry date on the certificate, shouldn't this be achievable within SolarWinds APM without having dependencies on external servers or the target web servers meeting some requirements?

I am keen to understand why this is so complex and also why no development from SW has been put in to make this achievable.

Miron



The way you do it with Nagios is the exact same way you do it with SolarWinds. The choice of programming language is about the only difference. Not sure what dependencies on external servers or requirements you're referring to?

Andy.

0 Kudos

SW,

 

Do you have any response to my previous comment?

 

Miron

0 Kudos
Level 8

I have added a template for SSL expiry check to the APM content. Unlike the previous solution I posted, which uses VB script and an external executable, this one uses PowerShell, which can make use of some built-in .NET library to achieve the desired result in a cleaner way!

0 Kudos
Level 8

I have uploaded a vbscript that relies on openssl being installed on Orion server to check for expiration, may not be the solution you are looking for but at least you don't have to change your firewall to let ssh through to the Linux boxes on thwack here http://bit.ly/dK8tCU

 

re.

Dale

0 Kudos
Level 13

Orion APM doesn't have a monitor  that returns the number of days before an SSL cert expires as a statistic. Someone would have to write a script that would put that number somewhere APM could access it.

Consider instead implementing these known expiration dates and system names as reminders in Microsoft Outlook or some similar calendar program. 

0 Kudos

Script written and posted as embedded in APM template posted on thwack http://bit.ly/dK8tCU; relies on openssl being on the Orion server.

 

re.

Dale

0 Kudos

I have been able to get your script to pull results for one site. Can multiple arguments be used on one monitor? I have several different certs on several different servers that I need to monitor. What would the syntax be if so?

Thanks

0 Kudos

Hi Troy

 

There is no way to have multiple arguments on one monitor; however, just copy the script to a new monitor and change the file to the temporary location where the cert is stored. I have the same and use c:\temp\cert1;c:\temp\cert2;c:\temp\cert3.

In this way you can have different warning days for each certificate.

 

re.Dale

0 Kudos

Dale,

Just got around to installing Open SSL and started testing your cert script check.  So far so good.  Great job.  Thanks

Ralph

0 Kudos

Quick Question.

 

I believe in the test you guys are performing, your date format is in the United Kingdom. When I use the same test, I am getting a different date. How can I modify the script to a U.S. date format? (MON\DD\YYYY)

0 Kudos
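
Added example, not part of any post in this thread and not the script Dale uploaded: a Python version of the check the thread describes, run from the monitoring server against an FQDN and returning days to expiry against warning and critical thresholds. The function names and the 30/7-day defaults are assumptions; dates are parsed from the openssl-style `notAfter` text with a fixed month table and reported as ISO 8601, so the UK/US date-format question does not arise.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

# Fixed English month table: parsing never depends on the monitoring host's
# locale, which is where DD/MM versus MM/DD mix-ups come from.
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

def parse_not_after(text):
    """Parse 'notAfter=Jun  1 12:00:00 2030 GMT' (openssl x509 -enddate output)
    or the bare date string returned by ssl's getpeercert()['notAfter']."""
    mon, day, clock, year, tz = text.strip().split("=", 1)[-1].split()
    if tz != "GMT":
        raise ValueError("expected a GMT timestamp, got %r" % tz)
    hh, mm, ss = (int(p) for p in clock.split(":"))
    return datetime(int(year), MONTHS[mon], int(day), hh, mm, ss, tzinfo=timezone.utc)

def days_left(not_after, now=None):
    """Whole days until expiry; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now).days

def classify(days, warning=30, critical=7):
    """Map the days-remaining statistic onto monitor states (assumed defaults)."""
    if days < 0:
        return "EXPIRED"
    if days <= critical:
        return "CRITICAL"
    return "WARNING" if days <= warning else "OK"

def check(host, port=443, warning=30, critical=7, timeout=10):
    """Connect from the monitoring server; nothing is installed on the target."""
    ctx = ssl.create_default_context()  # verification on: getpeercert() needs it
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                expiry = parse_not_after(tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        # An expired or untrusted certificate fails the handshake itself.
        return "CRITICAL", None, "verification failed: " + exc.verify_message
    days = days_left(expiry)
    return classify(days, warning, critical), days, expiry.date().isoformat()

if __name__ == "__main__":
    # Usage: python cert_days.py <fqdn> [port]
    print(check(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

The `port` argument covers services that speak TLS from the first byte (for example the smtps, pop3s and ldaps ports mentioned earlier in the thread); protocols that upgrade with STARTTLS are not handled here.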

I recommend you use the SSL Expiration monitor now built into APM. You can find more information regarding it in this Thwack thread.

0 Kudos

Ralph,

Would you 'Verify' Dale's answer when you feel confident. I'm sure it would be appreciated by all to know you kicked the tires.

Dale,

Great job.

 

Thanks,

Michael

0 Kudos