Level 9

SSL Certificates Monitor |SAM 6.5.0|


So I'm using SAM 6.5.0 to monitor the SSL certificates deployed on our various servers, which include web servers, Exchange servers and other domain servers. I have observed that there are multiple certificates for different applications deployed on all servers, but I'm getting only one SSL certificate for monitoring. I have deployed the monitor and configured the alerts, but I am afraid that something might go wrong if I miss any certificate. Can anyone guide me more in this regard, specifically on monitoring the SSL certificates effectively?


Thank You.

~ Farhood Nishat


1 Solution
Level 10

Hello farhood

If it's the default SSL cert monitor that's built into SAM you're talking about, then by default it will monitor a certificate that's presented on port 443 (HTTPS), such as https://website.mydomain.co.uk for example.

The description for the monitor is:

This component monitor tests a web server's ability to accept incoming sessions over a secure channel and then tests the security certificate's expiration date.

By default, this monitor tests TCP port 443.

More information about this monitor can be found in the SAM Administrator's Guide.

If you wanted to monitor an IMAP certificate for example which would be on your exchange server you would use the SSL Cert Monitor but amend the port to 993, that way the monitor looks at port 993 to check the certificate expiry.

[screenshot: pastedImage_1.png]

Amend the port on the monitor to one you want to monitor.

Does that help?

Regards,

L.

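An added example, written for this thread and not taken from it or from SolarWinds: a Python script that does what the monitor description above says (open a TLS session on a port and read the presented certificate's expiry) for a list of host/port pairs, and additionally sends a server name (SNI), which is how a web server hosting several sites on one port chooses which certificate to present. The host names in ENDPOINTS are placeholders, SAMPLE_PEERCERT is a constructed dict in the shape Python's getpeercert() returns, and whether SAM's built-in monitor sends a server name is not something this thread states.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns
# (only the keys this script reads); it is not a real certificate.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "website.example.test"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "notAfter": "Jun 30 12:00:00 2030 GMT",
}

# Hypothetical endpoints; replace with your own. The first two share host:443
# and differ only in the SNI name, so they can come back with different certs.
ENDPOINTS = [
    ("web01.example.test", 443, "website.example.test"),
    ("web01.example.test", 443, "intranet.example.test"),
    ("mail01.example.test", 993, "mail01.example.test"),  # IMAPS, as in the answer above
]


def days_until_expiry(peercert, now=None):
    """Whole days from `now` (UTC datetime, ISO-8601 string, or None for the
    current time) until notAfter; negative once the certificate has expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(peercert["notAfter"]), tz=timezone.utc)
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):  # e.g. "2030-06-01T12:00:00+00:00"
        now = datetime.fromisoformat(now)
    return (expires - now).days


def subject_cn(peercert):
    """Subject commonName from the nested RDN tuples getpeercert() uses."""
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"


def classify(days, warn_days=30):
    """Status in the style of a component monitor: expired is Critical,
    inside the warning window is Warning, otherwise Up."""
    if days < 0:
        return "Critical"
    if days <= warn_days:
        return "Warning"
    return "Up"


def fetch_peercert(host, port, server_name, cafile=None, timeout=5.0):
    """TLS handshake against host:port sending server_name as SNI; returns the
    leaf certificate dict. The default context verifies chain and host name, so
    an expired or untrusted certificate raises ssl.SSLCertVerificationError.
    (With verify_mode=CERT_NONE getpeercert() returns an empty dict, so there
    would be no date to read.) Pass cafile for an internal CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return tls.getpeercert()


def check_endpoint(host, port, server_name, warn_days=30, cafile=None):
    """One result per (host, port, SNI name); connection or verification
    failures are reported as Down with the reason rather than raising."""
    try:
        cert = fetch_peercert(host, port, server_name, cafile=cafile)
    except ssl.SSLCertVerificationError as exc:
        return {"status": "Down", "days": None, "subject": None, "detail": exc.verify_message}
    except (OSError, ssl.SSLError) as exc:
        return {"status": "Down", "days": None, "subject": None, "detail": str(exc)}
    days = days_until_expiry(cert)
    return {"status": classify(days, warn_days), "days": days,
            "subject": subject_cn(cert), "detail": cert["notAfter"]}


def sam_lines(result):
    """Render a result in the 'Statistic:' / 'Message:' line form that the
    PowerShell script monitors elsewhere in this thread emit."""
    stat = result["days"] if result["days"] is not None else -1
    parts = ("Message:", result["status"], result["subject"], result["detail"])
    return [f"Statistic: {stat}", " ".join(p for p in parts if p)]


if __name__ == "__main__":
    for host, port, sni in ENDPOINTS:
        for line in sam_lines(check_endpoint(host, port, sni)):
            print(f"[{host}:{port} sni={sni}] {line}")
```

Because the context verifies the certificate, an already-expired certificate shows up as Down with the verifier's reason instead of as a negative day count; that is deliberate, since it is the same handshake failure a client would see.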

15 Replies
Level 8

Hi everyone.

Does this SSL Certificate Monitor require any other port except 443 for fetching data?

I'm trying to use it on an AWS EC2 instance but keep getting the error "Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host." Port 443 is open, I can telnet to it.

Check the port to which your certificate is bound. We've got multiple certificates; I bound one to 444 and changed the port number in the SSL monitor to get multiple certificates from a single server.

Level 9

daveb7114, Seashore, leigham martin
Hey!

I have sorted out a way to monitor all the certificates. By default the SSL Certificate Monitor is fetching data on port 443. I replicated that SSL Certificate Monitor, changed the port to 444, bound that same port to the certificate which I want to monitor on the server, assigned that duplicated monitor to that server and configured an alert. This is working fine for me. Doing this I am monitoring multiple certificates by assigning different monitors to the same server.

Hope this helped!

Has anyone thought about how to do this beyond just a few certs/websites? Binding all the ports just to make the ssl monitor work is something of a hard sell. I have seen some script monitors and that might be the only way, other than not using SAM.

I created a short script for our environment to check all local personal certs on each server. It grabs the expiry date, counts the days from the current day to the expiry date, then outputs the day count to a statistic and the name of the cert to the message, so you can use the statistic to create your alerts or set thresholds, then add your message to the alert to show the cert name. It's dead simple but has worked flawlessly for the past year or so since I made it, so I have never expanded on it. I can upload the template if you or anyone else will find it useful.

Yes please, can you share your template?


Hey this would be cool. I've proposed that Solarwinds update their cert monitor so that you can NAME what certs you want to monitor and ignore the rest. If you like that, go vote on it!! Meantime, please upload this so that I can check it out. Much appreciated! Dave B

Level 11

I would like this monitor to be enhanced. I've posted an idea here: https://thwack.solarwinds.com/ideas/9214. If you like it please vote on it! Dave Burton

Level 10

I wrote this guy to track all certs on a server, though it doesn't seem to work on Remote Execution, only localhost... perhaps it needs escalation?

# Certificates expiring in or before 0 days (i.e. already expired), within 30 days,
# and within 90 days, searched across every store under the Cert: drive.
$Expired_Certs       = Get-ChildItem -Recurse -Path Cert: -ExpiringInDays 0
$Expiring_Soon_Certs = Get-ChildItem -Recurse -Path Cert: -ExpiringInDays 30
$Expiring_Certs      = Get-ChildItem -Recurse -Path Cert: -ExpiringInDays 90

# @() so that .Count is 0 rather than empty when nothing matches
"Statistic.Expired: " + @($Expired_Certs).Count
$Cert_Item_Text = "Message.Expired: "
Foreach ($Cert_Item in $Expired_Certs)
  {
    $Cert_Item_Text += "Expired:" + $Cert_Item.NotAfter.ToShortDateString() + " Subject:" + $Cert_Item.Subject + "<br>"
  }
$Cert_Item_Text

"Statistic.ExpiringSoon: " + @($Expiring_Soon_Certs).Count
$Cert_Item_Text = "Message.ExpiringSoon: "
Foreach ($Cert_Item in $Expiring_Soon_Certs)
  {
    $Cert_Item_Text += "Expiring:" + $Cert_Item.NotAfter.ToShortDateString() + " Subject:" + $Cert_Item.Subject + "<br>"
  }
$Cert_Item_Text

"Statistic.Expiring: " + @($Expiring_Certs).Count
$Cert_Item_Text = "Message.Expiring: "
Foreach ($Cert_Item in $Expiring_Certs)
  {
    $Cert_Item_Text += "Expiring:" + $Cert_Item.NotAfter.ToShortDateString() + " Subject:" + $Cert_Item.Subject + "<br>"
  }
$Cert_Item_Text

Bah.. this "Works" but throws errors and doesn't pull ALL the certs even when run as Admin.  I really hate Windows...

# Same checks as above, but run on a remote server over PowerShell remoting
$Remote_Server = "Servername"

$Expired_Certs       = Invoke-Command -ComputerName $Remote_Server { Get-ChildItem -Recurse -Path Cert: -ExpiringInDays 0 }
$Expiring_Soon_Certs = Invoke-Command -ComputerName $Remote_Server { Get-ChildItem -Recurse -Path Cert: -ExpiringInDays 30 }
$Expiring_Certs      = Invoke-Command -ComputerName $Remote_Server { Get-ChildItem -Recurse -Path Cert: -ExpiringInDays 90 }

# @() so that .Count is 0 rather than empty when nothing matches
"Statistic.Expired: " + @($Expired_Certs).Count
$Cert_Item_Text = "Message.Expired: "
Foreach ($Cert_Item in $Expired_Certs)
  {
    $Cert_Item_Text += "Expired:" + $Cert_Item.NotAfter.ToShortDateString() + " Subject:" + $Cert_Item.Subject + "<br>"
  }
$Cert_Item_Text

"Statistic.ExpiringSoon: " + @($Expiring_Soon_Certs).Count
$Cert_Item_Text = "Message.ExpiringSoon: "
Foreach ($Cert_Item in $Expiring_Soon_Certs)
  {
    $Cert_Item_Text += "Expiring:" + $Cert_Item.NotAfter.ToShortDateString() + " Subject:" + $Cert_Item.Subject + "<br>"
  }
$Cert_Item_Text

"Statistic.Expiring: " + @($Expiring_Certs).Count
$Cert_Item_Text = "Message.Expiring: "
Foreach ($Cert_Item in $Expiring_Certs)
  {
    $Cert_Item_Text += "Expiring:" + $Cert_Item.NotAfter.ToShortDateString() + " Subject:" + $Cert_Item.Subject + "<br>"
  }
$Cert_Item_Text

Hi, we use the script below to check all certificates that will expire within 30 days on a machine. Not only certificates bound to a website but all of them (that is, local machine certificates, not user certificates). Seems to work.

    [CmdletBinding()]
    [OutputType([String])]
    Param
    (
        # Specify thumbprints of certificates to be excluded.
        [Parameter(Mandatory=$false)]
        [String[]]
        $ThumbprintExclude,

        # Specify the expiration window to look for, in days from now.
        [Parameter(Mandatory=$false)]
        [int]
        $Days = 30
    )
    Process
    {
        # Local machine personal store only; keep certificates expiring within $Days
        $certstore = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.NotAfter -lt (Get-Date).AddDays($Days) }

        if ($ThumbprintExclude) {
            foreach ($thumbprint in $ThumbprintExclude) {
                $certstore = $certstore | Where-Object { $_.Thumbprint -ne $thumbprint }
            }
        }

        $certstore | ForEach-Object {
            Write-Host "Message: Certificate with subject" $_.Subject "will expire on" $_.NotAfter
        }

        # @() so that .Count is 0 rather than empty when nothing matches
        Write-Host "Statistic:" @($certstore).Count
    }

Level 9

Hey leigham martin

Yup, that helped, thank you so much. So if I want to monitor multiple certificates, can I bind them to multiple ports and get all the certificates fetched from the server? I want to monitor multiple certificates installed on the same server.


farhood Hi!

That's good news. It depends, I guess, on what your certificates are for; if you're using an Exchange server, for example, you can monitor the SSL ports for IMAP, SMTP and HTTPS (443) with the SSL Certificate monitor. Personally I would use 3 separate SSL monitors but configure them on the same box, just with different ports, if that makes sense?

But yes, if you have multiple certs running on different ports/services you should be able to monitor each one with individual monitors.

Regards,

L.

Hey leigham martin

Yup, I got your point; you actually showed me a new way. Most of the certificates are from web servers where different websites are hosted with their own certificates. I am going to try it today and will let you know if it's working or not, using multiple monitors for multiple certificates on the same server.

Regards,


Farhood.
