What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general.

Learn more

PRTG Network Monitor

Intuitive to Use. Easy to manage.
More than 500,000 users rely on Paessler PRTG every day. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

Top Tags


View all Tags

Monitoring SSL Certificates with PRTG

Votes:

1

I want to use a sensor to monitor my SSL Certificates so that it tells me when they are about to expire. Anyone know if this is possible?

custom-sensor expire prtg sensor ssl wishlist

Created on Jul 20, 2010 8:07:47 AM

Last change on Jul 20, 2010 10:30:21 AM by Daniel Zobel [Product Manager]



Best Answer

Accepted Answer

Votes:

1

Hello there and thank you for your KB-Post.

As of September 2015 it is possible to monitor a certificate's expiration with the native/built-in SSL Certificate sensor. It monitors, among other things, the "Days to Expiration". If you wish to use this sensor, please proceed as follows:

Usage Instructions/Example

  1. Create a new device with the FQDN of the host were the sensor is being used. For example www.paessler.com
  2. After the device was created, deploy a SSL Certificate sensor on the newly created device.
    1. When monitoring a regular HTTPS (443) website, use the default settings
    2. When monitoring a website that is hosted using Virtual Hosts, enter a Virtual Host (SNI Domain) in the sensor's settings, usually the same as the device's FQDN (in this case www.paessler.com)
    3. Press Continue to deploy the sensor
  3. The sensor should come up (green) after a couple of minutes. Once it does, confirm via the sensor's message that the correct certificate is being monitored. The message will look somewhat like this:
OK. Certificate Common Name: *.paessler.com - Certificate Thumbprint: 4F23ED83F2681EE442F8DE4521D80F5AF46B1F41

Important Notes

  • Newly deployed sensors (as of PRTG version 17.4.35.3441) will have the following default limits for the certificate's expiration:
Lower Warning Limit28 (days)
Lower Error Limit7 (days)

If you want to be alerted earlier, please update the limits accordingly.

  • Sensors deployed previously to version 17.4.35 may not have any limits. Please double-check or re-deploy the sensors to have them created with limits.
  • While the sensor monitors port 443 by default, you can monitor the SSL Certificate of any reachable TCP socket that supports standard TLS/SSL.
  • Sockets/webservers that don't implement SNI may produce errors when specifying an SNI host, if unsure leave the Virtual Host (SNI Domain) in the sensor's settings empty.
  • Consider using a slow scanning interval (for example, 12 hours) since the certificate won't get any older more than once a day, so checking it every 30s will produce unnecessary network, PRTG and webserver load.
  • If you get errors due to the certificate's revocation check, please refer to:

More

We also have a KB-Post comparing the new "SSL Certificate" sensor with the old (and deprecated) HTTP SSL Certificate Expiry. Please check the post below for details:

Best Regards,
Luciano Lingnau [Paessler Support]

Created on Feb 16, 2018 9:23:58 AM by Luciano Lingnau [Paessler]

Last change on Feb 16, 2018 9:35:35 AM by Luciano Lingnau [Paessler]



10 Replies

Votes:

0

PRTG's HTTP Sensor types do not discern between valid and invalid certificates. So, monitoring if an SSL certificate is still valid would only be possible using some custom sensor or script (possibly in combination with cURL?).

Maybe another PRTG user has an idea?

Created on Jul 20, 2010 10:34:02 AM by Daniel Zobel [Product Manager]



Votes:

0

Whats also important here is that I get a sensor reading BEFORE it expires, otherwise it would no point. Was thinking about creating a script which dumped the number of days to expire data into a log file and got it with the log sensor. Like <20 days = warning, <10 days= error.

I have no experience with use of cURL

Created on Jul 20, 2010 11:37:00 AM



Votes:

0

Thanks for this, but I think there must be a error. If i run the file in DOS it works like it should, it reports the number of days until it expires. PRTG however reports a random number between 0 and 100 it seems, with using primary channel#. To setup alarms I kinda need the days value reported so i can set some thresholds.

Created on Jul 21, 2010 7:54:51 AM



Votes:

0

Dear Glenn,

please check if you have accidently chosen Demo EXE - Returns a random integer.exe as EXE/script file. This is the default setting when adding a Custom EXE sensor.

If so, please set the sensor anew and make sure you select the right file from the EXE/Script drop down menu.

Created on Jul 21, 2010 10:42:33 AM by Daniel Zobel [Product Manager]

Last change on Jul 21, 2010 10:43:35 AM by Daniel Zobel [Product Manager]



Votes:

0

Hi Glen,

What is the url you are using with this sensor?

Created on Jul 21, 2010 10:45:55 AM



Votes:

0

I tried to add the sensor so many times the random integer was activated on the last one. But i still get error when polling towards a site with SSL that requires password (it still works in command line in DOS). Took some time figuring out the parameter was "-u then "=".

Now my error msg is: (401 Unautherized), or (500) Internal Server Error (both IIS messages, get the same msg in the DOS prompt but still returns me the value).

I'm trying vs https://zmail-01.hikt.no/ and https://kunde.toco.as

Created on Jul 21, 2010 11:03:42 AM



Votes:

0

Hi Glen,

There indeed was an issue with SSL that requires a password. This is fixed in the version that is currently available for download (1.0.1.2)

Created on Jul 21, 2010 6:04:10 PM

Last change on Jul 22, 2010 9:16:45 AM by Patrick Hutter [Paessler Support] (7,225) 3 3



Votes:

0

I have downloaded the new WinCertExpiration.exe file. I have put it in the appropriate folder on my probe. I am able to select it from the drop down in the sensor creation screen. I enter the parameters that work on the server that I'm trying to monitor, but the sensor itself says that it can't find the cert

Command on the box (running as admin): C:\Users\user1\Desktop>WinCertExpiration.exe -h=server.domain.dc -t=%correctthumbprint% 13.2.1.3 Connecting to certificate store LocalMachine/Root on local machine. Looking up certificate in store 'LocalMachine/Root'. 2828:The certificate expires in 2828 days.

The sensor that I've create with the exact same parameters returns "Certificate Not Found"

Created on Nov 14, 2014 9:07:02 PM



Votes:

0

Hi,

Please can the link to this be checked? I am unable to download the custom sensor

Thanks Jack

Created on Feb 15, 2018 11:43:37 AM



Accepted Answer

Votes:

1

Hello there and thank you for your KB-Post.

As of September 2015 it is possible to monitor a certificate's expiration with the native/built-in SSL Certificate sensor. It monitors, among other things, the "Days to Expiration". If you wish to use this sensor, please proceed as follows:

Usage Instructions/Example

  1. Create a new device with the FQDN of the host were the sensor is being used. For example www.paessler.com
  2. After the device was created, deploy a SSL Certificate sensor on the newly created device.
    1. When monitoring a regular HTTPS (443) website, use the default settings
    2. When monitoring a website that is hosted using Virtual Hosts, enter a Virtual Host (SNI Domain) in the sensor's settings, usually the same as the device's FQDN (in this case www.paessler.com)
    3. Press Continue to deploy the sensor
  3. The sensor should come up (green) after a couple of minutes. Once it does, confirm via the sensor's message that the correct certificate is being monitored. The message will look somewhat like this:
OK. Certificate Common Name: *.paessler.com - Certificate Thumbprint: 4F23ED83F2681EE442F8DE4521D80F5AF46B1F41

Important Notes

  • Newly deployed sensors (as of PRTG version 17.4.35.3441) will have the following default limits for the certificate's expiration:
Lower Warning Limit28 (days)
Lower Error Limit7 (days)

If you want to be alerted earlier, please update the limits accordingly.

  • Sensors deployed previously to version 17.4.35 may not have any limits. Please double-check or re-deploy the sensors to have them created with limits.
  • While the sensor monitors port 443 by default, you can monitor the SSL Certificate of any reachable TCP socket that supports standard TLS/SSL.
  • Sockets/webservers that don't implement SNI may produce errors when specifying an SNI host, if unsure leave the Virtual Host (SNI Domain) in the sensor's settings empty.
  • Consider using a slow scanning interval (for example, 12 hours) since the certificate won't get any older more than once a day, so checking it every 30s will produce unnecessary network, PRTG and webserver load.
  • If you get errors due to the certificate's revocation check, please refer to:

More

We also have a KB-Post comparing the new "SSL Certificate" sensor with the old (and deprecated) HTTP SSL Certificate Expiry. Please check the post below for details:

Best Regards,
Luciano Lingnau [Paessler Support]

Created on Feb 16, 2018 9:23:58 AM by Luciano Lingnau [Paessler]

Last change on Feb 16, 2018 9:35:35 AM by Luciano Lingnau [Paessler]




Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.