I want to use a sensor to monitor my SSL Certificates so that it tells me when they are about to expire. Anyone know if this is possible?
Monitoring SSL Certificates with PRTG
Votes:
1
Best Answer
Votes:
1
Hello there and thank you for your KB-Post.
As of September 2015 it is possible to monitor a certificate's expiration with the native/built-in SSL Certificate sensor. It monitors, among other things, the "Days to Expiration". If you wish to use this sensor, please proceed as follows:
Usage Instructions/Example
- Create a new device with the FQDN of the host were the sensor is being used. For example www.paessler.com
- After the device was created, deploy a SSL Certificate sensor on the newly created device.
- When monitoring a regular HTTPS (443) website, use the default settings
- When monitoring a website that is hosted using Virtual Hosts, enter a Virtual Host (SNI Domain) in the sensor's settings, usually the same as the device's FQDN (in this case www.paessler.com)
- Press Continue to deploy the sensor
- The sensor should come up (green) after a couple of minutes. Once it does, confirm via the sensor's message that the correct certificate is being monitored. The message will look somewhat like this:
OK. Certificate Common Name: *.paessler.com - Certificate Thumbprint: 4F23ED83F2681EE442F8DE4521D80F5AF46B1F41 |
Important Notes
- Newly deployed sensors (as of PRTG version 17.4.35.3441) will have the following default limits for the certificate's expiration:
Lower Warning Limit | 28 (days) |
---|---|
Lower Error Limit | 7 (days) |
If you want to be alerted earlier, please update the limits accordingly.
- Sensors deployed previously to version 17.4.35 may not have any limits. Please double-check or re-deploy the sensors to have them created with limits.
- While the sensor monitors port 443 by default, you can monitor the SSL Certificate of any reachable TCP socket that supports standard TLS/SSL.
- Sockets/webservers that don't implement SNI may produce errors when specifying an SNI host, if unsure leave the Virtual Host (SNI Domain) in the sensor's settings empty.
- Consider using a slow scanning interval (for example, 12 hours) since the certificate won't get any older more than once a day, so checking it every 30s will produce unnecessary network, PRTG and webserver load.
- If you get errors due to the certificate's revocation check, please refer to:
More
We also have a KB-Post comparing the new "SSL Certificate" sensor with the old (and deprecated) HTTP SSL Certificate Expiry. Please check the post below for details:
Best Regards,
Luciano Lingnau [Paessler Support]
Created on Feb 16, 2018 9:23:58 AM by
Luciano Lingnau [Paessler]
Last change on Feb 16, 2018 9:35:35 AM by
Luciano Lingnau [Paessler]
10 Replies
Votes:
0
PRTG's HTTP Sensor types do not discern between valid and invalid certificates. So, monitoring if an SSL certificate is still valid would only be possible using some custom sensor or script (possibly in combination with cURL?).
Maybe another PRTG user has an idea?
Votes:
0
Whats also important here is that I get a sensor reading BEFORE it expires, otherwise it would no point. Was thinking about creating a script which dumped the number of days to expire data into a log file and got it with the log sensor. Like <20 days = warning, <10 days= error.
I have no experience with use of cURL
Votes:
0
Thanks for this, but I think there must be a error. If i run the file in DOS it works like it should, it reports the number of days until it expires. PRTG however reports a random number between 0 and 100 it seems, with using primary channel#. To setup alarms I kinda need the days value reported so i can set some thresholds.
Votes:
0
Dear Glenn,
please check if you have accidently chosen Demo EXE - Returns a random integer.exe as EXE/script file. This is the default setting when adding a Custom EXE sensor.
If so, please set the sensor anew and make sure you select the right file from the EXE/Script drop down menu.
Created on Jul 21, 2010 10:42:33 AM by
Daniel Zobel [Product Manager]
Last change on Jul 21, 2010 10:43:35 AM by
Daniel Zobel [Product Manager]
Votes:
0
Hi Glen,
What is the url you are using with this sensor?
Votes:
0
I tried to add the sensor so many times the random integer was activated on the last one. But i still get error when polling towards a site with SSL that requires password (it still works in command line in DOS). Took some time figuring out the parameter was "-u then "=".
Now my error msg is: (401 Unautherized), or (500) Internal Server Error (both IIS messages, get the same msg in the DOS prompt but still returns me the value).
I'm trying vs https://zmail-01.hikt.no/ and https://kunde.toco.as
Votes:
0
Hi Glen,
There indeed was an issue with SSL that requires a password. This is fixed in the version that is currently available for download (1.0.1.2)
Created on Jul 21, 2010 6:04:10 PM
Last change on Jul 22, 2010 9:16:45 AM by
Patrick Hutter [Paessler Support]
(7,225)
●3
●3
Votes:
0
I have downloaded the new WinCertExpiration.exe file. I have put it in the appropriate folder on my probe. I am able to select it from the drop down in the sensor creation screen. I enter the parameters that work on the server that I'm trying to monitor, but the sensor itself says that it can't find the cert
Command on the box (running as admin): C:\Users\user1\Desktop>WinCertExpiration.exe -h=server.domain.dc -t=%correctthumbprint% 13.2.1.3 Connecting to certificate store LocalMachine/Root on local machine. Looking up certificate in store 'LocalMachine/Root'. 2828:The certificate expires in 2828 days.
The sensor that I've create with the exact same parameters returns "Certificate Not Found"
Votes:
0
Hi,
Please can the link to this be checked? I am unable to download the custom sensor
Thanks Jack
Votes:
1
Hello there and thank you for your KB-Post.
As of September 2015 it is possible to monitor a certificate's expiration with the native/built-in SSL Certificate sensor. It monitors, among other things, the "Days to Expiration". If you wish to use this sensor, please proceed as follows:
Usage Instructions/Example
- Create a new device with the FQDN of the host were the sensor is being used. For example www.paessler.com
- After the device was created, deploy a SSL Certificate sensor on the newly created device.
- When monitoring a regular HTTPS (443) website, use the default settings
- When monitoring a website that is hosted using Virtual Hosts, enter a Virtual Host (SNI Domain) in the sensor's settings, usually the same as the device's FQDN (in this case www.paessler.com)
- Press Continue to deploy the sensor
- The sensor should come up (green) after a couple of minutes. Once it does, confirm via the sensor's message that the correct certificate is being monitored. The message will look somewhat like this:
OK. Certificate Common Name: *.paessler.com - Certificate Thumbprint: 4F23ED83F2681EE442F8DE4521D80F5AF46B1F41 |
Important Notes
- Newly deployed sensors (as of PRTG version 17.4.35.3441) will have the following default limits for the certificate's expiration:
Lower Warning Limit | 28 (days) |
---|---|
Lower Error Limit | 7 (days) |
If you want to be alerted earlier, please update the limits accordingly.
- Sensors deployed previously to version 17.4.35 may not have any limits. Please double-check or re-deploy the sensors to have them created with limits.
- While the sensor monitors port 443 by default, you can monitor the SSL Certificate of any reachable TCP socket that supports standard TLS/SSL.
- Sockets/webservers that don't implement SNI may produce errors when specifying an SNI host, if unsure leave the Virtual Host (SNI Domain) in the sensor's settings empty.
- Consider using a slow scanning interval (for example, 12 hours) since the certificate won't get any older more than once a day, so checking it every 30s will produce unnecessary network, PRTG and webserver load.
- If you get errors due to the certificate's revocation check, please refer to:
More
We also have a KB-Post comparing the new "SSL Certificate" sensor with the old (and deprecated) HTTP SSL Certificate Expiry. Please check the post below for details:
Best Regards,
Luciano Lingnau [Paessler Support]
Created on Feb 16, 2018 9:23:58 AM by
Luciano Lingnau [Paessler]
Last change on Feb 16, 2018 9:35:35 AM by
Luciano Lingnau [Paessler]
Add comment