New Question
 
 
PRTG Network Monitor

Intuitive to Use.
Easy to manage.

200.000 administrators have chosen PRTG to monitor their network. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free PRTG
Download >>

 

What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general. You are invited to get involved by asking and answering questions!

Learn more

 

Top Tags


View all Tags


Monitoring SSL Certificates with PRTG

Votes:

0

Your Vote:

Up

Down

I want to use a sensor to monitor my SSL Certificates so that it tells me when they are about to expire. Anyone know if this is possible?

custom-sensor expire prtg sensor ssl wishlist

Created on Jul 20, 2010 8:07:47 AM by  Glenn Olsen (0) 1

Last change on Jul 20, 2010 10:30:21 AM by  Daniel Zobel [Paessler Support]



Best Answer

Accepted Answer

Votes:

0

Your Vote:

Up

Down

Hello there and thank you for your KB-Post.

As of September 2015 it is possible to monitor a certificate's expiration with the native/built-in SSL Certificate sensor. It monitors, among other things, the "Days to Expiration". If you wish to use this sensor, please proceed as follows:

Usage Instructions/Example

  1. Create a new device with the FQDN of the host were the sensor is being used. For example www.paessler.com
  2. After the device was created, deploy a SSL Certificate sensor on the newly created device.
    1. When monitoring a regular HTTPS (443) website, use the default settings
    2. When monitoring a website that is hosted using Virtual Hosts, enter a Virtual Host (SNI Domain) in the sensor's settings, usually the same as the device's FQDN (in this case www.paessler.com)
    3. Press Continue to deploy the sensor
  3. The sensor should come up (green) after a couple of minutes. Once it does, confirm via the sensor's message that the correct certificate is being monitored. The message will look somewhat like this:
OK. Certificate Common Name: *.paessler.com - Certificate Thumbprint: 4F23ED83F2681EE442F8DE4521D80F5AF46B1F41

Important Notes

  • Newly deployed sensors (as of PRTG version 17.4.35.3441) will have the following default limits for the certificate's expiration:
Lower Warning Limit28 (days)
Lower Error Limit7 (days)

If you want to be alerted earlier, please update the limits accordingly.

  • Sensors deployed previously to version 17.4.35 may not have any limits. Please double-check or re-deploy the sensors to have them created with limits.
  • While the sensor monitors port 443 by default, you can monitor the SSL Certificate of any reachable TCP socket that supports standard TLS/SSL.
  • Sockets/webservers that don't implement SNI may produce errors when specifying an SNI host, if unsure leave the Virtual Host (SNI Domain) in the sensor's settings empty.
  • Consider using a slow scanning interval (for example, 12 hours) since the certificate won't get any older more than once a day, so checking it every 30s will produce unnecessary network, PRTG and webserver load.
  • If you get errors due to the certificate's revocation check, please refer to:

More

We also have a KB-Post comparing the new "SSL Certificate" sensor with the old (and deprecated) HTTP SSL Certificate Expiry. Please check the post below for details:


Best Regards,
Luciano Lingnau [Paessler Support]

Created on Feb 16, 2018 9:23:58 AM by  Luciano Lingnau [Paessler Support]

Last change on Feb 16, 2018 9:35:35 AM by  Luciano Lingnau [Paessler Support]



10 Replies

Votes:

0

Your Vote:

Up

Down

PRTG's HTTP Sensor types do not discern between valid and invalid certificates. So, monitoring if an SSL certificate is still valid would only be possible using some custom sensor or script (possibly in combination with cURL?).

Maybe another PRTG user has an idea?

Created on Jul 20, 2010 10:34:02 AM by  Daniel Zobel [Paessler Support]



Votes:

0

Your Vote:

Up

Down

Whats also important here is that I get a sensor reading BEFORE it expires, otherwise it would no point. Was thinking about creating a script which dumped the number of days to expire data into a log file and got it with the log sensor. Like <20 days = warning, <10 days= error.

I have no experience with use of cURL

Created on Jul 20, 2010 11:37:00 AM by  Glenn Olsen (0) 1



Votes:

0

Your Vote:

Up

Down

Thanks for this, but I think there must be a error. If i run the file in DOS it works like it should, it reports the number of days until it expires. PRTG however reports a random number between 0 and 100 it seems, with using primary channel#. To setup alarms I kinda need the days value reported so i can set some thresholds.

Created on Jul 21, 2010 7:54:51 AM by  Glenn Olsen (0) 1



Votes:

0

Your Vote:

Up

Down

Dear Glenn,

please check if you have accidently chosen Demo EXE - Returns a random integer.exe as EXE/script file. This is the default setting when adding a Custom EXE sensor.

If so, please set the sensor anew and make sure you select the right file from the EXE/Script drop down menu.

Created on Jul 21, 2010 10:42:33 AM by  Daniel Zobel [Paessler Support]

Last change on Jul 21, 2010 10:43:35 AM by  Daniel Zobel [Paessler Support]



Votes:

0

Your Vote:

Up

Down

Hi Glen,

What is the url you are using with this sensor?

Created on Jul 21, 2010 10:45:55 AM by  PRTG Tools Family [prtgtoolsfamily.com] (12,885) 3 4



Votes:

0

Your Vote:

Up

Down

I tried to add the sensor so many times the random integer was activated on the last one. But i still get error when polling towards a site with SSL that requires password (it still works in command line in DOS). Took some time figuring out the parameter was "-u then "=".

Now my error msg is: (401 Unautherized), or (500) Internal Server Error (both IIS messages, get the same msg in the DOS prompt but still returns me the value).

I'm trying vs https://zmail-01.hikt.no/ and https://kunde.toco.as

Created on Jul 21, 2010 11:03:42 AM by  Glenn Olsen (0) 1



Votes:

0

Your Vote:

Up

Down

Hi Glen,

There indeed was an issue with SSL that requires a password. This is fixed in the version that is currently available for download (1.0.1.2)

Created on Jul 21, 2010 6:04:10 PM by  PRTG Tools Family [prtgtoolsfamily.com] (12,885) 3 4

Last change on Jul 22, 2010 9:16:45 AM by  Patrick Hutter [Paessler Support] (7,164) 3 3



Votes:

0

Your Vote:

Up

Down

I have downloaded the new WinCertExpiration.exe file. I have put it in the appropriate folder on my probe. I am able to select it from the drop down in the sensor creation screen. I enter the parameters that work on the server that I'm trying to monitor, but the sensor itself says that it can't find the cert

Command on the box (running as admin): C:\Users\user1\Desktop>WinCertExpiration.exe -h=server.domain.dc -t=%correctthumbprint% 13.2.1.3 Connecting to certificate store LocalMachine/Root on local machine. Looking up certificate in store 'LocalMachine/Root'. 2828:The certificate expires in 2828 days.

The sensor that I've create with the exact same parameters returns "Certificate Not Found"

Created on Nov 14, 2014 9:07:02 PM by  esdlicensing (0) 1



Votes:

0

Your Vote:

Up

Down

Hi,

Please can the link to this be checked? I am unable to download the custom sensor

Thanks Jack

Created on Feb 15, 2018 11:43:37 AM by  JackWheeler (0) 1



Accepted Answer

Votes:

0

Your Vote:

Up

Down

Hello there and thank you for your KB-Post.

As of September 2015 it is possible to monitor a certificate's expiration with the native/built-in SSL Certificate sensor. It monitors, among other things, the "Days to Expiration". If you wish to use this sensor, please proceed as follows:

Usage Instructions/Example

  1. Create a new device with the FQDN of the host were the sensor is being used. For example www.paessler.com
  2. After the device was created, deploy a SSL Certificate sensor on the newly created device.
    1. When monitoring a regular HTTPS (443) website, use the default settings
    2. When monitoring a website that is hosted using Virtual Hosts, enter a Virtual Host (SNI Domain) in the sensor's settings, usually the same as the device's FQDN (in this case www.paessler.com)
    3. Press Continue to deploy the sensor
  3. The sensor should come up (green) after a couple of minutes. Once it does, confirm via the sensor's message that the correct certificate is being monitored. The message will look somewhat like this:
OK. Certificate Common Name: *.paessler.com - Certificate Thumbprint: 4F23ED83F2681EE442F8DE4521D80F5AF46B1F41

Important Notes

  • Newly deployed sensors (as of PRTG version 17.4.35.3441) will have the following default limits for the certificate's expiration:
Lower Warning Limit28 (days)
Lower Error Limit7 (days)

If you want to be alerted earlier, please update the limits accordingly.

  • Sensors deployed previously to version 17.4.35 may not have any limits. Please double-check or re-deploy the sensors to have them created with limits.
  • While the sensor monitors port 443 by default, you can monitor the SSL Certificate of any reachable TCP socket that supports standard TLS/SSL.
  • Sockets/webservers that don't implement SNI may produce errors when specifying an SNI host, if unsure leave the Virtual Host (SNI Domain) in the sensor's settings empty.
  • Consider using a slow scanning interval (for example, 12 hours) since the certificate won't get any older more than once a day, so checking it every 30s will produce unnecessary network, PRTG and webserver load.
  • If you get errors due to the certificate's revocation check, please refer to:

More

We also have a KB-Post comparing the new "SSL Certificate" sensor with the old (and deprecated) HTTP SSL Certificate Expiry. Please check the post below for details:


Best Regards,
Luciano Lingnau [Paessler Support]

Created on Feb 16, 2018 9:23:58 AM by  Luciano Lingnau [Paessler Support]

Last change on Feb 16, 2018 9:35:35 AM by  Luciano Lingnau [Paessler Support]



Please log in or register to enter your reply.


Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.