Unable to check revocation status


We have several SSL certificates which we would like to monitor. The internal CA is publishing a CRL and this file can be reached from PRTG Server (has been tested). The CRL is mentioned in the certificate, this also has been checked. The internal CA is also in the trusted root as this channel is ok.

But the SSL certificate sensor is still in the warning state for all internal CAs:

Warning by lookup value 'Unable to check revocation status' in channel 'Revoked' (OK. Certificate Common Name:[...])

certificate revocation ssl

Created on May 11, 2021 5:56:08 AM by  maxmichels (0) 1

Last change on May 11, 2021 6:19:36 AM by  Felix Wiesneth [Paessler Support]



5 Replies


Hello,

This is because your internal CA is not a trusted top-level CA. This sensor will work correctly with self-signed or certs issued by an internal CA. You must use it with a cert you purchase from a certificate authority.

Let me know if you have any questions.

Benjamin Day
[Paessler Support]

Created on May 12, 2021 4:08:20 AM by  Benjamin Day [Paessler Support]




Hello Benjamin,

so you are telling me the sensor does not work like everyone would expect and check the CRL stated in the certificate? We have a non-public CA, which is trusted by the PRTG Core (Channel Root Authority trusted is Yes). But the sensor refuses to check the CRL stated within the certificate because it is not a paid/public CA?! Where is the difference between public CA and non-public CA for the sensor? It could also be a paid CA which is not public. Like Telekom Trusted Business CA. How does the sensor know if the CA is paid??

Max

Created on May 12, 2021 7:59:43 AM by  maxmichels (0) 1




Max,

The main reason being that we cannot validate a Root CA within an organization. Our sensor relies on 3rd parties for certificate validation, and signature validation. Unfortunately, we do not have a sensor that can take into account local root CAs at this time. You can request this as a feature request by following the link below.

https://kb.paessler.com/en/topic/79245-how-can-i-propose-new-features-or-sensors-for-prtg

Benjamin Day
[Paessler Support]

Created on May 12, 2021 6:30:18 PM by  Benjamin Day [Paessler Support]




Hello Benjamin,

one question: how can I disable this channel on non-public certificates so the sensor is not in the warning state all the time?

Max

Created on May 27, 2021 8:12:03 AM by  maxmichels (0) 1




Max,

At this time, we do not have any means of disabling channels on sensors. However, you can remove the channel's ability to alert. Click on the channel in question, and in the Channel Settings set the Lookup to none. This will remove that channel's ability to set the sensor status.

Benjamin Day
[Paessler Support]

Created on May 27, 2021 8:45:08 PM by  Benjamin Day [Paessler Support]
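
With the lookup set to none as described in the last reply, the 'Revoked' channel no longer affects the sensor status, so revocation of internally issued certificates has to be checked some other way. The following is an added example (not code from this thread, from Paessler or from PRTG): a Python check, using the `cryptography` package, of a certificate against the CRL named in its CRL Distribution Point that keeps "unable to check" separate from "ok". The CA, certificate, URL, clock and the `fetch` callback are constructed for the demo, and the check covers only the CRL, not the rest of the chain.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC, DAY = dt.timezone.utc, dt.timedelta(days=1)
NOW = dt.datetime(2021, 5, 11, tzinfo=UTC)            # constructed clock
URL = "http://pki.example.internal/internal-ca.crl"   # constructed CDP URL

def cdp_urls(cert):  # URLs from the certificate's CRL Distribution Points extension
    try:
        cdp = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    except x509.ExtensionNotFound:
        return []
    return [n.value for dp in cdp for n in (dp.full_name or [])
            if isinstance(n, x509.UniformResourceIdentifier)]

def revocation_status(cert, ca_cert, fetch, now=NOW):
    """'ok', 'revoked' or 'unable to check'; fetch(url) returns a parsed CRL or None."""
    for url in cdp_urls(cert):
        crl = fetch(url)
        if (crl is None or crl.issuer != ca_cert.subject
                or not crl.is_signature_valid(ca_cert.public_key())):
            continue                      # unreachable, other issuer, or bad signature
        nxt = getattr(crl, "next_update_utc", None) or crl.next_update.replace(tzinfo=UTC)
        if nxt < now:
            continue                      # stale CRL proves nothing
        hit = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
        return "revoked" if hit is not None else "ok"
    return "unable to check"

def demo():  # constructed internal CA, leaf and CRLs; returns the status per case
    ca_key = ec.generate_private_key(ec.SECP256R1())
    sign = lambda builder: builder.sign(ca_key, hashes.SHA256())
    dn = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    base = (x509.CertificateBuilder().issuer_name(dn("Example Internal CA"))
            .not_valid_before(NOW - 30 * DAY).not_valid_after(NOW + 365 * DAY))
    ca = sign(base.subject_name(dn("Example Internal CA")).serial_number(1)
              .public_key(ca_key.public_key()))
    dp = x509.DistributionPoint([x509.UniformResourceIdentifier(URL)], None, None, None)
    leaf = sign(base.subject_name(dn("app.example.internal")).serial_number(0x1001)
                .public_key(ec.generate_private_key(ec.SECP256R1()).public_key())
                .add_extension(x509.CRLDistributionPoints([dp]), critical=False))
    crls = x509.CertificateRevocationListBuilder().issuer_name(ca.subject).last_update(NOW - 7 * DAY)
    rev = x509.RevokedCertificateBuilder().serial_number(0x1001).revocation_date(NOW - DAY).build()
    cases = {"current": sign(crls.next_update(NOW + DAY)),
             "revoked": sign(crls.next_update(NOW + DAY).add_revoked_certificate(rev)),
             "stale": sign(crls.next_update(NOW - DAY)), "unreachable": None}
    return {k: revocation_status(leaf, ca, lambda url, c=c: c) for k, c in cases.items()}
```

In real use, `fetch` would download the URL and parse the body with `x509.load_der_x509_crl`, and `ca_cert` would be the internal CA certificate loaded from a file.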


