Unable to check revocation status

Votes:

0

We have several SSL certificates which we would like to monitor. The internal CA is publishing a CRL and this file can be reached from PRTG Server (has been tested). The CRL is mentioned in the certificate, this also has been checked. The internal CA is also in the trusted root as this channel is ok.

But the SSL certificate sensor is still in the warning state for all internal CAs:

Warning by lookup value 'Unable to check revocation status' in channel 'Revoked' (OK. Certificate Common Name:[...])

certificate revocation ssl

Created on May 11, 2021 5:56:08 AM

Last change on May 11, 2021 6:19:36 AM by  Felix Wiesneth [Paessler Support]



7 Replies

Votes:

0

Hello,

This is because your internal CA is not a trusted top-level CA. This sensor will work correctly with self-signed or certs issued by an internal CA. You must use it with a cert you purchase from a certificate authority.

Let me know if you have any questions.

Benjamin Day
[Paessler Support]

Created on May 12, 2021 4:08:20 AM by  Benjamin Day [Paessler Support] (1,441) 2 1



Votes:

0

Hello Benjamin,

So you are telling me the sensor does not work like everyone would expect and check the CRL stated in the certificate? We have a non-public CA, which is trusted by the PRTG Core (Channel Root Authority trusted is Yes). But the sensor refuses to check the CRL stated within the certificate because it is not a paid/public CA?! Where is the difference between public CA and non-public CA for the sensor? It could also be a paid CA which is not public. Like Telekom Trusted Business CA. How does the sensor know if the CA is paid??

Max

Created on May 12, 2021 7:59:43 AM



Votes:

0

Max,

The main reason is that we cannot validate a Root CA within an organization. Our sensor relies on 3rd parties for certificate validation and signature validation. Unfortunately, we do not have a sensor that can take into account local root CAs at this time. You can request this as a feature request by following the link below.

https://kb.paessler.com/en/topic/79245-how-can-i-propose-new-features-or-sensors-for-prtg

Benjamin Day
[Paessler Support]

Created on May 12, 2021 6:30:18 PM by  Benjamin Day [Paessler Support] (1,441) 2 1



Votes:

0

Hello Benjamin,

One question: how can I disable this channel on non-public certificates so the sensor is not in the warning state all the time?

Max

Created on May 27, 2021 8:12:03 AM



Votes:

0

Max,

At this time, we do not have any means of disabling channels on sensors. However, you can remove the channel's ability to alert. Click on the channel in question, and in the Channel Settings set the Lookup to none. This will remove that channel's ability to set the sensor status.

Benjamin Day
[Paessler Support]

Created on May 27, 2021 8:45:08 PM by  Benjamin Day [Paessler Support] (1,441) 2 1



Votes:

0

Is there any news on whether this function has been added since the last post? Is there a function request open for checking non-public CAs?

Kind regards Julian

Created on Jan 24, 2023 9:57:57 AM



Votes:

0

Hello jkellermeier,

Thank you for the post. There's no change in regards to this. Something else you could try is to create an EXE/XML sensor; however, you need to have the knowledge to create a script that checks this and returns a value to PRTG to just report either OK or Bad. Steps to create the sensor: https://www.paessler.com/manuals/prtg/exe_script_sensor

Created on Jan 27, 2023 3:00:09 AM by  Oscar Chavarria [Paessler Technical Support]
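The custom sensor suggested in the last reply could look like the following. This is an added example, not Paessler's code and not part of the thread: it lets the Windows chain engine on the probe system check revocation, so it honors locally trusted internal roots and the CRL distribution point in the certificate. The parameter names, the channel name and the 0/1/2 value mapping are assumptions; the output uses the XML format of PRTG's EXE/Script Advanced sensor.

```powershell
# Added example; not Paessler code. Parameter and channel names are hypothetical.
param([Parameter(Mandatory)][string]$TargetHost, [int]$Port = 443)

function Write-Prtg([int]$Value, [string]$Text) {
    # Assumed mapping: 0 = not revoked, 1 = status unknown (warning), 2 = revoked (error)
    $msg = [System.Security.SecurityElement]::Escape($Text)
    "<prtg><result><channel>Revocation</channel><value>$Value</value>" +
    "<LimitMode>1</LimitMode><LimitMaxWarning>0</LimitMaxWarning>" +
    "<LimitMaxError>1</LimitMaxError></result><text>$msg</text></prtg>"
}

$tcp = $null; $ssl = $null
try {
    $tcp = [System.Net.Sockets.TcpClient]::new($TargetHost, $Port)
    # The callback accepts any certificate because this handshake only fetches it;
    # no data is sent over the stream and all validation happens in X509Chain below.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($TargetHost)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'Online'       # fetch the CRL named in the certificate
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'  # check leaf and intermediates
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    [void]$chain.Build($cert)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    if ($status -contains 'Revoked') {
        Write-Prtg 2 "Revoked: $($cert.Subject)"
    } elseif ($status -contains 'RevocationStatusUnknown' -or $status -contains 'OfflineRevocation') {
        Write-Prtg 1 "Revocation status could not be determined for $($cert.Subject)"
    } elseif ($status.Count -gt 0) {
        # Any other chain problem (untrusted root, expired, partial chain) is reported, not hidden.
        Write-Prtg 1 "Chain problem: $($status -join ', ')"
    } else {
        Write-Prtg 0 "Not revoked: $($cert.Subject)"
    }
}
catch {
    $err = [System.Security.SecurityElement]::Escape($_.Exception.Message)
    "<prtg><error>1</error><text>$err</text></prtg>"
}
finally {
    if ($ssl) { $ssl.Close() }
    if ($tcp) { $tcp.Close() }
}
```

The result reflects the certificate stores and network reachability of the account that runs the script, so the internal root must be trusted and the CRL URL reachable in that context.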



