Here's a guide on how to setup monitoring for SSL certificates
It is important to ensure that the SSL certificates used in services that are fronting users or for secure communication are valid otherwise, we risk service outage because of expired certificates.
The SSL monitoring script
Using the monitoring script "SSL Certificate Check" written by Matty, we can use it to monitor the SSL certificates either by verifying the certificate itself or querying the status through the application services.
Link to detailed documentation at SSL Certificate Check
How to set it up.
I am using the script v3.21 dated Oct 2010 in the example.
1) Download at SSL Certificate Check Script
2) Deploy it to a suitable location. Give it execute permission at least 0700.
I have configured the script to the following
# Who to page when an expired certificate is detected (cmdline: -e) ADMIN="admin@myserver.com" # Number of days in the warning threshhold (cmdline: -x) WARNDAYS=100 # If QUIET is set to TRUE, don't print anything on the console (cmdline: -q) QUIET="FALSE" # Don't send E-mail by default (cmdline: -a) ALARM="TRUE" # Don't run as a Nagios plugin by default (cmdline: -n) NAGIOS="FALSE"where the script will notify via email (default) when the certificate has less than 100 days of validity. It will print out to console. If you don't need it, change QUIET to "TRUE".
If you require to override the default settings in the script, you can use the following switches
#./sslcertcheck
Usage: ./sslcertcheck [ -e email address ] [ -x days ] [-q] [-a] [-b] [-h] [-i] [-n] [-v]
{ [ -s common_name ] && [ -p port] } || { [ -f cert_file ] } || { [ -c certificate file ] }
-a : Send a warning message through E-mail
-b : Will not print header
-c cert file : Print the expiration date for the PEM or PKCS12 formatted certificate in cert file
-e E-mail address : E-mail address to send expiration notices
-f cert file : File with a list of FQDNs and ports
-h : Print this screen
-i : Print the issuer of the certificate
-k password : PKCS12 file password
-n : Run as a Nagios plugin
-p port : Port to connect to (interactive mode)
-s commmon name : Server to connect to (interactive mode)
-q : Don't print anything on the console
-v : Only print validation data
-x days : Certificate expiration interval (eg. if cert_date < days)
Requirements.mktemp package needs to be available in the server.
Usage
1) Running the script against the certificate file.
$ sslcertcheck -c /etc/httpd/conf/ssl.crt/abc.pem Host Status Expires Days Left ----------------------------------------------- ------------ ------------ ---------- FILE:/etc/httpd/conf/ssl.crt/abc.pem Valid Jan 2 2010 807sslcertcheck will print the file or hostname in the first column, a value to indicate if the certifciate is valid in the second column, the date the certificate will expire in the third column, and the number of days remaining until the certificate expires in the fourth column.
2) If you do not have local access to the certificate files, you can use sslcertcheck's network connectivity option to extract the certificate expiration date from a live server. To check when the certificate used by the web server will expire, the server name or IP address and a port number can be passed to sslcertcheck's "-s" (server name) and "-p" (tcp port) options:
#./sslcertcheck -s 172.21.41.136 -p 443 Host Status Expires Days ----------------------------------------------- ------------ ------------ ---- 172.2.1.1:443 Valid Jul 24 2011 1283) You may want to manage dozens of SSL-enabled servers, you can place the server names and port numbers in a file, and run sslcertcheck against that file:
The configuration file.
$ cat sslcertcheck.cfg 10.10.8.1 443 10.10.8.7 443 172.2.1.1 443The output from the script with setting whom to email when any entry has validity less than threshold.
# ./sslcertcheck -e admin@me.com -f sslcertcheck.cfg Host Status Expires Days ----------------------------------------------- ------------ ------------ ---- 10.10.8.1:443 Valid Nov 14 2013 972 10.10.8.7:443 Valid Jan 20 2014 1039 172.2.1.1:443 Valid Jul 24 2011 128Thats all folks!
No comments:
Post a Comment