Monday, September 12, 2011

SSL Certificate Monitoring

Here's a guide on how to set up monitoring for SSL certificates.

It is important to ensure that the SSL certificates used by user-facing services, or for secure communication between systems, are valid; otherwise we risk a service outage because of an expired certificate.

The SSL monitoring script

The "SSL Certificate Check" script written by Matty lets us monitor SSL certificates either by verifying a certificate file directly or by querying the certificate presented by a live service.

Link to detailed documentation at SSL Certificate Check

How to set it up.

I am using the script v3.21 dated Oct 2010 in the example.

1) Download at SSL Certificate Check Script

2) Deploy it to a suitable location and give it execute permission (at least 0700).

I have configured the script as follows:

# Who to page when an expired certificate is detected (cmdline: -e)
ADMIN="admin@myserver.com"

# Number of days in the warning threshold (cmdline: -x)
WARNDAYS=100

# If QUIET is set to TRUE, don't print anything on the console (cmdline: -q)
QUIET="FALSE"

# Send E-mail when a certificate is expiring or expired (cmdline: -a)
ALARM="TRUE"

# Don't run as a Nagios plugin by default (cmdline: -n)
NAGIOS="FALSE"

With these settings the script notifies ADMIN by email (the default action) whenever a certificate has fewer than 100 days of validity left, and also prints the result to the console. If you don't need the console output, change QUIET to "TRUE".

If you need to override the defaults configured in the script, you can use the following switches:

#./sslcertcheck
Usage: ./sslcertcheck [ -e email address ] [ -x days ] [-q] [-a] [-b] [-h] [-i] [-n] [-v]
       { [ -s common_name ] && [ -p port] } || { [ -f cert_file ] } || { [ -c certificate file ] }

  -a                : Send a warning message through E-mail
  -b                : Will not print header
  -c cert file      : Print the expiration date for the PEM or PKCS12 formatted certificate in cert file
  -e E-mail address : E-mail address to send expiration notices
  -f cert file      : File with a list of FQDNs and ports
  -h                : Print this screen
  -i                : Print the issuer of the certificate
  -k password       : PKCS12 file password
  -n                : Run as a Nagios plugin
  -p port           : Port to connect to (interactive mode)
  -s commmon name   : Server to connect to (interactive mode)
  -q                : Don't print anything on the console
  -v                : Only print validation data
  -x days           : Certificate expiration interval (eg. if cert_date < days)

Requirements.

The mktemp package needs to be available on the server.

Usage

1) Running the script against the certificate file.

$ sslcertcheck -c /etc/httpd/conf/ssl.crt/abc.pem
Host                                            Status       Expires      Days Left
----------------------------------------------- ------------ ------------ ----------
FILE:/etc/httpd/conf/ssl.crt/abc.pem            Valid        Jan 2 2010   807   

sslcertcheck prints the file or hostname in the first column, a value indicating whether the certificate is valid in the second column, the date the certificate expires in the third column, and the number of days remaining until the certificate expires in the fourth column.

2) If you do not have local access to the certificate files, you can use sslcertcheck's network connectivity option to extract the certificate expiration date from a live server. To check when the certificate used by the web server will expire, the server name or IP address and a port number can be passed to sslcertcheck's "-s" (server name) and "-p" (tcp port) options:

#./sslcertcheck -s 172.21.41.136 -p 443

Host                                            Status       Expires      Days
----------------------------------------------- ------------ ------------ ----
172.2.1.1:443                               Valid        Jul 24 2011  128

3) If you manage dozens of SSL-enabled servers, you can place the server names and port numbers in a file and run sslcertcheck against that file.

The configuration file.

$ cat sslcertcheck.cfg
10.10.8.1 443
10.10.8.7 443
172.2.1.1 443

The output from the script, with the -e switch setting whom to email when any entry has less validity left than the threshold:

# ./sslcertcheck -e admin@me.com -f sslcertcheck.cfg 

Host                                            Status       Expires      Days
----------------------------------------------- ------------ ------------ ----
10.10.8.1:443                                 Valid        Nov 14 2013  972
10.10.8.7:443                                 Valid        Jan 20 2014  1039
172.2.1.1:443                               Valid        Jul 24 2011  128
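To show what the file check in step 1 and the list check in step 3 actually compute, here is a small POSIX shell example added to this post. It is not Matty's script; it reproduces the core of it: turn a certificate's notAfter date into "days left" using only shell arithmetic (so it works on hosts whose date(1) has no GNU -d option), classify the result against the WARNDAYS threshold, and wrap that around openssl for a PEM file or a "host port" list file in the same format as sslcertcheck.cfg. It assumes openssl is installed; the function names and the 30-day default threshold are my own choices.

```shell
#!/bin/sh
# Added example, not part of Matty's sslcertcheck: portable certificate
# expiry arithmetic plus openssl wrappers for a PEM file and a host list.

# month_number "Jul" -> 7 (0 for anything unrecognised)
month_number() {
    case "$1" in
        Jan) echo 1 ;;  Feb) echo 2 ;;  Mar) echo 3 ;;  Apr) echo 4 ;;
        May) echo 5 ;;  Jun) echo 6 ;;  Jul) echo 7 ;;  Aug) echo 8 ;;
        Sep) echo 9 ;;  Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *)   echo 0 ;;
    esac
}

# days_from_civil YEAR MONTH DAY -> days since 1970-01-01 (proleptic
# Gregorian calendar; Howard Hinnant's days_from_civil algorithm).
days_from_civil() {
    y=$1; m=$2; d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$(( y / 400 ))
    yoe=$(( y - era * 400 ))
    mp=$(( (m + 9) % 12 ))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# days_left "Jul 24 2011" ["Mar 18 2011"] -> days from the second date to
# the first; the second date defaults to today (UTC). %e pads the day with
# a space, which word splitting removes, so "08" never reaches the
# arithmetic as an octal literal.
days_left() {
    expiry="$1"
    now="${2:-$(date -u '+%b %e %Y')}"
    set -- $expiry; exp_days=$(days_from_civil "$3" "$(month_number "$1")" "$2")
    set -- $now;    now_days=$(days_from_civil "$3" "$(month_number "$1")" "$2")
    echo $(( exp_days - now_days ))
}

# cert_status DAYS_LEFT WARNDAYS -> Expired | Expiring | Valid
cert_status() {
    if [ "$1" -lt 0 ]; then echo Expired
    elif [ "$1" -lt "$2" ]; then echo Expiring
    else echo Valid
    fi
}

# report LABEL NOTAFTER WARNDAYS: NOTAFTER is openssl's "Jul 24 12:00:00 2011 GMT";
# prints one row in the same column order sslcertcheck uses.
report() {
    label="$1"; warn="$3"
    set -- $2                     # Mon Day HH:MM:SS Year TZ
    expiry="$1 $2 $4"
    left=$(days_left "$expiry")
    printf '%-32s %-9s %-12s %s\n' "$label" "$(cert_status "$left" "$warn")" "$expiry" "$left"
}

# check_cert_file FILE [WARNDAYS]: like "sslcertcheck -c FILE" (PEM only).
check_cert_file() {
    end=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    report "FILE:$1" "$end" "${2:-30}"
}

# check_cert_list CFG [WARNDAYS]: like "sslcertcheck -f CFG"; CFG holds
# "host port" lines exactly as sslcertcheck.cfg above does.
check_cert_list() {
    while read -r host port; do
        [ -z "$host" ] && continue
        end=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
              | openssl x509 -noout -enddate 2>/dev/null | sed 's/^notAfter=//')
        if [ -z "$end" ]; then
            printf '%-32s %s\n' "$host:$port" "Unknown (no certificate retrieved)"
        else
            report "$host:$port" "$end" "${2:-30}"
        fi
    done < "$1"
}
```

Run it as `. ./certdays.sh; check_cert_list sslcertcheck.cfg 100` to get the same three-row table as above with a 100-day threshold, or `check_cert_file /etc/httpd/conf/ssl.crt/abc.pem`. Hosts that refuse the connection or present no certificate are reported as Unknown rather than silently skipped, which is the case a monitoring job most needs to surface.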

That's all folks!
