Advanced SSL Certificate monitoring

Secure connections are now the norm: sites and servers without certificates are flagged as 'unsafe', and people tend to avoid such places on the web. This article demonstrates how to monitor not only whether a certificate has expired or is about to expire, but also several other properties it contains.

SSL Certificate sensor

Pre-Requisites

This sensor (like all sensors in NetCrunch) can be added directly to the node. To start monitoring, the node where the certificate is located needs to be added to the NetCrunch atlas.

For the purpose of this article, the apache.adremsoft.com node will be used.

Sensor Capabilities

The sensor can check any SSL/TLS connection. It can check the SSL certificate expiration date and other certificate properties. Additionally, this sensor can check any certificate field.

Sensor Test

If the test is run against any certificate, it's possible to view all fields and properties of the certificate. If any of these fields is invalid, NetCrunch will display a warning.

Default Alerts

Most of the sensors in NetCrunch come with pre-configured alerts that are added by default. The SSL Certificate sensor is no exception: it contains multiple alerts that are added even before the sensor is saved.

Default alerts cover most basic monitoring cases: expiration, revocation, certificate changes, unsafe connections, a weak public key, and an invalid CA.

Additional alerts in the sensor

The alerts above aren't the only ones that can be configured. For individual cases, it's possible to monitor much more detailed information in the certificate, for example the cipher used in a cert.

To add such an alert:

  1. Click on the +Add alert button
  2. Select New Event on SSL Connection property conformance
  3. Click on the + icon and make sure that cipher is selected from the drop-down menu
  4. Create an expression that will check if the proper cipher is used
  5. Select a name for the alert and save everything.

As soon as NetCrunch discovers that the cipher isn't what it should be, an alert is raised with all the important information in it.
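The expiration, certificate-change and cipher-conformance checks described above can be reproduced outside NetCrunch with Python's standard ssl module. This is an added example, not NetCrunch code; the 30-day threshold, the allowed-cipher list, the function names and the sample values in demo() are assumptions constructed for illustration.

```python
import hashlib
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Assumed policy for illustration; these are not NetCrunch defaults.
WARN_BEFORE = timedelta(days=30)
ALLOWED_CIPHERS = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                   "TLS_CHACHA20_POLY1305_SHA256"}

def fetch(host, port=443, timeout=5):
    """Handshake with a server and return (cert dict, DER bytes, cipher name)."""
    # The default context verifies chain and hostname; the handshake raises on failure.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True), tls.cipher()[0]

def evaluate(cert, der, cipher, now, known_sha256=None):
    """Return the alerts raised by one observation of a TLS endpoint."""
    alerts = []
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if expires <= now:
        alerts.append("certificate expired")
    elif expires - now <= WARN_BEFORE:
        alerts.append(f"certificate expires in {(expires - now).days} days")
    if cipher not in ALLOWED_CIPHERS:
        alerts.append(f"unexpected cipher {cipher}")
    # A fingerprint that differs from the last recorded one means the cert was replaced.
    if known_sha256 and hashlib.sha256(der).hexdigest() != known_sha256:
        alerts.append("certificate changed")
    return alerts

def demo():
    """Run evaluate() on constructed values, so no network access is needed."""
    cert = {"notAfter": "Mar 10 12:00:00 2031 GMT"}  # shape of getpeercert()
    der = b"constructed-der-bytes"
    previous = hashlib.sha256(b"older-constructed-der-bytes").hexdigest()
    now = datetime(2031, 2, 20, 12, 0, tzinfo=timezone.utc)
    return evaluate(cert, der, "ECDHE-RSA-AES128-SHA", now, previous)

if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Against a live endpoint, pass the three values returned by fetch() to evaluate() together with the current UTC time and the fingerprint stored from the previous run.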

Sensor template

If only one certificate is used, it's easy to keep track of the expiration date. If you need to track more than one certificate, the dates become harder to remember.

If all certificates should be monitored in exactly the same way (the same sensor configuration), it's best to use templating: it makes managing and configuring the monitoring settings much easier.

Template Creation

To create a template, click on the + icon in the top right corner of the NetCrunch console and select 'Node Monitoring Template'.

NetCrunch will ask for a name for the newly created Template.

If there is a node that is already configured the way all nodes using the template should be configured, use the option Create from existing node.

Template Configuration

Configuration of the template looks exactly the same as the configuration of any node. For the purpose of this article, all segments apart from Monitoring Sensors will be excluded (they will not take configuration from the template).

  1. Exclude all sections (Node, Network Services, SNMP)
  2. Include Monitoring Sensors
  3. Add a monitoring sensor and select the SSL certificate
  4. Select the reference node (the node against which the configuration will be tested; it's best to select the node where the SSL cert is present)
  5. Add/Remove alerts
  6. Save everything
  7. Select a node (or a group of nodes) where the template should be used
  8. Open Node settings and click on the icon in the top right corner
  9. Pick your template and save

Now all nodes will take their sensor configuration from the node template. If anything needs to be changed globally, simply change it in the template and all nodes will inherit the changes instantly.
