Skip to technology filters Skip to main content
Dynatrace Hub

Extend the platform,
empower your team.

Popular searches:
Home hero bg
SSL Certificate MonitorSSL Certificate Monitor
SSL Certificate Monitor

SSL Certificate Monitor

Discover, view and log SSL certificates. Raise configurable expiration alerts.

Extension
Free trial
Overview dashboardCertificate listCertificate detail screenCertificate problem and loggingProblem creationHighly configurable
  • Product information
  • Release notes

Overview

The SSL Certificate Monitor extension can be deployed on an ActiveGate or on any host with the OneAgent installed.

Both deployments types have configurable alerting intervals, allowing the raising of low severity problems for certificates in a user defined renewal window as well as a high severity alerts for imminently approaching expiration dates.

When deployed on an ActiveGate, the extension can be configured to perform certificate checks by specifying specific domains to check.

When deployed on an OneAgent, the extension will attempt certificate auto-discovery using data provided by the OneAgent.

Get started

Monitor Remotely

The purpose of remote monitoring deployment is to enable certificate monitoring by domain. This type of monitoring requires that the ActiveGate running the extension has access to the domains that are provided. Adjustments to networking and firewall rules may be required. When this deployment model is chosen, certificate discovery is disabled and a list of domains must be provided to enable certificate monitoring.

Choose, "Monitor Remotely without OneAgent" to choose this installation type and choose the ActiveGate group that you would like the extension to run on.

Monitor Locally

Local monitoring is required for certificate auto-discovery using the OneAgent. The extension will install on selected hosts. Currently, hosts can be selected by name, host group, management zone or tag (using the Environment configuration).

Once the deployment option is selected, proceed to configure the extension.

Details

Configuration

General Settings

Expiration Imminent: The highest level of alerting, indicating that certificate expiration is imminent. Crossing this threshold triggers a problem with the AVAILABILITY severity. Expired certificates will also alert at this alert level.

Expiration Soon: The initial alerting level. Crossing this threshold triggers a problem with the ERROR severity. The certificate not_valid_after date requires attention but expiration is not yet imminent.

Interval between certificate discovery and metadata checks (hours): The frequency with which the extension will update discovered certificates and process the available data. During initial setup and testing, a smaller value may be appropriate. Once the extension is fully configured, an interval of 8 hours is recommended.

In addition to determining how often certificate discovery and metadata updates take place, the check interval determines how problems are resolved. All certificate problems will remain open until a certificate check can confirm that the problem has been resolved. An interval of 24 hours will cause a certificate problem to remain open a minimum of 24 hours. The problem will not resolve until the next check can determine if the problem is resolved.

Unified Analysis Screens and Certificate Status Metric: Unified Analysis Screens contain metadata on all discovered certificates. This features requires the collection of data using the Certificate Status metric (certificate.monitor.status). For the best experience, it is recommended to enable metric collection. When disabled, extension functionality is limited to alert creation and log events. This option consumes DDUs.

Annual DDU consumption is calculated using the following formula: <# of discovered certificates> x <24 / certificate check interval (hours)> x 365 x 0.001. e.g., A single certificate checked every 8 hours will consume  ~3 (1 x (24/3) x 365 x 0.001) DDUs per year

Advanced Alerting Configuration

Enabling "Advanced Alerting Configuration" provides two additional options to customize alert creation.

Enable alert creation

Disabling alert creation stops all alerts from being created by the extension. This is useful for customers who want to keep an inventory of certificates but not alert on them.

Disable alerts for certificates greater than x days old

By default, alerts will be raised for all expired certificates. Many environments contain long-expired certificates that have not been removed. Enable this feature to suppress problems for certificates that expired more than x days ago.

Port Range Customization

Optional feature to define inclusive and exclusive port ranges during certificate discovery.

Port range to include: A range of ports can be expressed with a hyphen. Individual or groups of ports can be separated with a semicolon. i.e. 443;1024-2000;50000-51000

Port range to exclude: An optional range of ports to exclude. This setting is applied after the include rule. For example, if ports 400-410 are included and port 405 is excluded, the resulting set of ports will be 400-404 and 406-410.

Filter processes by technology type

Optional setting to limit certificate checks to specific technology types. This filter can be set to include only the technologies listed or to exclude the technologies listed from monitoring.

Add Technology: Add a technology to the filter defined above. The technology types available are the "Main Technology" types that are present in process views. Some processes will show multiple entries under "Main technology". Technology type filter uses OR logic. A process that lists "IIS, IIS App Pool and .NET" as main technologies will be monitored if any combination of the technologies is added to this filter.

Add additional SNI domains

Optional setting to configure additional SNI (Server Name Indication) domains

Add Domain: An advanced setting to provide a list of domains to use in with Server Name Indication. SNI is an extension to the TLS protocol which is used in HTTPS. Use this setting to specify the domain name of a website during the initial TLS Handshake instead of when the HTTPS connection opens after the handshake.

Log certificate status

Log certificate status interval: The extension will log event metadata when a certificate is in a warning state. In addition, the extension will also periodically log certificate metadata of certificates in a healthy state. The purpose of this setting is to make it possible to query for certificate metadata regardless of the health state of the certificate.

Check hosts by domain name

Optional list of domains to check directly. The extension will attempt to open a connection to the domains provided. This feature requires that the extension host is able to establish a connection to the domain. Domain monitoring is possible in local installations but it is recommended to deploy this extension remotely (on an ActiveGate) for domain based monitoring.

Add domain: Optionally provide a list of domains that they extension will check directly.

Enable Debug

Check this box to enable debug level logging. Logs are available (by default) on Linux at: /var/lib/dynatrace/remotepluginmodule/log/extensions/datasources and on Windows at: C:\ProgramData\dynatrace\remotepluginmodule\log\extensions\datasources

Compatibility information

Auto-discovery relies on OneAgent monitored processes having "listening port" metadata. In cases where port information is not available, auto-discovery will fail. Future versions will expand support to cover a wider variety to scenarios.

Support for certificate auto-discovery on IIS web servers is currently experimental.

Troubleshooting

Auto-discovery failures

Most auto-discovery failures are due to lack of "Port" metadata on Dynatrace monitored processes. If auto-discovery fails, the "Monitor by domain" feature will cover some scenarios. This feature allows the monitoring of certificates by domain name.

Future versions will expand Auto-discovery to cover a wider range of scenarios.

Please open a support ticket with Dynatrace Support to document your use case and help improve future versions.

Dynatrace
By Dynatrace
Dynatrace support center
Subscribe to new releases
Copy to clipboard

Extension content

Content typeNumber of items included
screen injections
2
screen logs cards
2
screen layout
2
generic relationship
4
screen properties
2
screen chart groups
2
dashboards
1
screen actions
2
screen entities lists
5
list screen layout
2
metric metadata
1
generic type
2

Feature sets

Below is a complete list of the feature sets provided in this version. To ensure a good fit for your needs, individual feature sets can be activated and deactivated by your administrator during configuration.

Feature setsNumber of metrics included
Metric nameMetric keyDescriptionUnit
Certificate statuscertificate.monitor.statusThe status of detected certificatesCount

Full version history

To have more information on how to install the downloaded package, please follow the instructions on this page.
ReleaseDate

Full version history

Version 1.8.13

  • Fix an issue decoding certificates with invalid characters

Full version history

v1.8.12

  • Added verbose debug logging
  • Enhanced logging to aid in supporting a wider variety of certificate types
  • Fix to "Extension settings" button on unified analysis screens

Full version history

v1.8.0

  • ✨ Raised limit on dashboard tiles to display more certificates.
  • ✨ Added an option to suppress alerts for certificates that have expired more than x days ago.
  • ✨ Added an option to suppress all alert creation for certificates
  • ✨ Added the certificate serial number as a certificate property
  • 🐛 Improved handling for monitoring configuration names that contain punctuation.
  • 🐛 The extension will now automatically renew events before before the mandatory 6 hour problem timeout is reached. This is to fix an issue where some problems would regularly close and reopen.

Full version history

v1.7.80

  • 🐛 Fixed a bug where only having one certificate in the Windows Certificate Store would cause the extension to throw an error.
  • 🐛 Improved handling of non-UTF-8 characters in Windows Certificate Store certificates.
  • 🐛 Fixed an issue where certificate properties with certain special characters would prevent the certificate data from being ingested
  • 🐛 Fixed an issue where some problems would fail to be created when the extension was deployed remotely
  • ✏️ Fixed a typo in the monitoring configuration screen.

Full version history

v1.7.50

  • ✨ Added option to include or exclude specific processes by name using the new "Filter processes by process name" feature.
  • ✨ Added option to "Scan Windows Certificate Stores" (Windows Hosts only). The extension will scan the Windows Certificate store for certificates.
  • ✨ Expanded the list of available process types available to the "Filter processes by technology type" feature.
  • 🐛 Improved handling of process snapshots
  • 🐛 Fixed crash if Active Port Monitoring (Windows Only) is enabled on a Linux host.
  • 🐛 Removed forced recheck if there was a detected change in the port bindings. Previously, the extension would force a recheck if port bindings change. Port checks will now strictly follow the configured schedule. Changes to certificates will not be detected until the next check interval.

Full version history

v1.6.0

This version is a combined bug fix and feature update. Changes include:

  • ✨ Technology filter can now be set to only include the selected technologies or exclude the selected technologies from monitoring
  • ✨ Certificate list view can now be filtered
  • ✨ Related certificates now injected on Host page
  • 🐛 Additional checks to limit long metric length
  • 🐛 Suppression for duplicate metric lines
  • 💄 Change dates to YYYY-MM-DD format to make them sortable
  • 🏷️ Improved type checking

Full version history

NOTE: This version requires that monitoring configurations be recreated. We apologize for this inconvenience but it is required to take advantage of new features. This extension is evolving rapidly and seeking to cover a wider array of use cases. As such, it may see other breaking changes before the end of the year.

v1.3.2

  • Breaking change on upgrades for <v1.3. This requires the recreation of monitoring configurations.
  • ✨ [WINDOWS ONLY] Add support for Active port discovery on Windows. The extension will attempt to actively identify listening ports on a local host and check certificates on those ports. Note: this option will likely introduce many more port checks. It is recommended to use this in conjunction with port range filters.
  • 🐛 Fixes premature problem closure
  • 🧵 Improved handling of multi-threaded port checking. Eliminates long running threads.
  • 🐛 Fixes scenario where check interval timer was being ignored
  • 🐛 Fixes issue where domain based checks list grows unexpectedly
  • ♻️ Refactor code to improve consistency across port info sources (Remote domains, OneAgent, Active port discovery)

Full version history

  • ✨ Domain checks can now supply a port to be checked via the domain.com:9999 syntax. Previously, all domains were checked on port 443
  • 🐛 Improved parsing of domains when using the domain check feature
  • 🐛 Fix for multiple instance of domains checks being added
  • 💄 Improvements to Unified Analysis screens
  • 🥅 Improved error handling when detecting alt_names
  • 📝 Documentation updates

Full version history

  • 🐛 Add defaults for subject common name (no_common_name)

Full version history

  • Initial release
Dynatrace Hub
Certified PartnersGet data into DynatraceBuild your own app
All (714)Log Management and AnalyticsKubernetesAI/ML ObservabilityInfrastructure ObservabilitySoftware DeliveryApplication ObservabilityApplication SecurityDigital ExperienceBusiness Analytics
Filter
Type
Built and maintained by
Deployment model
SaaS
  • SaaS
  • Managed
Dynatrace Developer
Filter
Type
Built and maintained by
Deployment model
SaaS
  • SaaS
  • Managed

Discover recent additions to Dynatrace

Problems logo

Problems

Analyze abnormal system behavior and performance problems detected by Davis AI.

Logs logo

Logs

Explore all your logs without writing a single query.

Security Investigator logo

Security Investigator

Fast and precise forensics for security and logs on Grail data with DQL queries.

Business Flow logo

Business Flow

Track, analyze, and optimize your critical business processes.

Carbon Impact logo

Carbon Impact

Provides the information about site's carbon footprint

Davis Anomaly Detection logo

Davis Anomaly Detection

Detect anomalies in timeseries using the Davis AI

Analyze your data

Understand your data better with deep insights and clear visualizations.

Notebooks logo

Notebooks

Create powerful, data-driven documents for custom analytics and collaboration.

Dashboards logo

Dashboards

Transform complex data into clear visualizations with custom dashboards.

Automate your processes

Turn data and answers into actions, securely, and at scale.

Workflows logo

Workflows

Automate tasks in your IT landscape, remediate problems, and visualize processes

Jira for Workflows logo

Jira for Workflows

Create, query, comment, transition, and resolve Jira tickets within workflows.

Slack logo

Slack

Automate Slack messaging for security incidents, attacks, remediation, and more.

Secure your cloud application

See vulnerabilities and attacks in your environment.

Security Overview logo

Security Overview

Get a comprehensive overview of the security of your applications.

Third-Party Vulnerabilities logo

Third-Party Vulnerabilities

Detect vulnerabilities in real time, with context and automated risk assessment.

Code-Level Vulnerabilities logo

Code-Level Vulnerabilities

Detect vulnerabilities in your code in real time.

Attacks logo

Attacks

Get a real-time overview of all the attacks on your environment.

Are you looking for something different?

We have hundreds of apps, extensions, and other technologies to customize your environment

Leverage our newest innovations of Dynatrace Saas

Kick-start your app creation

Kick-start your app creation

Whether you’re a beginner or a pro, Dynatrace Developer has the tools and support you need to create incredible apps with minimal effort.
Go to Dynatrace Developer
Upgrading from Dynatrace Managed to SaaS

Upgrading from Dynatrace Managed to SaaS

Drive innovation, speed, and agility in your organization by seamlessly and securely upgrading.
Learn More
Log Management and Analytics

Log Management and Analytics

Innovate faster and more efficiently with unified log management and log analytics for actionable insights and automation.
Learn more