Discover, view and log SSL certificates. Raise configurable expiration alerts.
The SSL Certificate Monitor extension can be deployed on an ActiveGate or on any host with the OneAgent installed.
Both deployment types have configurable alerting thresholds, allowing the extension to raise low severity problems for certificates inside a user-defined renewal window and high severity problems for imminently approaching expiration dates.
When deployed on an ActiveGate, the extension checks the certificates of an explicitly configured list of domains.
When deployed on a OneAgent host, the extension attempts certificate auto-discovery using data provided by the OneAgent.
The purpose of the remote monitoring deployment is to enable certificate monitoring by domain. This type of monitoring requires that the ActiveGate running the extension can reach the domains provided; adjustments to networking and firewall rules may be required. When this deployment model is chosen, certificate discovery is disabled and a list of domains must be provided to enable certificate monitoring.
Choose "Monitor remotely without OneAgent" to select this installation type, then choose the ActiveGate group that the extension should run on.
Local monitoring is required for certificate auto-discovery using the OneAgent. The extension is installed on the selected hosts. Currently, hosts can be selected by name, host group, management zone or tag (using the Environment configuration).
Once the deployment option is selected, proceed to configure the extension.
Expiration Imminent: The highest level of alerting, indicating that certificate expiration is imminent. Crossing this threshold triggers a problem with the AVAILABILITY severity. Expired certificates also alert at this level.
Expiration Soon: The initial alerting level. Crossing this threshold triggers a problem with the ERROR severity. The certificate's not_valid_after date requires attention, but expiration is not yet imminent.
Interval between certificate discovery and metadata checks (hours): The frequency with which the extension will update discovered certificates and process the available data. During initial setup and testing, a smaller value may be appropriate. Once the extension is fully configured, an interval of 8 hours is recommended.
In addition to determining how often certificate discovery and metadata updates take place, the check interval determines when problems are resolved. All certificate problems remain open until a certificate check confirms that the problem has been resolved, so an interval of 24 hours causes a certificate problem to remain open for a minimum of 24 hours; a renewed certificate is still reported as a problem until the next check observes the new certificate.
Unified Analysis Screens and Certificate Status Metric: Unified Analysis Screens contain metadata on all discovered certificates. This feature requires the collection of data using the Certificate Status metric (certificate.monitor.status). For the best experience, it is recommended to enable metric collection. When disabled, extension functionality is limited to alert creation and log events. This option consumes DDUs.
Annual DDU consumption is calculated using the following formula: <# of discovered certificates> x (24 / <certificate check interval in hours>) x 365 x 0.001. For example, a single certificate checked every 8 hours consumes about 1.1 DDUs per year (1 x (24/8) x 365 x 0.001 = 1.095).
Enabling "Advanced Alerting Configuration" provides two additional options to customize alert creation.
Disabling alert creation stops all alerts from being created by the extension. This is useful for customers who want to keep an inventory of certificates but not alert on them.
By default, alerts are raised for all expired certificates. Many environments contain long-expired certificates that have not been removed. Enable this feature to suppress problems for certificates that expired more than x days ago.
Optional feature to define port ranges to include in, or exclude from, certificate discovery.
Port range to include: A range of ports can be expressed with a hyphen. Individual ports or ranges are separated with a semicolon, e.g. 443;1024-2000;50000-51000
Port range to exclude: An optional range of ports to exclude. This setting is applied after the include rule. For example, if ports 400-410 are included and port 405 is excluded, the resulting set of ports is 400-404 and 406-410.
Optional setting to limit certificate checks to specific technology types. This filter can be set to include only the technologies listed or to exclude the technologies listed from monitoring.
Add Technology: Add a technology to the filter defined above. The technology types available are the "Main Technology" types that are present in process views. Some processes show multiple entries under "Main technology". The technology type filter uses OR logic: a process that lists "IIS, IIS App Pool and .NET" as main technologies matches the filter if any one of those technologies has been added to it.
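As an added example (not the extension's own code), the following Python shows how the port include/exclude rules and the OR-logic technology filter described above could be evaluated during discovery; the function names and the strict validation are assumptions of this example, not documented extension behaviour:

```python
"""Discovery filter helpers (added example; function names are hypothetical)."""
from __future__ import annotations


def parse_port_spec(spec: str) -> set[int]:
    """Expand a spec such as "443;1024-2000;50000-51000" into the set of ports.

    Entries are separated by ';' and ranges use '-'. Whitespace and empty
    entries are ignored. A ValueError is raised for malformed entries or ports
    outside 1..65535 (assumed validation, not documented extension behaviour).
    """
    ports: set[int] = set()
    for entry in spec.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "-" in entry:
            lo_s, hi_s = entry.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(entry)
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"invalid port entry: {entry!r}")
        ports.update(range(lo, hi + 1))
    return ports


def effective_ports(include: str, exclude: str = "") -> set[int]:
    """Apply the include rule first, then subtract the excluded ports."""
    return parse_port_spec(include) - parse_port_spec(exclude)


def technology_match(process_technologies, filter_technologies,
                     mode: str = "include") -> bool:
    """Decide whether a process is monitored under a technology filter.

    OR logic: the process matches when ANY of its main technologies appears in
    the filter. In include mode a match means "monitor"; in exclude mode a
    match means "skip". An empty filter monitors everything.
    """
    if not filter_technologies:
        return True
    wanted = {t.strip().lower() for t in filter_technologies}
    present = {t.strip().lower() for t in process_technologies}
    matched = bool(wanted & present)
    return matched if mode == "include" else not matched


if __name__ == "__main__":
    # Constructed sample input mirroring the documentation's examples.
    print(sorted(effective_ports("400-410", "405")))
    iis_process = ["IIS", "IIS App Pool", ".NET"]
    print(technology_match(iis_process, [".NET"]))               # monitored
    print(technology_match(iis_process, ["IIS"], mode="exclude"))  # skipped
```

The include/exclude order matters: the exclusion is subtracted from the expanded include set, so an exclude entry that names a port never included is simply a no-op rather than an error.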
Optional setting to configure additional SNI (Server Name Indication) domains.
Add Domain: An advanced setting to provide a list of domains to use with Server Name Indication. SNI is an extension to the TLS protocol, used by HTTPS, that sends the requested host name in the initial TLS handshake (the ClientHello). A server that hosts several sites on one IP address and port uses that name to select which certificate to present; without it, the server presents its default certificate, which may not be the one you intend to monitor. Use this setting to specify the host name sent in the handshake.
Log certificate status interval: The extension will log event metadata when a certificate is in a warning state. In addition, the extension will also periodically log certificate metadata of certificates in a healthy state. The purpose of this setting is to make it possible to query for certificate metadata regardless of the health state of the certificate.
Optional list of domains to check directly. The extension will attempt to open a connection to the domains provided. This feature requires that the extension host is able to establish a connection to the domain. Domain monitoring is possible in local installations but it is recommended to deploy this extension remotely (on an ActiveGate) for domain based monitoring.
Add domain: Optionally provide a list of domains that the extension will check directly.
Check this box to enable debug level logging. Logs are available (by default) on Linux at /var/lib/dynatrace/remotepluginmodule/log/extensions/datasources and on Windows at C:\ProgramData\dynatrace\remotepluginmodule\log\extensions\datasources
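The following Python is an added example, not the extension's own code, that reproduces the direct domain check described here end to end: it accepts a "domain" or "domain:port" target (port 443 by default), sends an explicit SNI name, reads the certificate's not_valid_after date directly from the DER it receives, and maps the date onto the "Expiration Soon" (ERROR) and "Expiration Imminent" (AVAILABILITY) levels from the alerting settings above, including the option to suppress certificates that expired more than N days ago. The threshold defaults, function names and the constructed sample certificate are assumptions of this example, and the live fetch disables verification so that expired certificates can still be inventoried:

```python
"""Added example (not the extension's code): direct certificate check with SNI,
notAfter extraction from DER, and mapping to the documented alert levels.
Thresholds, function names and the sample certificate are assumptions."""
from __future__ import annotations
import socket
import ssl
from datetime import datetime, timedelta, timezone
from typing import Optional


def parse_target(target: str, default_port: int = 443) -> tuple[str, int]:
    """Split "example.com:9999" into (host, port); the port defaults to 443."""
    host, sep, port = target.strip().rpartition(":")
    return (host, int(port)) if sep else (target.strip(), default_port)


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag: int, value: bytes) -> datetime:
    """Decode an X.509 Time: UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18)."""
    text = value.decode("ascii")
    if tag == 0x17:                         # RFC 5280: 50-99 -> 19xx, 00-49 -> 20xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def not_valid_after(der: bytes) -> datetime:
    """Walk Certificate -> tbsCertificate -> validity and return notAfter (UTC)."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)          # tbsCertificate ::= SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)         # version [0] EXPLICIT is OPTIONAL
    pos = pos if tag == 0xA0 else 0
    for _ in range(3):                      # skip serialNumber, signature, issuer
        _, _, pos = _read_tlv(tbs, pos)
    _, validity, _ = _read_tlv(tbs, pos)    # validity ::= SEQUENCE { notBefore, notAfter }
    _, _, pos = _read_tlv(validity, 0)
    tag, value, _ = _read_tlv(validity, pos)
    return _parse_time(tag, value)


def fetch_leaf_der(host: str, port: int, sni: Optional[str] = None,
                   timeout: float = 5.0) -> bytes:
    """Return the leaf certificate (DER) the server presents for the SNI name.
    Verification is disabled on purpose: expired or untrusted certificates must
    still be read so they can be reported. With CERT_NONE, getpeercert() returns
    an empty dict, so the DER form is requested and parsed locally instead."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
            return tls.getpeercert(binary_form=True)


def classify(not_after: datetime, now: datetime, soon_days: int = 30,
             imminent_days: int = 7, suppress_expired_days: Optional[int] = None) -> Optional[str]:
    """Map not_valid_after to a problem severity: "AVAILABILITY" (Expiration
    Imminent, also used for expired certificates), "ERROR" (Expiration Soon) or
    None (healthy, or expired more than suppress_expired_days ago)."""
    remaining = not_after - now
    if remaining < timedelta(0):
        if suppress_expired_days is not None and -remaining > timedelta(days=suppress_expired_days):
            return None
        return "AVAILABILITY"
    if remaining <= timedelta(days=imminent_days):
        return "AVAILABILITY"
    return "ERROR" if remaining <= timedelta(days=soon_days) else None


def _tlv(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder (lengths < 65536), used only to build test data."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + value


def constructed_sample_der(not_after: bytes = b"250601120000Z", tag: int = 0x17) -> bytes:
    """Constructed test data: a structurally valid but unsigned X.509 skeleton."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(tag, not_after))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + _tlv(0x30, b"") + validity + _tlv(0x30, b"") + _tlv(0x30, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    # Offline demo on constructed data; for a live check use
    # not_valid_after(fetch_leaf_der(*parse_target("host:port"), sni="name")).
    expiry = not_valid_after(constructed_sample_der())
    print(expiry, classify(expiry, datetime(2025, 5, 28, tzinfo=timezone.utc)))
```

Two points matter for anyone reproducing this: the SNI name is sent independently of the host you connect to, so a load balancer fronting several names will hand back a different certificate per `sni` value, and a check that omits it silently inventories the default certificate; and because problems only close on the next check, `classify` is pure so it can be re-run against the stored notAfter without reconnecting.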
Auto-discovery relies on OneAgent monitored processes having "listening port" metadata. In cases where port information is not available, auto-discovery fails.
Support for certificate auto-discovery on IIS web servers is currently experimental.
Most auto-discovery failures are due to a lack of "Port" metadata on Dynatrace monitored processes. If auto-discovery fails, the "Monitor by domain" feature, which allows certificates to be monitored by domain name, covers some scenarios. Future versions will expand auto-discovery to cover a wider range of scenarios.
Please open a support ticket with Dynatrace Support to document your use case and help improve future versions.
Below is a complete list of the feature sets provided in this version. To ensure a good fit for your needs, individual feature sets can be activated and deactivated by your administrator during configuration.
Metric name | Metric key | Description | Unit |
---|---|---|---|
Certificate status | certificate.monitor.status | The status of detected certificates | Count |
This version is a combined bug fix and feature update. Changes include:
- YYYY-MM-DD format to make them sortable
- NOTE: This version requires that monitoring configurations be recreated. We apologize for this inconvenience, but it is required to take advantage of new features. This extension is evolving rapidly and seeking to cover a wider array of use cases. As such, it may see other breaking changes before the end of the year.
- domain.com:9999 syntax. Previously, all domains were checked on port 443
- no_common_name