Hi,
Den 10-11-2015 kl. 15:27 skrev Mark Felder:
[...] We're simply asking Xymon to be able to differentiate between a certificate with a valid chain of trust and one that is broken or self-signed.
You are correct that Xymon only checks the expiry-date of the certificate. This is - more or less - by design, since that is the most common problem with certificates: Your site works fine on Monday, and on Tuesday everything is down because the certificate has expired.
If your certificate is broken in the sense that the Common Name (ie the website name for which the certificate was issued) does not match your site, then *all* users will see that - so you figure it out pretty fast, usually before going live.
And name checking is not as simple as it seems. Lots of devices have self-signed certificates with meaningless names - tons of networking gear, application server admin consoles, intermediate proxy devices and so on. All of them can use self-signed certificates, or certificates issued by your own (company) CA. Xymon cannot validate them, because technically they are not trusted - you just want the TLS encryption to work, so you must live with the certificate.
Regards, Henrik