monitoring intermediate ssl certs
We recently had some intermediate ssl certificates expire without warning. Have any of you figured out a way to monitor these using Xymon?
Thanks, Larry Barber
Put an https://server entry in the "comment" section of hosts.cfg. Then you'll get an HTTP test (of port 443) and an SSL cert test.
That is, if you compiled Xymon with the OpenSSL libraries. You can test that with "~xymon/server/bin/xymonnet -version"; you should see the SSL library in there.
Paul Root - Engineer III Managed Services Systems - CenturyLink
From: xymon-bounces at xymon.com [mailto:xymon-bounces at xymon.com] On Behalf Of Larry Barber
Sent: Tuesday, October 25, 2011 9:30 AM
To: xymon at xymon.com
Subject: [Xymon] monitoring intermediate ssl certs
We recently had some intermediate ssl certificates expire without warning. Have any of you figured out a way to monitor these using Xymon?
Thanks, Larry Barber
This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
On 25-10-2011 16:30, Larry Barber wrote:
We recently had some intermediate ssl certificates expire without warning. Have any of you figured out a way to monitor these using Xymon?
Not really possible, because intermediate certs need not be present on the server where your own certificate is - it is sufficient that the client accessing your https-server knows the intermediate (and root) certificate. So there is no place for Xymon to fetch the intermediate certificate.
However, I am surprised that you have a certificate which is issued with an expiry date *after* the intermediate certificate by which it was signed. I assume that is the case - if not, then your own certificate must have expired and Xymon will warn you about that!
So something doesn't sound right.
Regards, Henrik
I missed the intermediate part.
Paul Root - Engineer III Managed Services Systems - CenturyLink
-----Original Message-----
From: xymon-bounces at xymon.com [mailto:xymon-bounces at xymon.com] On Behalf Of Henrik Størner
Sent: Tuesday, October 25, 2011 9:35 AM
To: xymon at xymon.com
Subject: Re: [Xymon] monitoring intermediate ssl certs
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
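The case discussed in this thread, a server certificate whose expiry date is later than that of the intermediate that signed it, can be checked when the full chain file is available to a script. The following is an added example, not code from the thread or from Xymon. It assumes the input is the text printed by `openssl x509 -noout -subject -enddate` once per certificate, leaf first; the certificate names, dates and day thresholds are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample: `openssl x509 -noout -subject -enddate` output for each
# certificate in a chain file, leaf first. Names and dates are made up.
SAMPLE = """\
subject=CN = www.example.test
notAfter=Mar 14 12:00:00 2012 GMT
subject=CN = Example Intermediate CA
notAfter=Nov 20 12:00:00 2011 GMT
subject=CN = Example Root CA
notAfter=Jan  1 00:00:00 2030 GMT
"""

WARN_DAYS, CRIT_DAYS = 30, 10  # assumed thresholds, not taken from the thread


def parse_chain(text):
    """Return [(subject, notAfter)] in the order the certificates appear."""
    chain, subject = [], None
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key == "subject":
            subject = value.strip()
        elif key == "notAfter":
            end = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT")
            chain.append((subject, end.replace(tzinfo=timezone.utc)))
    return chain


def chain_status(chain, now):
    """Colour the chain by its earliest expiry; list CA certs that expire before the leaf."""
    subject, end = min(chain, key=lambda cert: cert[1])
    days = (end - now).days
    colour = "red" if days < CRIT_DAYS else "yellow" if days < WARN_DAYS else "green"
    leaf_end = chain[0][1]
    expire_before_leaf = [s for s, e in chain[1:] if e < leaf_end]
    return colour, subject, days, expire_before_leaf


if __name__ == "__main__":
    now = datetime(2011, 10, 25, tzinfo=timezone.utc)  # fixed date for the sample
    colour, subject, days, early = chain_status(parse_chain(SAMPLE), now)
    print(f"{colour}: first to expire is '{subject}' in {days} days")
    for name in early:
        print(f"expires before the server certificate: {name}")
```

With the sample dates, a check of the server certificate alone stays green while the chain as a whole is already yellow.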