Xymon Mailing List Archive

SSL OCSP monitoring

3 messages in this thread

Deepak Deore · Mon, 14 Apr 2014 19:24:57 -0700
Hi,

Can we monitor SSL certificate's revoke status?

Thanks,
Deepak

Phil Crooker · Tue, 15 Apr 2014 05:37:39 +0000
I think the HTTP tests (see the hosts.cfg man page) cover this; I know it alarms when a certificate is out of date.

From: Xymon on behalf of deepak deore
Sent: Tuesday, 15 April 2014 11:54 AM
To: xymon at xymon.com
Subject: [Xymon] SSL OCSP monitoring

Hi,

Can we monitor SSL certificate's revoke status?

Thanks,
Deepak

Henrik Størner · Tue, 15 Apr 2014 10:30:04 +0200

On 2014-04-15 4:24, deepak deore wrote:
> Can we monitor SSL certificate's revoke status?

There's no built-in test in Xymon for this.

Doing a bit of Googling, it seems that OpenSSL does have the necessary tools / code to perform an OCSP verification, but it is far from easy. (See http://backreference.org/2010/05/09/ocsp-verification-with-openssl/ for an explanation of the steps involved.)

It does make sense to include this check in the "sslcert" status, but for now you will have to implement a custom check script to perform it.

Regards,
Henrik
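
An added example (not from the thread or the Xymon project) of the kind of custom check script described above: it asks the certificate's OCSP responder for the revocation status with `openssl ocsp` and reports the result as a Xymon status. The column name `ocsp`, the color mapping, the `CA_BUNDLE` default path and the assumption that the server sends its issuer as the second certificate in the chain are all choices made for this example.

```shell
#!/bin/sh
# Usage (assumed): ocsp-check.sh HOST [PORT], run from xymonlaunch so that
# $XYMON and $XYMSRV are set. CA_BUNDLE default is a Debian-style path.
CA_BUNDLE=${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}

# Map the combined stdout/stderr of `openssl ocsp` to a Xymon color.
# openssl prints "<certfile>: good|revoked|unknown" for the queried cert and
# "Response Verify Failure" when the responder's signature does not check out.
ocsp_color() {
    case "$1" in
        *"Response Verify Failure"*) echo yellow ;;  # answer cannot be trusted
        *": revoked"*)               echo red ;;     # CA has revoked the cert
        *": good"*)                  echo green ;;
        *)                           echo yellow ;;  # unknown / no answer
    esac
}

check_ocsp() {  # $1 = host, $2 = port
    tmp=$(mktemp -d) || return 1
    # Save each certificate the server presents: c1.pem = leaf, c2.pem = issuer.
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts \
        </dev/null 2>/dev/null |
    awk -v d="$tmp" '/BEGIN CERTIFICATE/ {n++; p=1}
                     p {print > (d "/c" n ".pem")}
                     /END CERTIFICATE/ {p=0}'
    # The responder URL comes from the leaf's Authority Information Access.
    url=$(openssl x509 -in "$tmp/c1.pem" -noout -ocsp_uri 2>/dev/null)
    if [ -z "$url" ] || [ ! -s "$tmp/c2.pem" ]; then
        out="No OCSP responder URL or no issuer certificate for $1:$2"
    else
        out=$(openssl ocsp -issuer "$tmp/c2.pem" -cert "$tmp/c1.pem" \
                  -url "$url" -CAfile "$CA_BUNDLE" 2>&1)
    fi
    rm -rf "$tmp"
    color=$(ocsp_color "$out")
    # Xymon status message: hostname dots become commas.
    "$XYMON" "$XYMSRV" "status $(echo "$1" | tr . ,).ocsp $color $(date)
OCSP revocation status for $1:$2

$out"
}

if [ $# -ge 1 ]; then
    check_ocsp "$1" "${2:-443}"
fi
```

A responder that cannot be reached, or a reply whose signature fails verification, shows up as yellow rather than green, so a missing answer is never reported as "not revoked".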