Xymon Mailing List Archive

monitoring intermediate ssl certs

4 messages in this thread

Larry Barber · Tue, 25 Oct 2011 09:30:26 -0500
We recently had some intermediate ssl certificates expire without warning.
Have any of you figured out a way to monitor these using Xymon?

Thanks,
Larry Barber

Paul Root · Tue, 25 Oct 2011 09:34:23 -0500
Put an https://server entry in the "comment" section of hosts.cfg. Then you'll get an HTTP test (of port 443) and an SSL cert test.

That is, if you compiled Xymon with the OpenSSL libraries. You can test that with "~xymon/server/bin/xymonnet -version"; you should see the SSL library in there.


Paul Root    - Engineer III
Managed Services Systems - CenturyLink

Henrik Størner · Tue, 25 Oct 2011 16:35:02 +0200
On 25-10-2011 16:30, Larry Barber wrote:
> We recently had some intermediate ssl certificates expire without
> warning. Have any of you figured out a way to monitor these using Xymon?

Not really possible, because intermediate certs need not be present on the server where your own certificate is - it is sufficient that the client accessing your https-server knows the intermediate (and root) certificate. So there is no place for Xymon to fetch the intermediate certificate.

However, I am surprised that you have a certificate which is issued with an expiry date *after* the intermediate certificate by which it was signed. I assume that is the case - if not, then your own certificate must have expired and Xymon will warn you about that!

So something doesn't sound right.


Regards,
Henrik

Paul Root · Tue, 25 Oct 2011 09:38:36 -0500
I missed the intermediate part.

Paul Root    - Engineer III
Managed Services Systems - CenturyLink

-----Original Message-----
From: xymon-bounces at xymon.com [mailto:xymon-bounces at xymon.com] On

Behalf Of Henrik Størner
Sent: Tuesday, October 25, 2011 9:35 AM
To: xymon at xymon.com
Subject: Re: [Xymon] monitoring intermediate ssl certs
quoted from Larry Barber

On 25-10-2011 16:30, Larry Barber wrote:
We recently had some intermediate ssl certificates expire without
warning. Have any of you figured out a way to monitor these using
Xymon?

Not really possible, because intermediate certs need not be present on
the server where your own certificate is - it is sufficient that the
client accessing your https-server knows the intermediate (and root)
certificate. So there is no place for Xymon to fetch the intermediate
certificate.

However, I am surprised that you have a certificate which is issued
with
an expiry date *after* the intermediate certificate by which it was
signed. I assume that is the case - if not, then your own certificate
must have expired and Xymon will warn you about that!

So something doesn't sound right.


Regards,
Henrik
This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful.  If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.
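
Added example, not part of the thread and not Xymon code: it goes beyond the discussion by assuming the intermediate certificates are available to you as a local PEM bundle, in which case a scheduled job can check every certificate in the file with the `openssl` command line. The function name `chain_expiring` and the bundle path are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): list certificates in a PEM bundle
# that expire within a given number of days.
# Usage: chain_expiring BUNDLE.pem DAYS
# Prints "index<TAB>subject<TAB>notAfter" for each expiring certificate.
# Returns 0 if none expire in the window, 1 if any do, 2 on error.
chain_expiring() {
    bundle=$1
    days=$2
    secs=$((days * 86400))
    tmpdir=$(mktemp -d) || return 2

    # Split the bundle into one file per certificate, ignoring any text
    # outside the BEGIN/END markers.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"

    rc=0
    idx=0
    for pem in "$tmpdir"/cert*.pem; do
        # An unexpanded glob means the bundle held no certificate at all.
        [ -f "$pem" ] || { rc=2; break; }
        idx=$((idx + 1))
        # -checkend exits non-zero when the certificate expires within $secs.
        if ! openssl x509 -in "$pem" -noout -checkend "$secs" >/dev/null 2>&1; then
            subject=$(openssl x509 -in "$pem" -noout -subject)
            enddate=$(openssl x509 -in "$pem" -noout -enddate)
            printf '%s\t%s\t%s\n' "$idx" "$subject" "$enddate"
            rc=1
        fi
    done

    rm -rf "$tmpdir"
    return $rc
}
```

The exit status can drive whatever alerting the job feeds; the printed lines identify which certificate in the bundle is about to expire.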