Forum Discussion

Jason_Fant
5 years ago

SSL Cert Chain Expiration monitoring

Good Morning, We have a customer that was hoping we'd be monitoring the Root and Intermediate SSL Certs on some Linux servers and Cisco CUCM Servers. However, the default SSL Cert LogicModule only monitors the domain/server level cert and not the entire SSL Chain.

 

I found a debug command from another forum post and I can see that the script can properly see the entire SSL Chain on the device. I just need to now script that out so that each cert found is an 'instance' and then there's a datapoint monitoring the expiration date. Has anyone done this before and has a datasource/LogicModule that they can share? I'm not familiar with the jar script used in the example below or how to edit that to do more than what the current SSLCerts- datasource is doing. But I know that it can at least show me the information/data I need, I just need to manipulate/parse it.

 

$ !java -cp ../lib/certexpire.jar CertificateExpire "C:\Program Files (x86)\LogicMonitor\Agent" 172.20.10.74 172.20.10.74 443 true


Enable debug SSL cert
Get the support protocol, protocols=TLSv1.3,TLSv1.2,TLSv1.1,TLSv1,SSLv3,SSLv2Hello,
Get the enabled protocol, protocols=TLSv1.2,TLSv1.1,TLSv1,
Try to send request to server.
Request send ...
TrustManager: checkServerTrusted got 4 certs. Auth type: ECDHE_RSA
TrustManager: getAcceptedIssuers called.
Request flushed ...
Get certification from host - 172.20.10.74:443
	Certification: 1
		CN       : CN=voip-cxwe-ext-vip, OU=OMITTED - IT, O=OMITTED, STREET=OMITTED, L=New York, ST=NY, OID.2.5.4.17=10024-5100, C=US
		Type     : X.509
		Issue at : Mon Aug 20 20:00:00 EDT 2018
		Expire at: Thu Aug 20 19:59:59 EDT 2020
	Certification: 2
		CN       : CN=InCommon RSA Server CA, OU=InCommon, O=Internet2, L=Ann Arbor, ST=MI, C=US
		Type     : X.509
		Issue at : Sun Oct 05 20:00:00 EDT 2014
		Expire at: Sat Oct 05 19:59:59 EDT 2024
	Certification: 3
		CN       : CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
		Type     : X.509
		Issue at : Mon Mar 11 20:00:00 EDT 2019
		Expire at: Sun Dec 31 18:59:59 EST 2028
	Certification: 4
		CN       : CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
		Type     : X.509
		Issue at : Wed Dec 31 19:00:00 EST 2003
		Expire at: Sun Dec 31 18:59:59 EST 2028
Got issue date - Wed Dec 31 08:19:49 EST 1969, expiration date - Tue Jun 02 08:19:49 EDT 2020
79
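One way to turn the debug output above into one record per certificate with a days-until-expiry value, as an added example that is not part of the original post or of LogicMonitor's own code. The function names, the time zone map and the shortened sample are assumptions made for illustration; feeding the records into a datasource's instance and datapoint output is left out.

```python
import math
import re
from datetime import datetime, timedelta, timezone

# Assumption: only zone abbreviations seen in the post's output (plus UTC/GMT) are mapped.
TZ_HOURS = {"EDT": -4, "EST": -5, "UTC": 0, "GMT": 0}

# Constructed sample: first two chain entries from the post's output, first subject shortened.
SAMPLE = (
    "Get certification from host - 172.20.10.74:443\n"
    "\tCertification: 1\n"
    "\t\tCN       : CN=voip-cxwe-ext-vip, O=OMITTED, C=US\n"
    "\t\tType     : X.509\n"
    "\t\tIssue at : Mon Aug 20 20:00:00 EDT 2018\n"
    "\t\tExpire at: Thu Aug 20 19:59:59 EDT 2020\n"
    "\tCertification: 2\n"
    "\t\tCN       : CN=InCommon RSA Server CA, OU=InCommon, O=Internet2, L=Ann Arbor, ST=MI, C=US\n"
    "\t\tType     : X.509\n"
    "\t\tIssue at : Sun Oct 05 20:00:00 EDT 2014\n"
    "\t\tExpire at: Sat Oct 05 19:59:59 EDT 2024\n"
    "Got issue date - Wed Dec 31 08:19:49 EST 1969, expiration date - Tue Jun 02 08:19:49 EDT 2020\n"
)

def parse_java_date(text):
    """Parse java.util.Date.toString() text such as 'Thu Aug 20 19:59:59 EDT 2020'."""
    _dow, mon, day, clock, zone, year = text.split()
    if zone not in TZ_HOURS:
        raise ValueError(f"unmapped time zone abbreviation: {zone}")
    naive = datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone(timedelta(hours=TZ_HOURS[zone])))

def parse_chain(output, now):
    """Return one dict per certificate (one 'instance' each), in chain order."""
    certs = []
    for line in output.splitlines():
        header = re.match(r"\s*Certification:\s*(\d+)\s*$", line)
        if header:
            certs.append({"position": int(header.group(1))})
            continue
        field = re.match(r"\s+(CN|Expire at)\s*:\s*(.+)$", line)
        if not field or not certs:
            continue  # summary lines and fields we do not track
        if field.group(1) == "CN":
            cn = re.search(r"CN=([^,]+)", field.group(2))
            certs[-1]["name"] = cn.group(1).strip() if cn else field.group(2)
        else:
            expires = parse_java_date(field.group(2))
            certs[-1]["expires"] = expires
            # Whole days remaining; negative once the certificate has expired.
            certs[-1]["days_left"] = math.floor((expires - now).total_seconds() / 86400)
    return certs
```

Alerting on the smallest `days_left` across the returned list covers the whole chain, since an expired intermediate or root breaks validation just as an expired server certificate does.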