Forum Discussion

Gary_Dewrell's avatar
5 years ago

Exclude self-signed certificates in SSL_Certificate

I need a way to monitor days until expiration for certificates, but I want to exclude self signed. How would I go about doing that?

 

  • Yea in my case it is over 4000 so automation is a must. :)/emoticons/smile@2x.png 2x" title=":)" width="20" />

  • Anonymous's avatar
    Anonymous

    Ok, that makes it a bit more difficult because of how discovery runs in that DS. Discovery simply checks if certain ports are open. It isn't until collection that the actual cert is downloaded and inspected. Discovery itself doesn't pull any actual properties of the certificate itself (like whether or not it's self signed). It's a pity really and I think the discovery on this DS is lacking actual discovery.

    In order to use an Active Discovery filter, the discovery script would have to discover whether or not each cert is self-signed and store that as a property. So what you'll have to do is add logic from the collection script into the discovery script so that the self-signed status gets stored as a property on the instance and can then be used to filter out those certs from discovery.

    The logic in the collection script is a bit complex (some developer really flexed his OOP skills). Take a look at it and see what you can do. It's beyond my skills to extract the required logic with the limited time I have (would probably take me a few days to iron it out). If you really want to automate this (a worthy goal IMO), I suggest reaching out to your CSM to talk about professional services or see if someone on the community may have already cracked this nut.

     

    All that said, if this is a small thing, then it would probably work to just create instance groups and sort them out manually. If it's more than a few server's certs, then automation is the only way to go. There may be a simpler way that's not occurring to me at the moment.

  • 1 minute ago, Stuart Weenig said:

    There are several ways of doing this, the easiest being an Active Discovery filter. However, in order to setup an Active Discovery filter, you need to have a DataSource that is already discovering the certificates you want to monitor. Are you looking for a DataSource or do you already have one that works that needs to exclude the self-signed certs? If so, what's the name of the DS or its locator code (found at the top of the DataSource settings page)?

    The datasource I am using is SSL_Certificates from the LM repository. If I could just exclude selfsigned on that one that would be great!

  • Anonymous's avatar
    Anonymous

    There are several ways of doing this, the easiest being an Active Discovery filter. However, in order to setup an Active Discovery filter, you need to have a DataSource that is already discovering the certificates you want to monitor. Are you looking for a DataSource or do you already have one that works that needs to exclude the self-signed certs? If so, what's the name of the DS or its locator code (found at the top of the DataSource settings page)?