Alibaba SSL Certificates Test

Many Alibaba cloud services rely on SSL certificates. This can include Elastic Compute Service (ECS) instances, websites, API Gateway services, Function Compute functions, and CDN endpoints.

This implies that if an SSL certificate expires, users will no longer be able to use the cloud services that depend on that certificate until the certificate is renewed. To ensure high service availability, administrators should periodically check the validity of the SSL certificates of cloud services, so they can quickly identify those certificates that have expired or are nearing expiry. This is where the Alibaba SSL Certificates test helps!

At configured intervals, this test checks the validity of SSL certificates and draws administrator attention to expired certificates. By revealing how soon each issued certificate will expire, the test also alerts administrators to the potential expiry of a certificate.

Target of the test : An Alibaba Cloud Account

Agent deploying the test : A remote agent

Outputs of the test : One set of results for the cloud account being monitored

Configurable parameters for the test
Parameters Description

Test period

How often should the test be executed.

Host

The host for which the test is to be configured.

Alibaba Access Key and Alibaba Secret Key

This test makes REST API requests to the Alibaba cloud to pull the metrics. For this purpose, the test needs to be configured with an AccessKey pair. An AccessKey pair is typically used to call an operation of an Alibaba Cloud service. It is also used to initiate an API request or use a cloud service SDK to manage cloud resources. An AccessKey pair is characterized by an AccessKey ID and an AccessKey Secret. The AccessKey ID is used to identify a user/cloud account. The AccessKey Secret is used to verify a user/cloud account.

The first step to configuring the eG agent with an AccessKey pair is to create an AccessKey pair for the target cloud account. To achieve this, follow the steps below:

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, click Users under Identities.
  3. On the Users page, click the username of the RAM user for which you want to create an AccessKey pair in the User Logon Name/Display Name column.
  4. On the page that appears, click Create AccessKey in the User AccessKeys section.

    Note:

    You must enter a verification code if you create an AccessKey pair for the first time.

  5. Click Close.

    Note:

    • The AccessKey secret is displayed only when you create an AccessKey pair.
    • If the AccessKey pair is leaked or lost, you must create a new one. You can create a maximum of two AccessKey pairs.

  6. Make note of the AccessKey ID and AccessKey secret, once they are displayed.
  7. Then, configure the Alibaba Access Key parameter of the test with the AccessKey ID, and the Alibaba Secret Key parameter with the AccessKey Secret you made note of.

If you failed to make note of the AccessKey ID and AccessKey Secret at the time of creating the AccessKey pair, then you can obtain the same at a later point in time. Similarly, if an AccessKey pair pre-exists for the target cloud account, then you do not have to create another one. Instead, you can obtain the AccessKey ID and AccessKey Secret of the existing AccessKey pair and configure the eG agent with the same. For this, follow the steps below:

  1. Use an Alibaba Cloud account to log on to the Alibaba Cloud Management console.
  2. Move the pointer over the profile picture in the upper-right corner, and click AccessKey.
  3. In the Security Tips message that appears, click Continue to manage AccessKey. AccessKey ID and AccessKey Secret are displayed. 
  4. Make note of the displayed ID and secret.
  5. Then, configure the Alibaba Access Key parameter of the test with the AccessKey ID, and the Alibaba Secret Key parameter with the AccessKey Secret you made note of.

Detailed Diagnosis

To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option.

The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

  • The eG manager license should allow the detailed diagnosis capability
  • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.

Measurements made by the test
Measurement Description Measurement Unit Interpretation

Has any certificate expired?

Indicates whether/not any certificate has expired.

 

The values that this measure reports and their corresponding numeric values are listed below:

Measure Value Numeric Value
Yes 1
No 0

Note:

This measure reports the Measure Values listed in the table above to indicate whether/not any certificate has expired. In the graph of this measure however, the same is indicated using the numeric equivalents only.

To know which certificates have expired, use the detailed diagnosis of this measure.

Expiring certificate

Indicates the number of certificates that will expire within the LICENSE EXPIRY PERIOD configured for this test.

Number

Use the detailed diagnosis of this measure to know which certificates are nearing expiry.

Total certificates

Indicates the total number of certificates on the Alibaba cloud.

Number

The detailed diagnosis of this measure provides the complete details of all certificates in use.

Issued certificates

Indicates the number of certificates that have been issued.

Number

 

Expired certificates

Indicates the number of certificates that have expired.

Number

If this measure reports a non-zero value, then use the detailed diagnosis of the measure to identify the SSL certificates that have expired.

If the Has any certificate expired? measure reports the value Yes, then use the detailed diagnosis of this measure to know which certificates expired, who issued them, and the certificate fingerprint. Similar details will also be available as part of the detailed diagnostics of the Expired certificates measure.

Figure 1 : Detailed diagnosis of the Has any certificate expired? measure and the Expired certificates measure

To know which SSL certificates are in use currently, use the detailed diagnosis of the Total certificates measure.

Figure 2 : Detailed diagnosis of the Total certificates measure reported by the Alibaba SSL Certificates test
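
The following Python example is added here and is not eG Enterprise's own code: it computes the five measures described above, and the rows their detailed diagnosis would list, from a certificate inventory. The CertRecord layout, the status values, the 30-day expiry window and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc

@dataclass(frozen=True)
class CertRecord:
    # Hypothetical inventory record, not the Alibaba Cloud API response shape.
    name: str
    issuer: str
    fingerprint: str
    status: str                    # assumed values: "issued", "pending"
    not_after: Optional[datetime]  # None until the certificate is issued

def evaluate(certs, now, expiry_window_days):
    """Return the five measures plus the detailed-diagnosis rows."""
    dated = [c for c in certs if c.not_after is not None]
    if now.tzinfo is None or any(c.not_after.tzinfo is None for c in dated):
        raise ValueError("timezone-aware datetimes required")
    horizon = now + timedelta(days=expiry_window_days)
    expired = [c for c in dated if c.not_after <= now]
    # Assumption: certificates that have already expired are not "expiring".
    expiring = [c for c in dated if now < c.not_after <= horizon]
    return {
        "has_any_expired": 1 if expired else 0,  # Yes = 1, No = 0
        "expiring": len(expiring),
        "total": len(certs),
        "issued": sum(c.status == "issued" for c in certs),
        "expired": len(expired),
        "expired_detail": [(c.name, c.issuer, c.fingerprint) for c in expired],
        "expiring_detail": sorted(
            ((c.not_after - now).days, c.name) for c in expiring),
    }

# Constructed sample data: names, issuers and fingerprints are placeholders.
NOW = datetime(2024, 6, 1, tzinfo=UTC)
SAMPLE = [
    CertRecord("api.example.com", "Example CA", "AA:01", "issued",
               datetime(2024, 5, 20, tzinfo=UTC)),
    CertRecord("cdn.example.com", "Example CA", "AA:02", "issued",
               datetime(2024, 6, 10, 12, tzinfo=UTC)),
    CertRecord("www.example.com", "Example CA", "AA:03", "issued",
               datetime(2025, 1, 1, tzinfo=UTC)),
    CertRecord("new.example.com", "Example CA", "AA:04", "pending", None),
]

if __name__ == "__main__":
    for key, value in evaluate(SAMPLE, NOW, expiry_window_days=30).items():
        print(f"{key}: {value}")
```

Rejecting naive datetimes keeps an expiry time from being compared against the wrong clock when the inventory and the agent sit in different time zones.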