SSL Certificate Validity Test

This test reports how long (in days) the SSL certificates that have been configured for monitoring will remain valid and the current status of the SSL certificates.

This test is disabled by default. To enable the test, go to the enable / disable tests page using the menu sequence: Agents -> Tests -> Enable/Disable, pick the desired Component type, set Performance as the Test type, choose the test from the disabled tests list, and click on the < button to move the test to the ENABLED TESTS list. Finally, click the Update button.

Target of the test: An Apache web server

Agent deploying this test: An internal agent

Outputs of the test: One set of outputs for every Target and/or every Targetfile and/or the unique key assigned to each certificate in the specified Keystore File.

Configurable parameters for the test
Parameters Description

Test period

Indicates how often the test should be executed.

Host

The host for which the test is to be configured.

Targets

If you want to monitor specific SSL-enabled web sites, provide a comma-separated list of {HostIP/Name}:{Port} pairs, which represent the web sites to be monitored. For example, 192.168.10.7:443,192.168.10.8:443. The test connects to each IP/port pair and checks the validity of the certificate associated with that target. One set of metrics is reported for each target. The descriptor represents the common name (CN) value of the SSL certificate. By default, this parameter is set to <IP_of_the_monitored_web/application_server>:<Port_on_which_the_server_listens>. If you do not want to monitor the validity of certificates based on configured targets, set this parameter to none. To enable administrators to easily configure the Targets parameter, eG Enterprise provides a special interface. To access this interface, click on the encircled ‘+’ button alongside the TARGETS text box in the test configuration page. To know how to use this special interface, refer to SSL Certificate Validity Test.

Targetfiles

To monitor specific certificate files, provide a comma-separated list of file paths for the SSL certificates that are to be monitored in the Targetfiles text box. For example, C:\server.crt, D:\admin.crt. The test reads the SSL certificates for the web sites that are to be monitored from these locations and checks their validity. If you do not want to check the validity of specific certificate files, set this parameter to none.

Keystore Type

Specify what type of keystore contains the certificates that you want to monitor. By default, this parameter is set to the value JKS, which implies that the Java Keystore is by default used for storing the certificates. If the certificates in your environment are contained within a different type of keystore, then specify the exact type here, e.g., PKCS12.

Keystore File

A keystore is a database (usually a file) that can contain trusted certificates and combinations of private keys with their corresponding certificates. If you are looking to monitor the certificates contained within a keystore file, then provide the full path to this file in the Keystore File text box. For example, the location of this file may be: C:\egurkha\manager\tomcat\webapps\eGmanager.bin. In this case, the test automatically accesses each of the certificates that the specified keystore contains, and checks its validity. If you do not want to monitor the certificates in a keystore, set this parameter to none.

Keystore Password

If a Keystore File is provided, then, in this text box, provide the password that is used to obtain the associated certificate details from the Keystore File. If none is specified against Keystore File, then enter none here as well.

Confirm Password

Confirm the Keystore Password by retyping it here.

Timeout

Provide the duration (in seconds) beyond which the test times out. By default, it is 60 seconds.

DD Frequency

Refers to the frequency with which detailed diagnosis measures are to be generated for this test. The default is 1:1. This indicates that, by default, detailed measures will be generated every time this test runs, and also every time the test detects a problem. You can modify this frequency, if you so desire. Also, if you intend to disable the detailed diagnosis capability for this test, you can do so by specifying none against DD frequency.

Detailed Diagnosis

To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option.

The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

  • The eG manager license should allow the detailed diagnosis capability.
  • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.

Measurements made by the test
Measurement Description Measurement Unit Interpretation

SSL certificate validity

Indicates the number of days from the current day for which this SSL certificate will be valid.

Days

Use the detailed diagnosis of this measure to find out the details of the SSL certificate such as Order, Type, Version Serial No, Active Date, Expiry Date, Common Name, Organization, Organization Unit, Locality, State, Country, etc.

Certificate status

Indicates the current status of this SSL certificate.

 

The numeric values that correspond to these measure values are discussed in the table below:

Measure Value Numeric Value
Public CA Signed 20
Local CA Signed 25
Not Verified 40
Self Signed 60
Revoked 80

Note:

By default, this measure reports the Measure Values listed in the table above. In the graph of this measure however, the state of the SSL certificate is represented using the corresponding numeric equivalents only.

Thumbprint valid

Indicates whether or not the thumbprint of this SSL certificate is valid.

 

If the thumbprint is invalid, then the value of this measure will be No. If the thumbprint is valid, then the value of this measure will be Yes. The numeric values that correspond to these measure values are discussed in the table below:

Measure Value Numeric Value
Yes 1
No 0

Note:

By default, this measure reports the Measure Values listed in the table above. In the graph of this measure however, the values are represented using the corresponding numeric equivalents only.

Is certificate valid?

Indicates whether or not this certificate is valid.

 

If the certificate is invalid, then the value of this measure will be No. If the certificate is valid, then the value of this measure will be Yes. The numeric values that correspond to these measure values are discussed in the table below:

Measure Value Numeric Value
Yes 1
No 0

Note:

By default, this measure reports the Measure Values listed in the table above. In the graph of this measure however, the values are represented using the corresponding numeric equivalents only.

Is certificate trusted?

Indicates whether or not this certificate is from a trusted source.

 

The numeric values that correspond to these measure values are discussed in the table below:

Measure Value Numeric Value
Yes 1
No 0

Note:

By default, this measure reports the Measure Values listed in the table above to indicate whether the certificate is from a trusted source. In the graph of this measure however, the values are represented using the corresponding numeric equivalents only.

Is certificate expired?

Indicates whether or not this certificate is expired.

 

The numeric values that correspond to these measure values are discussed in the table below:

Measure Value Numeric Value
Yes 1
No 0

Note:

By default, this measure reports the Measure Values listed in the table above to indicate whether the certificate is expired. In the graph of this measure however, the values are represented using the corresponding numeric equivalents only.

Is certificate revoked?

Indicates whether or not this certificate is revoked.

 

The numeric values that correspond to these measure values are discussed in the table below:

Measure Value Numeric Value
Yes 1
No 0

Note:

By default, this measure reports the Measure Values listed in the table above to indicate whether the certificate is revoked. In the graph of this measure however, the values are represented using the corresponding numeric equivalents only.

Is certificate self signed?

Indicates whether or not this certificate is self signed.

 

The numeric values that correspond to these measure values are discussed in the table below:

Measure Value Numeric Value
Yes 1
No 0

Note:

By default, this measure reports the Measure Values listed in the table above to indicate whether the certificate is self signed. In the graph of this measure however, the values are represented using the corresponding numeric equivalents only.

Is private certificate configured?

Indicates whether or not the configured certificate is a private certificate.

 

The numeric values that correspond to these measure values are discussed in the table below:

Measure Value Numeric Value
Yes 1
No 0

Note:

By default, this measure reports the Measure Values listed in the table above to indicate whether the certificate is a private certificate. In the graph of this measure however, the values are represented using the corresponding numeric equivalents only.

Is certificate used before active date?

Indicates whether or not this certificate is used before its active date.

 

The numeric values that correspond to these measure values are discussed in the table below:

Measure Value Numeric Value
Yes 1
No 0

Note:

By default, this measure reports the Measure Values listed in the table above to indicate whether the certificate is used before its active date. In the graph of this measure however, the values are represented using the corresponding numeric equivalents only.

Is certificate having untrusted root?

Indicates whether or not this certificate has an untrusted root.

 

The numeric values that correspond to these measure values are discussed in the table below:

Measure Value Numeric Value
Yes 1
No 0

Note:

By default, this measure reports the Measure Values listed in the table above to indicate whether the certificate has an untrusted root. In the graph of this measure however, the values are represented using the corresponding numeric equivalents only.

Is Common Name(CN) available for the certificate?

Indicates whether or not a common name is available for this certificate.

 

The numeric values that correspond to these measure values are discussed in the table below:

Measure Value Numeric Value
Yes 1
No 0

Note:

By default, this measure reports the Measure Values listed in the table above to indicate whether a common name is available for the certificate. In the graph of this measure however, the values are represented using the corresponding numeric equivalents only.

Is Subject available for the certificate?

Indicates whether or not a subject is available for this certificate.

 

The numeric values that correspond to these measure values are discussed in the table below:

Measure Value Numeric Value
Yes 1
No 0

Note:

By default, this measure reports the Measure Values listed in the table above to indicate whether a subject is available for the certificate. In the graph of this measure however, the values are represented using the corresponding numeric equivalents only.

Is certificate having mismatched domain?

Indicates whether or not this certificate has a mismatched domain.

 

The numeric values that correspond to these measure values are discussed in the table below:

Measure Value Numeric Value
Yes 1
No 0

Note:

By default, this measure reports the Measure Values listed in the table above to indicate whether the certificate has a mismatched domain. In the graph of this measure however, the values are represented using the corresponding numeric equivalents only.

Is having valid certificate chain?

Indicates whether or not a valid certificate chain is available for this certificate.

 

The numeric values that correspond to these measure values are discussed in the table below:

Measure Value Numeric Value
Yes 1
No 0

Note:

By default, this measure reports the Measure Values listed in the table above to indicate whether the certificate has a valid certificate chain. In the graph of this measure however, the values are represented using the corresponding numeric equivalents only.

Public key size

Indicates the size of the public key on this certificate.

Bits

The maximum size of the public key in an SSL certificate is 4096 bits. The default key size can be 2048 bits or 4096 bits.

Available Subject Alternative Names(SAN)

Indicates the number of SANs available for this certificate.

Number

The Subject Alternative Name (SAN) is an extension to the X.509 specification that allows users to specify additional host names for a single SSL certificate. An SSL certificate with more than one name is associated using the SAN extension.
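
To cross-check several of the measures above by hand (validity in days, expired, used before active date, self signed, CN and Subject availability, SAN count, mismatched domain), the following added example derives them from a certificate decoded by Python's standard ssl module. It is not eG Enterprise code; the function names, the result keys and the sample certificate are constructed for illustration, and trust, revocation, chain and key-size checks are out of its scope.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Org"),),
                (("commonName", "www.example.test"),)),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "www.example.test"),
                       ("DNS", "*.api.example.test")),
}

def _utc(cert_time):
    """Parse an OpenSSL-style certificate time string into an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def _host_matches(pattern, host):
    """Exact match, or a '*' that stands for the whole leftmost label only."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[1:] == h[1:] and p[0] in ("*", h[0])

def certificate_measures(cert, host, now):
    """Return page-style measures (Yes=1, No=0) for one decoded certificate."""
    not_before, not_after = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    subject = cert.get("subject", ())
    cns = [v for rdn in subject for k, v in rdn if k == "commonName"]
    sans = cert.get("subjectAltName", ())
    dns_sans = [v for k, v in sans if k == "DNS"]
    # Match against SAN DNS names; fall back to the CN only when there are none.
    candidates = dns_sans or cns
    return {
        "validity_days": (not_after - now).days,  # negative once expired
        "expired": int(now > not_after),
        "used_before_active_date": int(now < not_before),
        # Heuristic: subject == issuer means self-issued; the signature is not checked.
        "self_signed": int(bool(subject) and subject == cert.get("issuer")),
        "cn_available": int(bool(cns)),
        "subject_available": int(bool(subject)),
        "san_count": len(sans),
        "mismatched_domain": int(not any(_host_matches(p, host) for p in candidates)),
    }

if __name__ == "__main__":
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed clock for a repeatable run
    print(certificate_measures(SAMPLE_CERT, "www.example.test", now))
```

For a live target, the same dict can be obtained from getpeercert() on a verified TLS connection to one of the configured {HostIP/Name}:{Port} pairs.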