SSL Certificate Details Test
An SSL certificate is a digital certificate that authenticates a website's identity and enables an encrypted connection. SSL stands for Secure Sockets Layer, a security protocol that creates an encrypted link between a web server and a web browser. Companies and organizations add SSL certificates to their websites to secure online transactions and keep customer information private. Websites and web applications use SSL certificates to ensure that only authorized persons or processes connect. Network devices also use SSL certificates to provide secure web access to their management interfaces, so any communication from a management console to the device relies on SSL and SSL certificates.
SSL certificates come with a lifespan after which they expire. Expiry is important by design: the information in a certificate needs to be periodically re-validated to confirm it is still accurate, so before a certificate expires it must be replaced with a newer version issued by the same source. If certificates are not refreshed or replaced in a timely manner, access to the affected website or network device is blocked and its operation is hindered. Because SSL certificates are essential not just for connectivity to websites but also to network devices, it is critical to monitor the certificates and report any potential issues so that administrators can take preventive action before the certificates expire.
This test monitors SSL certificates and reports key metrics such as the status, validity and expiry date of each certificate. It also reports metrics related to the configuration of the certificate, which play a vital role in investigating certificate-related issues when they occur. From these metrics, administrators get a clear understanding of any current or potential issue with a certificate.
Target of the test : A Cisco Router
Agent deploying this test : An external agent
Outputs of the test : One set of results for the Cisco router being monitored.
| Parameters | Description |
|---|---|
| Test period | This indicates how often the test should be executed. |
| Host | The host for which the test is to be configured. |
| Port | Specify the port at which the specified host listens. |
| Timeout | Specify the maximum duration (in seconds) for which the test will wait for a response. The default Timeout period is 60 seconds. |
| Targets | If you want to monitor specific SSL-enabled web sites or devices, provide a comma-separated list of {HostIP/Name}:{Port} pairs representing the web sites or devices to be monitored, for example 192.168.10.7:443,192.168.10.8:443. The test connects to each IP/port pair and checks the validity of the certificate associated with that target. One set of metrics is reported for each target; the descriptor is the common name (CN) value of the SSL certificate. By default, this parameter is set to <IP_of_the_monitored_web/application_server>:<Port_on_which_the_server_listens>. If you do not want to monitor the validity of certificates based on configured targets, set this parameter to none. To make the Targets parameter easier to configure, eG Enterprise provides a special interface: click the encircled '+' button alongside the TARGETS text box in the test configuration page. To know how to use this special interface, refer to SSL Certificate Details Test. |
| ProxyHost | The host on which a web proxy server is running (in case a proxy server is to be used). |
| ProxyPort | The port number on which the web proxy server is listening. |
| Proxyusername | The user name for the proxy server. |
| Proxypassword | The password for the proxy server. |
| Confirm password | Confirm the password by retyping it here. |
| All certs | By default, this flag is set to Yes, indicating that all certificates will be monitored, including server certificates, root certificates and intermediate certificates. If you only want to monitor server certificates, select the No option. |
| Report decimal | By default, this flag is set to Yes, indicating that the test reports certificate validity in days, with the remaining hours of the last day represented as a decimal fraction. If you want the test to report only the whole number of days for which the certificate is valid and exclude the remaining hours, set this flag to No. |
| Verify Certificate | In large organizations where thousands of certificates are operational and administrators need to track the validity of each one, full verification of certificates can be an expensive operation. Complete verification is also not required every time the test runs and can be performed on a weekly or monthly basis. This test therefore lets administrators choose between a complete verification of the certificate and a quick validity status report. By default, this flag is set to No, indicating that metrics such as certificate status, validity, trust status and revocation status are not reported. If you want metrics such as certificate status, validity, trust status, revocation status and configuration status to be reported, set this flag to Yes. |
| Max expiry days | In large environments, administrators may use multiple SSL certificates with different expiry periods, and may wish to monitor only the SSL certificates that expire within a specific time period. For this purpose, specify the maximum time period in days against this parameter. The test then reports expiry details only for SSL certificates that expire within the value specified here. |
| DD Frequency | Refers to the frequency with which detailed diagnosis measures are to be generated for this test. The default is 1:1. This indicates that, by default, detailed measures will be generated every time this test runs, and also every time the test detects a problem. You can modify this frequency if you so desire. If you intend to disable the detailed diagnosis capability for this test, specify none against DD frequency. |
| Detailed Diagnosis | To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click the Off option. The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled: |
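The Targets and Verify Certificate parameters above describe what the test needs from a target list and what a quick availability probe versus a full verification involves. The following is an added example written for this page, not eG Enterprise code: it parses a Targets string in the {HostIP/Name}:{Port} format (including the special value none) and attempts a TLS handshake against each target, returning 100 or 0 in the spirit of the SSL connection availability measure. It uses only Python's standard library; the function names are the example's own.

```python
"""Parse the Targets parameter and probe each target for SSL connection availability.

Added illustration, not eG Enterprise code. The target string format
({HostIP/Name}:{Port} pairs, comma-separated, or "none") follows the
parameter description; the probe uses Python's stdlib ssl module.
"""
import socket
import ssl


def parse_targets(targets):
    """Turn '192.168.10.7:443,192.168.10.8:443' into [(host, port), ...].

    The value 'none' (case-insensitive) disables target-based monitoring and
    yields an empty list. Malformed entries raise ValueError instead of being
    silently skipped, so a typo in the configuration is noticed.
    """
    if targets.strip().lower() == "none":
        return []
    pairs = []
    for item in targets.split(","):
        item = item.strip()
        if not item:
            continue
        # rpartition keeps IPv6 literals such as [::1]:443 intact
        host, sep, port = item.rpartition(":")
        if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"malformed target {item!r}: expected host:port")
        pairs.append((host.strip("[]"), int(port)))
    return pairs


def ssl_connection_availability(host, port, timeout=60, verify=False):
    """Return (percent, der_cert): 100 when a TLS handshake completes, else 0.

    verify=False models the quick availability check: the handshake must
    succeed but the chain is not validated, so an expired or self-signed
    certificate still counts as "available". verify=True validates the chain
    and hostname against the system trust store, as a full verification would.
    The DER-encoded peer certificate is returned for further inspection.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # binary_form=True returns the DER certificate even with CERT_NONE
                return 100, tls.getpeercert(binary_form=True)
    except (OSError, ssl.SSLError):
        return 0, None


if __name__ == "__main__":
    # The sample target list is the one from the parameter description.
    for target_host, target_port in parse_targets("192.168.10.7:443,192.168.10.8:443"):
        percent, _ = ssl_connection_availability(target_host, target_port, timeout=5)
        print(f"{target_host}:{target_port} SSL connection availability = {percent}%")
```

With the default Timeout of 60 seconds a single unreachable target can hold up the whole run, so a monitoring agent would normally probe targets concurrently or with a shorter per-target timeout.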
| Measurement | Description | Measurement Unit | Interpretation |
|---|---|---|---|
| SSL certificate validity | Indicates the number of days from the current day for which this SSL certificate will be valid. | Days | Ensuring that SSL certificates are valid is crucial for maintaining secure communication over the internet. When a certificate expires, it can lead to security warnings in web browsers and other client applications, potentially causing trust issues with users and disrupting access to the website or service. To maintain security, administrators need to regularly monitor the expiration dates of SSL certificates and renew them before they expire. Many certificate authorities and certificate management tools offer reminders and automation to help with this process. Use the detailed diagnosis of this measure to find out the details of the SSL certificate such as Order, Type, Version, Serial No, Active Date, Expiry Date, Common Name, Organization, Organization Unit, Locality, State, Country, etc. |
| Certificate status | Indicates the current status of this SSL certificate. | | This measure is reported only when the Verify Certificate parameter is set to Yes. Certificate status is crucial for ensuring the security of communication over the internet. Browsers and other client applications typically check the status of SSL certificates when establishing secure connections to websites. If a certificate's status is invalid, revoked, or expired, it can result in security warnings or errors, indicating potential risks to users. The numeric values that correspond to these measure values are discussed in the table below: Note: By default, this measure reports the Measure Values listed in the table above. In the graph of this measure however, the state of the SSL certificate is represented using the corresponding numeric equivalents only. |
| Thumbprint valid | Indicates whether or not the thumbprint of this SSL certificate is valid. | | Thumbprint validity is crucial to the authenticity of the certificate: a valid thumbprint matches the expected value, indicating that the certificate has not been tampered with and that its contents are intact. If the thumbprint is invalid, the value of this measure will be No. If the thumbprint is valid, the value of this measure will be Yes. The numeric values that correspond to these measure values are discussed in the table below: Note: By default, this measure reports the Measure Values listed in the table above. In the graph of this measure however, the values are represented using the corresponding numeric equivalents only. |
| Is certificate valid? | Indicates whether or not this certificate is valid. | | This measure is reported only when the Verify Certificate parameter is set to Yes. An SSL certificate is issued by a Certificate Authority (CA) for a specific duration, typically ranging from one to three years. During this period, the certificate is considered valid for securing communication between a client (such as a web browser) and a server (such as a website). Expired certificates can lead to security warnings in web browsers and other client applications, potentially causing trust issues with users and disrupting access to the website or service. Therefore, administrators must monitor SSL certificate expiration dates and renew certificates before they expire. If the certificate is invalid, the value of this measure will be No. If the certificate is valid, the value of this measure will be Yes. The numeric values that correspond to these measure values are discussed in the table below: Note: By default, this measure reports the Measure Values listed in the table above. In the graph of this measure however, the values are represented using the corresponding numeric equivalents only. |
| Is certificate trusted? | Indicates whether or not this certificate is from a trusted source. | | This measure is reported only when the Verify Certificate parameter is set to Yes. If the client's trust store includes the root certificate of the CA that issued the SSL certificate (or an intermediate certificate leading up to the root CA), and if the SSL certificate presented by the server is properly signed and not expired, then the certificate is considered trusted. The client will proceed with establishing a secure connection without displaying any warning messages to the user. However, if the SSL certificate presented by the server is self-signed or issued by a CA that is not recognized or trusted by the client, the certificate is considered untrusted. In such cases, the client may display a warning message indicating that the certificate is not trusted, and the user may need to manually verify the certificate's authenticity or choose to proceed at their own risk. The numeric values that correspond to these measure values are discussed in the table below: Note: By default, this measure reports the Measure Values listed in the table above to indicate whether the certificate is from a trusted source. In the graph of this measure however, the values are represented using the corresponding numeric equivalents only. |
| Is certificate expired? | Indicates whether or not this certificate is expired. | | SSL certificates have a defined validity period, typically ranging from one to three years, during which they are considered valid. Beyond this period, the certificate is no longer trusted by clients, and attempts to establish secure connections using the expired certificate will fail. To prevent these issues, administrators need to monitor the expiration dates of SSL certificates and renew them before they expire. This test monitors the certificate expiry date and allows administrators to take action before the certificate expires. The numeric values that correspond to these measure values are discussed in the table below: Note: By default, this measure reports the Measure Values listed in the table above to indicate whether the certificate is expired. In the graph of this measure however, the values are represented using the corresponding numeric equivalents only. |
| Is certificate revoked? | Indicates whether or not this certificate is revoked. | | This measure is reported only when the Verify Certificate parameter is set to Yes. Revocation prevents the use of compromised or unauthorized certificates, helping to protect against potential security threats. When an SSL certificate is revoked, the certificate has been invalidated by the issuing CA due to security concerns, and clients should not trust or use the certificate for secure communication. The numeric values that correspond to these measure values are discussed in the table below: Note: By default, this measure reports the Measure Values listed in the table above to indicate whether the certificate is revoked. In the graph of this measure however, the values are represented using the corresponding numeric equivalents only. |
| Is certificate self signed? | Indicates whether or not this certificate is self signed. | | When an SSL (Secure Sockets Layer) certificate is described as "self-signed," the entity that created the certificate has also signed it. This has implications for trust. While a self-signed certificate can provide encryption between a client and server, it lacks the external validation provided by a Certificate Authority. Therefore, web browsers and other applications typically display a warning when encountering a self-signed certificate, indicating that the certificate is not trusted. For production environments or public-facing websites, it is recommended to use certificates signed by a recognized CA to ensure trustworthiness and avoid warning messages for users. The numeric values that correspond to these measure values are discussed in the table below: Note: By default, this measure reports the Measure Values listed in the table above to indicate whether the certificate is self signed. In the graph of this measure however, the values are represented using the corresponding numeric equivalents only. |
| Is private certificate configured? | Indicates whether or not the configured certificate is a private certificate. | | This indicates that the private key required for decrypting data encrypted with the corresponding public key is properly set up and available. Without the private key, data encrypted with the public key cannot be decrypted, rendering the SSL certificate ineffective for secure communication. The numeric values that correspond to these measure values are discussed in the table below: Note: By default, this measure reports the Measure Values listed in the table above to indicate whether the certificate is a private certificate. In the graph of this measure however, the values are represented using the corresponding numeric equivalents only. |
| Is certificate used before active date? | Indicates whether or not this certificate is used before its active date. | | The validity period of a certificate includes a start date (also known as the activation date) and an end date (the expiration date). Attempting to use a certificate before its active date can lead to several issues: security risks, since the certificate may not yet be authorized for use; rejected connections, since clients (such as web browsers) may refuse certificates that are not yet active, displaying warning messages to users and potentially disrupting access to the website or service; and violation of organizational policies. The numeric values that correspond to these measure values are discussed in the table below: Note: By default, this measure reports the Measure Values listed in the table above to indicate whether the certificate is used before its active date. In the graph of this measure however, the values are represented using the corresponding numeric equivalents only. |
| Is certificate having untrusted root? | Indicates whether or not this certificate has an untrusted root. | | This measure is reported only when the Verify Certificate parameter is set to Yes. If an SSL certificate's chain of trust does not lead back to a trusted root Certificate Authority, it is considered to have an untrusted root. This can happen for several reasons: (a) the server may not be configured to provide the necessary intermediate certificates during the SSL handshake, and without the complete chain the client cannot verify the certificate's authenticity; (b) the SSL certificate is self-signed; (c) the intermediate certificates are incorrect or expired. In these cases, the client typically shows a warning to the user. Resolving the issue usually involves ensuring that the server presents the complete chain of trust during the SSL handshake. The numeric values that correspond to these measure values are discussed in the table below: Note: By default, this measure reports the Measure Values listed in the table above to indicate whether the certificate has an untrusted root. In the graph of this measure however, the values are represented using the corresponding numeric equivalents only. |
| Is Common Name(CN) available for the certificate? | Indicates whether or not a common name is available for this certificate. | | The CN is the primary domain name for which the certificate is issued; it is essentially the name that the certificate is meant to secure. For example, if you have a website with the domain name "example.com," the Common Name field in the SSL certificate for that website would typically be "example.com." A valid Common Name is crucial because it allows web browsers and other client applications to verify that they are communicating securely with the intended domain. When a client connects to a server, it checks the Common Name in the certificate presented by the server against the domain name it is trying to connect to. The numeric values that correspond to these measure values are discussed in the table below: Note: By default, this measure reports the Measure Values listed in the table above to indicate whether a common name is available for the certificate. In the graph of this measure however, the values are represented using the corresponding numeric equivalents only. |
| Is Subject available for the certificate? | Indicates whether or not a subject is available for this certificate. | | The subject typically includes information such as the organization's name (if applicable) and the domain name associated with the certificate. During the SSL handshake, the client checks the subject information in the certificate presented by the server to ensure that it matches the domain name the client is trying to connect to. If there is a mismatch or the subject information is missing, the client may display a warning indicating a potential security issue. The numeric values that correspond to these measure values are discussed in the table below: Note: By default, this measure reports the Measure Values listed in the table above to indicate whether a subject is available for the certificate. In the graph of this measure however, the values are represented using the corresponding numeric equivalents only. |
| Is certificate having mismatched domain? | Indicates whether or not this certificate has a mismatched domain. | | This measure is reported only when the Verify Certificate parameter is set to Yes. If a certificate's subject lists, for example, "domain.com" as the domain, but the client is attempting to connect to "subdomain.domain.com" or "anotherdomain.com," this is considered a domain mismatch. When a domain mismatch occurs, web browsers and other client applications typically display a warning message to the user indicating that the connection may not be secure. Resolving domain mismatches usually involves obtaining a new SSL certificate with the correct domain information or adjusting server configurations to match the certificate's subject. The numeric values that correspond to these measure values are discussed in the table below: Note: By default, this measure reports the Measure Values listed in the table above to indicate whether the certificate has a mismatched domain. In the graph of this measure however, the values are represented using the corresponding numeric equivalents only. |
| Is having valid certificate chain? | Indicates whether or not a valid certificate chain is available for this certificate. | | This measure is reported only when the Verify Certificate parameter is set to Yes. SSL certificates are often issued by intermediate Certificate Authorities (CAs), which themselves may be signed by a higher-level CA, forming a chain of trust that eventually leads back to a trusted root CA. If the server does not present every link of that chain, the client cannot build a path to a trusted root and typically shows a warning to the user. Resolving the issue usually involves ensuring that the server presents the complete chain of trust during the SSL handshake. The numeric values that correspond to these measure values are discussed in the table below: Note: By default, this measure reports the Measure Values listed in the table above to indicate whether the certificate has a valid certificate chain. In the graph of this measure however, the values are represented using the corresponding numeric equivalents only. |
| Public key size | Indicates the size of the public key on this certificate. | Bits | The public key size in SSL certificates refers to the length of the cryptographic key used for secure communication. 2048-bit RSA keys are currently secure and widely accepted. For long-term security, consider 3072-bit keys. However, upgrading to 4096 bits should be done cautiously due to performance considerations. The maximum size of a public key in an SSL certificate is 4096 bits. The default key size can be 2048 bits or 4096 bits. |
| Available Subject Alternative Names(SAN) | Indicates the number of SANs available for this certificate. | Number | SANs are additional domain names or hostnames that can be included in an SSL certificate alongside the primary domain name (CN or Common Name). They are particularly useful in scenarios like multi-domain hosting, wildcard SSL certificates, or Unified Communications (UC) certificates, where a single certificate can cover multiple domain names or subdomains. The Subject Alternative Name (SAN) is an extension to the X.509 specification that allows users to specify additional host names for a single SSL certificate; an SSL certificate with more than one name carries those names in the SAN extension. |
| SSL connection availability | Indicates the availability of an SSL connection to the target presenting this SSL certificate. | Percent | If the measure value is 0, an SSL connection to this SSL certificate's target is not available. If the measure value is 100, an SSL connection is available. |
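The measures in the table above are mostly derived from a handful of certificate fields: the notBefore and notAfter dates, the subject and issuer names, and the Subject Alternative Name extension. The following is an added example written for this page, not eG Enterprise code, showing how those fields yield SSL certificate validity (with and without the Report decimal fraction), Is certificate expired?, Is certificate used before active date?, Is certificate self signed?, Is Common Name(CN) available?, Is Subject available?, Available Subject Alternative Names(SAN), Is certificate having mismatched domain? and the Max expiry days window. The input layout is the dictionary that Python's ssl.SSLSocket.getpeercert() returns; the sample certificate, the function names and the Yes/No-to-boolean mapping are the example's own assumptions. Hostname matching follows RFC 6125 rules (SANs take precedence over the CN; a wildcard covers exactly one left-most label), which is stricter than the page's two-sentence description.

```python
"""Derive the certificate measures from a parsed X.509 certificate.

Added illustration, not eG Enterprise code. The input follows the dict
layout of ssl.SSLSocket.getpeercert(); SAMPLE_CERT is constructed here
and is not a real certificate.
"""
import ssl
import time

# Constructed sample in getpeercert() layout (assumed values, not real data).
SAMPLE_CERT = {
    "subject": ((("commonName", "router.example.net"),), (("organizationName", "Example"),)),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "router.example.net"), ("DNS", "*.mgmt.example.net")),
}


def to_seconds(cert_time):
    """Parse a certificate time such as 'Jan  1 00:00:00 2026 GMT' to UTC epoch seconds."""
    return ssl.cert_time_to_seconds(cert_time)


def _rdn_value(name, key):
    """Return the first value for `key` (e.g. 'commonName') in a subject/issuer tuple."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def hostname_matches(pattern, hostname):
    """RFC 6125-style match: case-insensitive; '*' only as the whole left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], hostname.split(".")
        # The wildcard covers exactly one label: *.example.net matches a.example.net
        # but neither example.net nor a.b.example.net.
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return False


def domain_mismatch(cert, target_host):
    """True when neither a DNS SAN nor (absent SANs) the CN matches the connected host."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # the CN is only consulted when the certificate carries no DNS SANs
        cn = _rdn_value(cert["subject"], "commonName")
        names = [cn] if cn else []
    return not any(hostname_matches(n, target_host) for n in names)


def certificate_measures(cert, target_host, now_seconds=None,
                         report_decimal=True, max_expiry_days=None):
    """Compute the measure values; booleans stand in for the page's Yes/No values."""
    now_s = time.time() if now_seconds is None else now_seconds
    not_before, not_after = to_seconds(cert["notBefore"]), to_seconds(cert["notAfter"])
    remaining_days = (not_after - now_s) / 86400
    # Report decimal = Yes keeps the fraction of a day; No reports whole days only.
    validity = round(remaining_days, 2) if report_decimal else int(remaining_days)
    cn = _rdn_value(cert["subject"], "commonName")
    measures = {
        "ssl_certificate_validity": validity,
        "is_expired": now_s > not_after,
        "used_before_active_date": now_s < not_before,
        "is_self_signed": cert["subject"] == cert["issuer"],
        "cn_available": cn is not None,
        "subject_available": bool(cert.get("subject")),
        "san_count": sum(1 for kind, _ in cert.get("subjectAltName", ()) if kind == "DNS"),
        "mismatched_domain": domain_mismatch(cert, target_host),
    }
    # Max expiry days: expiry details are reported only for certificates that
    # expire within the window (assumed reading of the parameter description).
    if max_expiry_days is not None and remaining_days > max_expiry_days:
        measures["ssl_certificate_validity"] = None
    return measures


if __name__ == "__main__":
    for key, value in certificate_measures(SAMPLE_CERT, "router.example.net").items():
        print(f"{key}: {value}")
```

Comparing subject and issuer tuples is only an indicator of self-signing; a full verification would also check that the certificate's signature validates under its own public key, which is what the Verify Certificate = Yes path would do with a real cryptographic library.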