SSL Certificates Test

In the Citrix NetScaler VPX/MPX appliance, SSL certificates are used to establish the secure connection between the users and the web applications that are accessed by the users via the appliance. The SSL certificates are important to maintain the confidentiality of data and also organization’s reputation and integrity. The SSL certificates are small data files that digitally bind a cryptographic key to organization’s details. With the SSL certificates, data is encrypted prior to being transmitted via Internet, and the encrypted data can be decrypted only by the application server to which you actually send it. This ensures that the information you transmit will not be stolen. Typically, the SSL certificates are prepared with a specific validity time beyond which the connections will be no longer secure. If the certificates are suddenly expires, the users will no longer be able to access the applications and encounter the applications with the expired SSL certificate. To avoid this, administrators should proactively identify certificates nearing expiry and renew the certificates before expiry. This is where the SSL Certificates test helps administrators!

This test monitors all the SSL certificates that have been configured for the Citrix NetScaler VPX/MPX appliance. For each SSL certificate, this test captures the expiry date of the SSL certificates, computes how long each certificate will remain valid, and proactively alerts administrators if any certificate is nearing expiry. In addition, this test also reports the current status of each certificate and checks whether the expiry monitor for each SSL certificate has been enabled or not.

Target of the test : A NetScaler VPX/MPX

Agent deploying the test : A remote agent

Outputs of the test : One set of results for every SSL certificate on the NetScaler VPX/MPX being monitored.

Configurable parameters for the test
Parameter Description

Test Period

How often should the test be executed.

Host

The IP address of the host for which the test is being configured.

NetScaler Username and NetScaler Password

To monitor a NetScaler device, the eG agent should be configured with the credentials of a user with read-only privileges to the target NetScaler device. Specify the credentials of such a user in the NetScaler Username and NetScaler Password text boxes.

Confirm Password

Confirm the NetScaler Password by retyping it here.

SSL

The eG agent collects performance metrics by invoking NITRO (NetScaler Interface Through Restful interfaces and Objects) APIs on the target NetScaler device. Typically, the NITRO APIs can be invoked through the HTTP or the HTTPS mode. By default, the eG agent invokes the NITRO APIs using the HTTPS mode. This is why, the SSL flag is set to Yes by default. If the target NetScaler device is not SSL-enabled, then the NITRO APIs can be accessed through the HTTP mode only. In this case, set the SSL flag to No.

Detailed Diagnosis

To make diagnosis more efficient and accurate, the eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option.

The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

  • The eG manager license should allow the detailed diagnosis capability
  • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.
Measurements of the test
Measurement Description Measurement Unit Interpretation

Days to expire

Indicates the number of days from the current day for which this SSL certificate will be valid.

Number

A high value is preferred for this measure. A low value of this measure indicates that the SSL certificate is going to be expired soon and you should update the certificate before it expires.

The detailed diagnosis of this measure reveals the key file name, the format of the certificate file and the notification period beyond which the alert will be generated.

Status

Indicates the current status of this SSL certificate.

 

The values that this measure can report and their numeric equivalents are listed in the table below:

Measure Value Numeric Value
Valid 0
Expired 1

Note:

By default, this measure reports the above-mentioned Measure Values to indicate the state of the SSL certificate. However, in the graph of this measure the SSL certificate state will be represented using the corresponding numeric equivalents only - i.e., 0 or 1.

Expiry monitor

Indicates whether/not the Expiry Monitor has been enabled for this SSL certificate.

 

The values that this measure can report and their numeric equivalents are listed in the table below:

Measure Value Numeric Value
Enabled 0
Disabled 1

Note:

By default, this measure reports the above-mentioned Measure Values to indicate whether the Expiry Monitor has been enabled for each SSL certificate. However, in the graph of this measure the SSL certificate state will be represented using the corresponding numeric equivalents only - i.e., 0 or 1.

The detailed diagnosis of the Days to expire measure reveals the file name of the SSL certificate, the key file name, the format of the certificate file and also displays the notification period beyond which the alert will be generated.

Figure 1 : The detailed diagnosis of the Days to expire measure