SSL Certificate Expiry Test

SSL certificates are important for maintaining the confidentiality of data and an organization's reputation and integrity. An SSL certificate is a small data file that digitally binds a cryptographic key to an organization's details. With SSL certificates, data is encrypted prior to transmission over the Internet, and the encrypted data can be decrypted only by the application server to which you actually send it. This keeps the information you transmit safe from theft in transit. Typically, SSL certificates come with a specific validity period, beyond which the connections secured by the certificates will no longer be secure. If the certificates suddenly expire, users will no longer be able to access the applications and will instead be presented with the expired SSL certificate. To avoid this, administrators should proactively identify the SSL certificates that are nearing expiry and renew them before they reach their expiry date. This is where the SSL Certificate Expiry test helps administrators!


This test monitors all the SSL certificates that are configured for the target Windows host. For each SSL certificate, this test captures the expiry date, computes how long the certificate will remain valid, and proactively alerts administrators if any certificate is nearing expiry.

This test is disabled by default. To enable the test, go to the enable / disable tests page using the menu sequence: Agents -> Tests -> Enable/Disable, pick the desired Component type, set Performance as the Test type, choose the test from the disabled tests list, and click on the < button to move the test to the ENABLED TESTS list. Finally, click the Update button.

Target of the test : A Windows host

Agent deploying the test : An internal agent

Outputs of the test : One set of results for every SSL certificate on the target Windows host being monitored.

Configurable parameters for the test
Parameter : Description

Test Period : How often should the test be executed.

Host : The IP address of the host for which the test is being configured.

Port : Specify the port on which the target host listens.

Expiry in Days : Specify the time period in days during which this test should report the expiry details of the SSL certificates.

Thumbprint : By default, none is specified against this parameter, indicating that this test will monitor all the SSL certificates on the target host. Sometimes, administrators may only want to track the expiry of an SSL certificate that secures the most critical connection, so as to ensure continuous availability of the certificate. To achieve this, administrators can specify the thumbprint/fingerprint of that particular SSL certificate in the Thumbprint field. A thumbprint/fingerprint is the unique identifier of the SSL certificate and has the following format: 934367bf1c97033f877db0f15cb1b586957d313. Specifying the thumbprint will enable the test to monitor only the SSL certificate whose thumbprint has been configured.

For instance, to check a certificate's fingerprint/thumbprint in Internet Explorer, follow these steps:

  • Open Internet Explorer

  • Go to Tools > Internet Options

  • Click Content tab > Certificates

  • In the Certificates window, click on the tab for the certificate you want to examine (Personal, Other People, Intermediate Certification Authorities, Trusted Root Certification Authorities)

  • Locate the certificate or root in the list

  • Double click on the entry

  • Click the Details tab

  • Scroll to Thumbprint, the Thumbprint details will be displayed.

Detailed Diagnosis : To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option.

The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

  • The eG manager license should allow the detailed diagnosis capability
  • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.

Measurements of the test

Measurement : Time to SSL certificate expiry

Description : Indicates the number of days from the current day for which this SSL certificate will be valid.

Measurement Unit : Number

Interpretation : A high value is preferred for this measure. A low value of this measure indicates that the SSL certificate is nearing expiry and you should update the certificate as soon as possible.

The detailed diagnosis of this measure reveals the key file name, the format of the certificate file and the notification period beyond which the alert will be generated.

Using the detailed diagnosis of the Time to SSL certificate expiry measure, administrators can find out who issued the SSL certificate and to whom the SSL certificate was issued. The detailed diagnosis also reveals the thumbprint, exact expiry date and version of the SSL certificate. In addition, the location where the certificate is installed is also displayed.

Figure 1 : The detailed diagnosis of the Time to SSL certificate expiry measure
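
The same check can be reproduced by hand on the Windows host through PowerShell's certificate provider, which also lists each thumbprint without going through the Internet Explorer dialog. This is an added example, not eG Enterprise code; the function name Get-CertificateExpiry, its parameter names and the 30-day threshold are assumptions chosen to mirror the Expiry in Days and Thumbprint parameters described above.

```powershell
# Added example (not eG Enterprise code). Function and parameter names are
# assumptions that mirror the test's "Expiry in Days" and "Thumbprint" settings.
function Get-CertificateExpiry {
    [CmdletBinding()]
    param(
        [int]$ExpiryInDays = 30,            # assumed alert threshold, in days
        [string]$Thumbprint = 'none',       # 'none' = report every certificate
        [string]$StorePath = 'Cert:\LocalMachine'
    )

    # A thumbprint pasted from a certificate dialog can carry spaces or
    # invisible characters, so keep only the hex digits before comparing.
    $wanted = $null
    if ($Thumbprint -and $Thumbprint -ne 'none') {
        $wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    }

    $now = Get-Date
    Get-ChildItem -Path $StorePath -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        Where-Object { (-not $wanted) -or ($_.Thumbprint -eq $wanted) } |
        ForEach-Object {
            # Whole days of validity left; a negative value means already expired.
            $daysLeft = [math]::Floor(($_.NotAfter - $now).TotalDays)
            if ($daysLeft -lt 0) { $status = 'Expired' }
            elseif ($daysLeft -le $ExpiryInDays) { $status = 'NearingExpiry' }
            else { $status = 'OK' }

            [pscustomobject]@{
                Store      = $_.PSParentPath -replace '^.*::', ''  # e.g. LocalMachine\My
                Subject    = $_.Subject       # to whom the certificate was issued
                Issuer     = $_.Issuer        # who issued it
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter      # exact expiry date
                Version    = $_.Version
                DaysLeft   = $daysLeft
                Status     = $status
            }
        }
}

# Report every certificate that is expired or within 30 days of expiry, soonest first.
Get-CertificateExpiry -ExpiryInDays 30 |
    Where-Object Status -ne 'OK' |
    Sort-Object DaysLeft |
    Format-Table Store, Subject, Thumbprint, NotAfter, DaysLeft, Status -AutoSize
```

Passing -Thumbprint with the value copied from the certificate's Details tab restricts the report to that one certificate, matching the behaviour of the Thumbprint parameter.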