Cecilia Gripenberg – Senior Consultant
It happens too often
How many times have you had your SSL certificates expire and had customer-facing sites show up as being untrusted in users’ web browsers? This happens all too often and is embarrassing. And it is entirely avoidable.
Expiration is by design
SSL certificates are not meant to last forever, because they tell clients (web browsers and other software) who you are. All major suppliers currently limit them to 2 years. This helps to reduce the number of vulnerable certificates (which could be misused) in the wild. It also means that expirations will continue to be a fact of life for the foreseeable future.
Monitor them with your monitoring system
The solution is simple: add all your hosts to Nagios and have the certificate expiration dates monitored. This is the most straightforward way.
But what if you have a lot of certificates?
One of our customers has over 400 valid SSL certificates. To check all of them this way, you have to configure every single service check manually. That takes time, and the amount of work is significant.
There is a solution
Fortunately, there is an easier way to do this. This is where RFC 6962, better known as Certificate Transparency (CT), comes in. In 2011, a reseller of SSL certificates was compromised, so certificates may have been granted to parties that did not own the domain names in question. In response, the Internet Engineering Task Force introduced the concept of CT. It means that all Certificate Authorities (CAs) must publicly log which certificates they have granted. This makes it easier to spot security issues and revoke certificates in case of breaches.

Certificate transparency means everyone knows if a domain has been issued new certificates
How does CT fit in here?
Since CT logs are public, they can be searched. And since those logs contain domain names and certificate validity dates, the data can be monitored. Now your monitoring system can alert you if a certificate has not been renewed.
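An added example, not from the original article: a Nagios-style check that takes the latest expiry logged for each name, since a CT log keeps every certificate ever issued and a renewal appears as a new entry beside the old one. It assumes records shaped like a CT search service's JSON output with `name_value` and `not_after` fields; the sample records and host names are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records, shaped like a CT search service's JSON output.
# The field names (name_value, not_after) are an assumption, not from the article.
SAMPLE = [
    {"name_value": "www.example.test", "not_after": "2024-03-01T12:00:00"},
    {"name_value": "www.example.test", "not_after": "2025-03-01T12:00:00"},  # renewal
    {"name_value": "shop.example.test\napi.example.test", "not_after": "2024-06-10T12:00:00"},
    {"name_value": "old.example.test", "not_after": "2024-05-20T12:00:00"},
]

def latest_expiry(records):
    """Map each logged name to the latest not_after seen for it."""
    latest = {}
    for rec in records:
        expires = datetime.strptime(rec["not_after"], "%Y-%m-%dT%H:%M:%S")
        # One certificate can cover several names, one per line.
        for name in rec["name_value"].splitlines():
            name = name.strip().lower()
            if name and expires > latest.get(name, datetime.min):
                latest[name] = expires
    return latest

def check(records, now, warn_days=30, crit_days=7):
    """Return (nagios_exit_code, message): 0 OK, 1 WARNING, 2 CRITICAL."""
    warn, crit = [], []
    for name, expires in sorted(latest_expiry(records).items()):
        left = expires - now
        if left <= timedelta(days=crit_days):
            crit.append(f"{name} ({left.days}d)")
        elif left <= timedelta(days=warn_days):
            warn.append(f"{name} ({left.days}d)")
    if crit:
        return 2, "CRITICAL: " + ", ".join(crit + warn)
    if warn:
        return 1, "WARNING: " + ", ".join(warn)
    return 0, "OK: every logged name has a certificate valid beyond the warning window"

if __name__ == "__main__":
    # A real plugin would pass `code` to sys.exit(); here it is only printed.
    code, message = check(SAMPLE, now=datetime(2024, 5, 15, 12, 0, 0))
    print(f"exit={code} {message}")
```

A name whose newest logged certificate is already past its expiry date also lands in the CRITICAL list, with a negative day count.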
Limitations
CT logs are public, and private CAs are not subject to this logging requirement. This means you will have to monitor the systems that use private CA certificates using other methods. But you could always publish your logs internally.
They are essential and should be monitored
As you can see, there is a bit to think about when it comes to certificates. Fortunately, they can be monitored with relative ease once you know how.
Let us help
We’ve worked with customers to ensure their certificate expirations don’t surprise them. Please don’t hesitate to contact us, should you need any help.
About the author

Deep knowledge of Icinga, op5 Monitor and Nagios. Plugin developer and automation engineer with a focus on Ansible.