-1

For enterprise wide systems wherein SSL certs are utilized, what is the best way of monitoring root CAs or intermediate CAs?

If the systems were on Linux OS.

Are there nagios checks that can catch verification for root CAs?

tw1stud
  • 31
  • 5
  • "*Checks that can catch verification*"? What exactly do you mean by that? – MadHatter Jul 28 '14 at 18:44
  • What type of monitoring do you mean? Checking whether they're going to expire, or whether the list is too large or small? – Andrew Schulman Jul 28 '14 at 19:15
  • I would like to see if 'root.certificate or intermediate certificate' in a host is expiring or within expiry of N days. But I would like to club this with an ongoing SSL certificate check...instead of running curl-config checks on a cacert bundle and then the ssl cert check... I should add some clarity to my question editing it.. – tw1stud Jul 28 '14 at 21:06
  • Basically I would like to verify the SSL Chain ....observing expiration for SSL Certs + Intermediate/Root CA – tw1stud Jul 28 '14 at 21:31

1 Answers1

0

Yes there are existing Nagios checks (and can also be very easily written in Perl for example) to determine if a Cert is going to expire.

http://exchange.nagios.org/directory/Plugins/Network-Protocols/HTTP/check_ssl_certificate/details (check_ssl_certificate)

usedTobeaMember
  • 616
  • 15
  • 25
  • This checks for an SSL Certificate, I would be interested to see if it can catch root or intermediate certificate expiry too – tw1stud Jul 28 '14 at 21:04
  • This also can check expiry information. If you wish to check expiry on a intermediate cert, you can do it the same way you would with a regular cert I believe. You use the same openssl commands to read an intermediate x509 cert that you do with a regular certificate. – usedTobeaMember Jul 28 '14 at 21:25