(DC) Certificate Monitoring

Reminder Methods

There are various methods that can help you know in advance of an impending certificate expiration. It is best to set up a couple of methods to ensure you do not miss reminders.

REMEMBER: Certificate expiration tracking is the responsibility of the customer. Tools are available to help remind you to request renewals.

Email Notification

Every certificate generated through the InCommon certificate management system can have a group email address (UTList) associated with it when it is requested or renewed. The InCommon tool notifies service owners with a "heads-up" email 60 days before a certificate expires, using that group email address as the contact for expiration reminders. Please open a ticket with cert-request@its.utexas.edu if that group email address needs to be updated.

Email has its own issues and should not be relied upon as the sole reminder method. Email filters and address book updates should be set up to ensure delivery of the reminder emails.

Third-party monitoring tools

Utilize the third-party tool found on the "SSL Shopper" website.   This will work for PUBLIC facing URLs only.  Enter the URL, and then click "Remind Me", and the site will send an email reminder based on the number of days specified before expiration.

Splunk Alerts

The following Splunk Dashboard provides a list of certificates, their expiration date and the number of days before expiration.

You can use the Splunk SPL (search) behind this dashboard to set up Splunk Alerts to perform numerous actions that can help you remember to do something about impending expiration dates.

index=service-monitoring sourcetype=InCommonSectigoCertData commonName="{{FQDN}}"
| spath input=certObj
| eval expiration = strftime(strptime(expires, "%Y-%m-%d"), "%Y-%m-%d")
| eval daysToExpiration = round((strptime(expires, "%Y-%m-%d") - now())/86400,0)
| where daysToExpiration <= {{days before alerting}}
| dedup commonName
| table commonName, expiration, daysToExpiration

  1. Copy the above Splunk SPL.

  2. Open a web browser with the following URL:  https://splunk.security.utexas.edu/

  3. Paste the above Splunk SPL into the search box.

    Note: You can use the following LINK as a shortcut to steps 1-3.  Right click on the LINK to choose to open it in another tab/window.

     

  4. Change the {{FQDN}} to the FQDN of the certificate that you want it to alert you about.

  5. Change the {{days before alerting}} to the number of days before expiration that you want to be reminded.

  6. Click the button.

  7. Click the menu and choose "Alert".

  8. In the dialog that appears:

    1. Enter a title and description.

    2. Under "Alert type: Scheduled", choose "Run every day" from the pull-down menu.

    3. Ensure the "Trigger alert when" is set to "Number of Results"

    4. Ensure that "is greater than" is chosen, and ZERO (0) is put into the value box.

    5. Ensure it is set to "Once" in the "Trigger" section.

    6. In "Trigger Actions" choose from the numerous types of things to do when the condition is true.

  9. Click Save.

You can locate all your alerts under the "Alerts" sub-menu on the main Splunk.
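
The calculation behind the search above, reproduced in Python as an added example (it is not part of the original page or of the Splunk dashboard). It runs over several names at once rather than one {{FQDN}}, uses constructed records, and assumes UTC dates and an index that can hold more than one event per commonName (for example, one from before a renewal); it shows that filtering before `dedup`, as the search does, still reports a renewed certificate's older record, and that already-expired certificates match with a negative day count.

```python
from datetime import datetime, timezone

# Constructed sample events (not real data); field names follow the search above.
# Newest event first, the order in which Splunk returns results.
RECORDS = [
    {"commonName": "app.example.edu", "expires": "2026-03-01"},  # after renewal
    {"commonName": "app.example.edu", "expires": "2025-03-01"},  # before renewal
    {"commonName": "db.example.edu", "expires": "2025-02-20"},
    {"commonName": "old.example.edu", "expires": "2025-01-15"},  # already expired
]
NOW = datetime(2025, 2, 1, tzinfo=timezone.utc)  # fixed "now" so results repeat


def days_to_expiration(expires, now=NOW):
    """round((strptime(expires, "%Y-%m-%d") - now()) / 86400, 0), assuming UTC."""
    exp = datetime.strptime(expires, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return round((exp - now).total_seconds() / 86400)


def dedup(rows):
    """Keep the first row per commonName, as `dedup commonName` does."""
    seen, kept = set(), []
    for row in rows:
        if row["commonName"] not in seen:
            seen.add(row["commonName"])
            kept.append(row)
    return kept


def expiring(rows, threshold, dedup_first=False, now=NOW):
    """Return (commonName, daysToExpiration) pairs at or under the threshold.

    dedup_first=False is the order used in the search (where, then dedup);
    dedup_first=True keeps only the newest event per name before filtering.
    """
    rows = [dict(r, days=days_to_expiration(r["expires"], now)) for r in rows]
    if dedup_first:
        rows = dedup(rows)
    rows = [r for r in rows if r["days"] <= threshold]
    return [(r["commonName"], r["days"]) for r in dedup(rows)]


if __name__ == "__main__":
    print("where | dedup:", expiring(RECORDS, 30))
    print("dedup | where:", expiring(RECORDS, 30, dedup_first=True))
```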

Calendar Notification

A calendar is the easiest and probably the safest method of remembering when certificates expire, and it allows custom pro-active notifications at custom intervals for multiple certificates and services.  Create events in the calendar on the date of each expiration, with alerts.

JIRA or WIKI Notifications / Alerts

Set up a JIRA task with notification or a WIKI article with a list of certificates and their expiration dates.  Task the responsible service owners using the "@" functionality and the "//" to specify a date.

  • Mention a person or team (@)

  • Type "//" to bring up a date selector.  Choose a date in the future (a week or more before the expiration).  Make sure reminders are turned on in your Confluence WIKI settings so that you get email or GUI notifications when that date approaches.

Enterprise Certificate Monitoring Tools

These tools are provided by the Enterprise Monitoring and Metrics Team.  Many of the monitoring tools that ITS-Systems provides can help monitor certificates and their expiration dates.  They are currently available to UT Enterprise Technology customers.

Zenoss

Zenoss can perform certificate expiration checks. The default settings alert you 14 days in advance (as a warning), and a critical alert is triggered on the day before the certificate expires.  Custom monitoring intervals and types of alerts can be created per service.

ThousandEyes

ThousandEyes can send you an alert when the certificate is about to expire, giving you advance warning.  You can set the warning any number of days in advance.

Set up monitoring using either Zenoss or ThousandEyes by visiting: