SSL/TLS Certificate
SSL/TLS certificates encrypt the data transferred to and from the website of the certificate holder. Site24x7's SSL/TLS Certificate monitor performs multiple checks, such as certificate validity (to notify you about the expiry of your domain's SSL/TLS certificate in advance), OCSP checks (to inform you about any revoked certificate), and blacklisted checks (to notify you about any potential blacklisted certifying authority). Additionally, you can set up a SHA-1 Fingerprint threshold to detect any potential certificate tampering. This way, you can be sure of providing a safe environment for your website visitors and also enhance the credibility of your website.
Table of Contents
- Add an SSL/TLS Certificate Monitor
- General Settings
- Configuration Profiles
- Alert Settings
- Third-Party Integration
Add an SSL/TLS Certificate Monitor
- Log in to Site24x7.
- Click Admin > Inventory > Monitor > Add Monitors.
- Select SSL/TLS Certificate in the Add Monitors screen.
- Specify the following details to add this monitor:
- Display name: Provide a name to identify this monitor in the dashboard.
- Host and port: Specify the IP address or domain name of the host, and the port number.
You can configure protocols such as HTTPS, POPS, SMTPS, IMAPS, FTPS. The host must accept an SSL/TLS handshake on the port.
Default port for HTTPS is 443.
- STARTTLS: Enabling this option will establish a secured connection after an initial unencrypted connection using a single port.
- Certificate expiry threshold: A notification is raised this many days before the certificate expires. The monitor's status changes to Trouble when this threshold is breached.
- Skip hostname verification: Do not verify that the hostname on the certificate matches the host specified above. Enable this if you've specified an IP address or a different hostname than on the certificate.
- Ignore trust certification path: Use this option to validate the SSL/TLS certificate chain. Enable this if you don't wish to identify any potential revocation information about your host's certificate. By default, this will be disabled to allow detection of any potential revocation of your host's certificate.
When an SSL/TLS Certificate Trust Check fails, it may be due to conditions such as "Self-signed certificate", "Intermediate certificates missing", or "Intermediate certificate chain incorrect". Site24x7 will correctly identify and highlight this issue in the Monitor Details Summary tab. For any other condition, the default message will be shown. Know more.
- Force IP Address: You can enter the IP address of the domain name given in the host field above. This IP will be used directly instead of resolving the domain name first.
- Monitoring locations: Choose an existing Location Profile or create a new one. SSL/TLS certificate checks will be performed from the primary location alone.
To know more, refer to Location Profile.
- Monitor Groups: Choose an existing Monitor Group or create a new one. Monitors can be organized into Monitor Groups to ease administration.
To learn how to create a monitor group for your monitors, refer to Monitor Groups.
- Dependent on monitor: Pick a monitor from the drop-down list to specify it as your dependent resource. You can add up to 5 monitors as dependent resources. Alerts to your monitor will be suppressed based on the DOWN status of your dependent resource.
Configuring a dependent resource and suppressing alerts based on the dependent resource's status is part of providing you with better false alerts protection. Learn more about alert suppression at monitor level.
If you select "None" in the dependent resource field, alerting will progress as per your normal configuration settings. No alerts will be suppressed in this case as the monitor doesn't have any dependent resource.
Multiple monitor group support for monitors allows a monitor to be associated with multiple dependent resources in different monitor groups. If during a normal monitor status check, any one of these dependent resources' status is identified as DOWN, the alert for the monitor will be automatically suppressed. However, the dependency configuration at monitor level is always given higher priority over any other monitor group level dependency configuration for suppressing alerts.
- Specify the following details for Configuration Profiles:
- Threshold and Availability: Pick a preset threshold profile from the drop down list or create a threshold to get notified when the SHA-1 Fingerprint check fails or before your certificate expires.
Tell me more about setting up a threshold profile for an SSL/TLS Certificate.
- Tags: Associate your monitor with predefined Tag(s) to help organize and manage your monitors creatively. Learn how to add Tags.
- IT Automation: Select an automation to be executed when the website is down/trouble/up/any status change/any attribute change. The defined action gets executed when there is a state change and selected user groups are alerted.
To automate corrective actions on failure, refer to IT Automation.
- Exclude IT Automation during Scheduled Maintenance: Use the check box to enable this option and to exclude automation during maintenance.
- Alert Settings:
- User Alert Group: Select the user alert group that needs to be alerted during an outage. To add multiple users in a group, see User Groups.
- Checks performed: Site24x7 performs the following checks to detect and validate whether the certificate issued by the CA is valid, cancelled, or blacklisted:
- Certificate Validity: Check the trustworthiness and validity of the SSL/TLS Certificate. To verify whether the certificate of the issuing certifying authority (CA) was issued by a trusted CA or not, Site24x7 will try to access the end-user certificate and all intermediate certificates issued by CAs. If the SSL/TLS certificate chain is found to be invalid or broken, your certificate will be deemed untrusted and invalid. However, if a secure connection can be established, the certificate will then be deemed trusted and valid.
- Online Certificate Status Protocol (OCSP) checks: OCSP check facilitates easy validation of the revocation status of an SSL/TLS Certificate. Site24x7 queries the issuing certifying authority's OCSP server using the certificate's serial number and based on the response, detects whether a certificate is revoked or not.
- Blacklisted Checks: Site24x7 checks whether your SSL/TLS CA is blacklisted or not, by cross-checking with the available list of blacklisted CAs.
All the above checks except the OCSP check will be carried out automatically, by default. However, the OCSP check can be performed only when you enable Site24x7 to detect the SSL/TLS certificate chain.
- On-Call Schedule: The On-Call Schedule option helps you to ensure that the notifications are sent to assignees in specific shift hours, helping them to quickly respond to alerts or incidents. Choose an On-Call of your preference from the drop-down.
- Notification profile: Choose a notification profile from the drop-down or select the default profile available. Notification profile helps to configure when and who needs to be notified in case of downtime. In the Notification Profile form, you can only customize email templates for down/trouble alerting. Other parameters will be disabled, by default.
You can receive alerts if the monitors are associated to user groups irrespective of the On-Call shift you've configured.
- Third-Party Integration: Associate your monitor with a pre-configured third-party service. It lets you push your monitor alarms to selected services and facilitate improved incident management. If you haven't set up any integrations yet, navigate to "Admin > Third Party Integration" to create one. Tell me more.
- Click Save.
Once the monitor setup is completed, the Site24x7 deep discovery wizard scans your domain and auto-detects all related internet resources for your domain that can be added to your account for comprehensive internet services monitoring. Explore more about internet services deep discovery.
Learn more about the various performance metrics of the SSL/TLS Certificate Monitor. To understand the distinction between our various internet service monitoring capabilities, read more.
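
The certificate expiry threshold and SHA-1 Fingerprint checks configured in the steps above can be reproduced by hand to confirm what a monitor should report for a given host. The following Python sketch is an added example, not Site24x7 code; the function names, the finding strings and the sample values are assumptions made for illustration.

```python
import hashlib
import socket
import ssl
import time

# Constructed sample values, shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_CERT = {"notAfter": "Jun  1 12:00:00 2030 GMT"}
SAMPLE_DER = b"constructed bytes standing in for a DER certificate"

def fetch_certificate(host, port=443, force_ip=None, skip_hostname_check=False):
    """Handshake and return (getpeercert() dict, DER bytes) for the leaf.

    force_ip connects to that address while still sending `host` as SNI.
    The chain is always verified against the system trust store, so a
    self-signed or incomplete chain raises ssl.SSLCertVerificationError.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = not skip_hostname_check
    with socket.create_connection((force_ip or host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)

def sha1_fingerprint(der):
    """SHA-1 over the DER encoding, as colon-separated uppercase hex."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def _normalize(fingerprint):
    return fingerprint.replace(":", "").replace(" ", "").upper()

def evaluate(cert, der, expiry_threshold_days, expected_sha1=None, now=None):
    """Return a list of findings; an empty list means both checks passed."""
    now = time.time() if now is None else now
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    findings = []
    if days_left < 0:
        findings.append("certificate has expired")
    elif days_left <= expiry_threshold_days:
        findings.append(f"expires in {days_left} day(s), threshold {expiry_threshold_days}")
    if expected_sha1 and _normalize(expected_sha1) != _normalize(sha1_fingerprint(der)):
        findings.append("SHA-1 fingerprint differs from the expected value")
    return findings

if __name__ == "__main__":
    check_time = ssl.cert_time_to_seconds("May 12 12:00:00 2030 GMT")
    print(sha1_fingerprint(SAMPLE_DER))
    print(evaluate(SAMPLE_CERT, SAMPLE_DER, 30, now=check_time))
```

A legitimate renewal also changes the fingerprint, so the expected value has to be updated whenever the certificate is reissued.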