Performance Metrics - SSL/TLS Certificate Monitor
Interpret Metrics from SSL/TLS Certificate Monitor
SSL/TLS certificates are an essential part of server security, as they help protect the data that is passed to and from other servers. Site24x7's SSL/TLS certificate monitoring continuously performs multiple checks: it alerts you in advance about the expiry of your domain's SSL/TLS certificate, notifies you of any certificate revocation, runs a SHA-1 fingerprint check to detect certificate tampering, and detects any blacklisted certifying authority. You can also identify untrusted certificates and gather more insight about them. This way, you can promote your site's trustworthiness and be sure of providing a secure environment for your website visitors.
The main dashboard has a custom status banner, which identifies the various configured monitors by grouping them based on their operational status and state. You can also view the number of operational monitors and the alert credits remaining in your account. By clicking the "+ Buy More" button, you can purchase additional monitors and alert credits. You can share the monitor details via email. Email can be sent only to verified users who have agreed to receive emails from Site24x7.
Navigate to the Status dashboard and click an SSL/TLS Certificate monitor listed there to get a detailed report on the various statuses of your SSL/TLS certificate. SSL host details such as Display Name, Host Name and associated Port are also listed here. You can use the hamburger icon to perform actions like:
- Edit the monitor
- Suspend the monitor
- Poll the monitor instantly
- Send the performance report as an email or export it as a PDF
- Schedule a maintenance
- Make the monitor reports public with a status page
The monitor details page is further split into three dashboards: Summary, Outages and Inventory dashboard.
Summary Dashboard
The Summary dashboard gives you insight into the critical metrics of an SSL/TLS certificate. The monitor availability status, the certificate's trustworthiness, blacklist check results and the certificate's remaining valid days are displayed on the top band. You can customize these reports by choosing a time range from the last 24 hours up to a year back.
The following results from the monitoring checks decide an SSL/TLS monitor's operational status:
Monitor Status | Status Icon | Conditions Affecting Monitor Status
UP | |
TROUBLE | |
DOWN | |
CONFIGURATION ERROR | |
The Summary page will show a chain of certificates from top to bottom starting from the end-user certificate to all intermediate certificates for a given SSL host. Each of these certificates will also list the SHA-1 fingerprint for that certificate. For each certificate, you can also view the following details:
Issued By
Lists the Common Name (CN), Organization (O) and Organizational Unit (OU) of the Certifying Authority that issued the SSL/TLS certificate.
Issued To
Lists the details of the organization to which the SSL/TLS certificate has been issued: Common Name (CN), Organization (O) and Organizational Unit (OU).
Validity
Lists the following details about the SSL/TLS certificate: Issued Date, Expiry Date and Days to Expire.
Monitor summary dashboards for the various monitor conditions:
Fig.2: Monitor is Down (Certificate Revoked)
Fig.3: Monitor is Down (Certificate Blacklisted)
Fig.4: Monitor is Down (Certificate Expired)
Fig.5: Monitor in Trouble (SHA-1 Fingerprint check failed)
The SHA-1 fingerprint is computed from the certificate content and is used to validate the certificate's authenticity. Even a minor change in the certificate results in a different SHA-1 fingerprint and points to a tampered certificate. The monitor is shown in the Trouble state when a SHA-1 fingerprint check fails. Whenever your SSL certificate is replaced, a Trouble alert is therefore triggered automatically, because the SHA-1 fingerprint of the server certificate no longer matches the one polled a day before. The Trouble status is automatically reset to UP during the next day's poll, unless the certificate is changed again in between.
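The fingerprint comparison described above, written out as an added example (not Site24x7's code): the fingerprint is the SHA-1 digest of the DER-encoded certificate in colon-separated form, a changed certificate yields one TROUBLE poll, and the next unchanged poll resets the state to UP. The DER blobs are constructed placeholders, not real certificates.

```python
import hashlib


def sha1_fingerprint(der_cert: bytes) -> str:
    """SHA-1 fingerprint of a DER-encoded certificate, in the colon-separated
    upper-case form shown on the Summary page (e.g. "A9:99:3E:...")."""
    digest = hashlib.sha1(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class FingerprintCheck:
    """Models the daily fingerprint check: the served certificate is compared
    with the one seen on the previous poll. A mismatch gives TROUBLE for that
    poll; the following poll is UP again unless the certificate changed again."""

    def __init__(self) -> None:
        self.last_fingerprint = None  # no baseline before the first poll

    def poll(self, der_cert: bytes) -> str:
        current = sha1_fingerprint(der_cert)
        previous, self.last_fingerprint = self.last_fingerprint, current
        if previous is not None and previous != current:
            return "TROUBLE"  # certificate replaced (or tampered) since last poll
        return "UP"


if __name__ == "__main__":
    # Constructed placeholder bytes standing in for two DER certificates.
    old_cert = b"constructed-der-bytes-of-old-certificate"
    new_cert = b"constructed-der-bytes-of-new-certificate"
    check = FingerprintCheck()
    # Expected sequence: UP, UP, TROUBLE (rotation detected), UP (auto-reset).
    for cert in (old_cert, old_cert, new_cert, new_cert):
        print(check.poll(cert), sha1_fingerprint(cert))
```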
Fig.6: Monitor is Down (SSL/TLS Certificate Untrusted)
Whenever the trust check fails for an SSL/TLS certificate, it may be due to several reasons, such as:
- Intermediate Certificate Chain Incorrect
- Intermediate Certificate missing in Certificate Chain
- Self-signed Certificates
Site24x7 can clearly identify the exact reason for the certificate's untrustworthiness.
Grades
The SSL certificate grade is calculated from the supported protocols, the supported ciphers and their bit lengths, the certificate key exchange size, and certificate vulnerabilities. We support the following grades based on these properties.
The grades and their score ranges are listed in the table below:
Grades | Values
A+ | 90 and above
A | 80 to 90
B+ | 75 to 80
B | 65 to 75
C | 50 to 65
D | 35 to 50
E | 20 to 35
F | Below 20
SSL/TLS Certificate Untrusted: Intermediate Certificate Chain is Incorrect
In the example below, the SSL/TLS certificate chain does not show the correct linear order in which the certificates were issued by the Certifying Authorities. The correct certificate chain should have been:
Server Certificate > Certificate Chain #3 > Certificate Chain #2 > Certificate Chain #1
SSL/TLS Certificate Untrusted: Intermediate Certificates Missing in the Certificate Chain
In the example below, the trust check failure is due to missing certificates in the SSL/TLS certificate chain presented during the SSL handshake with the customer's website. Here, the server certificate has been issued by the Certifying Authority "Let's Encrypt Authority X3". Site24x7 has noticed that "Let's Encrypt Authority X3" was itself issued by another Certifying Authority and is not the root certification authority.
How to fix this issue?
You must combine all the intermediate certificate(s) received from the Certification Authority (CA) with your server certificate, in the proper hierarchical order, and bundle them together into a single certificate file. This bundle must then be installed on the server's load balancer.
SSL/TLS Certificate Untrusted: Self-signed Certificates
Here, the trust check failure has occurred because the server certificate is self-signed. This can be identified from the fact that the certificate was issued by and to AwesomeSSL, which makes the certificate invalid.
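The three trust-failure reasons above (incorrect chain order, missing intermediate, self-signed) distinguished in code, as an added example that is not Site24x7's implementation. Certificates are reduced to subject and issuer Common Names; the trust store `TRUSTED_ROOTS` and the CA names are constructed for the example, except "Let's Encrypt Authority X3" and AwesomeSSL, which are the names used in the page's own illustrations.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str  # Common Name (CN) the certificate is issued to
    issuer: str   # Common Name (CN) of the Certifying Authority that issued it


# Constructed trust store for the example: root CAs accepted as trust anchors.
TRUSTED_ROOTS = {"Example Root CA"}

TRUSTED = "Trusted"
CHAIN_INCORRECT = "Intermediate Certificate Chain Incorrect"
CHAIN_MISSING = "Intermediate Certificate missing in Certificate Chain"
SELF_SIGNED = "Self-signed Certificates"


def trust_check(chain, roots=TRUSTED_ROOTS):
    """Walk the presented chain (server certificate first) and report either
    TRUSTED or the reason the Summary page would give for an untrusted chain."""
    if not chain:
        return CHAIN_MISSING
    server = chain[0]
    if server.subject == server.issuer and server.subject not in roots:
        return SELF_SIGNED
    presented = {c.subject for c in chain}
    for i, cert in enumerate(chain):
        if cert.issuer in roots or cert.subject in roots:
            return TRUSTED  # chain reaches a trusted anchor (root need not be sent)
        nxt = chain[i + 1] if i + 1 < len(chain) else None
        if nxt is not None and nxt.subject == cert.issuer:
            continue  # correct linear link: the next certificate is the issuer
        if cert.issuer in presented:
            return CHAIN_INCORRECT  # issuer was sent, but not in the next position
        return CHAIN_MISSING  # issuer neither sent nor a trusted root
    return CHAIN_MISSING  # not reached for a non-empty chain


# Constructed chains mirroring the page's examples.
SERVER = Cert("www.example.test", "Example Intermediate CA 2")
CA2 = Cert("Example Intermediate CA 2", "Example Intermediate CA 1")
CA1 = Cert("Example Intermediate CA 1", "Example Root CA")
CORRECT_CHAIN = [SERVER, CA2, CA1]
WRONG_ORDER_CHAIN = [SERVER, CA1, CA2]
MISSING_CHAIN = [Cert("www.example.test", "Let's Encrypt Authority X3")]
SELF_SIGNED_CHAIN = [Cert("AwesomeSSL", "AwesomeSSL")]

if __name__ == "__main__":
    for chain in (CORRECT_CHAIN, WRONG_ORDER_CHAIN, MISSING_CHAIN, SELF_SIGNED_CHAIN):
        print(trust_check(chain))
```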
Outages
You can access the Outages tab on your monitor's details page to gather detailed insights into the various outages and maintenance downtimes. It provides sufficient information to troubleshoot issues. You can also access the root cause analysis reports for your outages. On clicking the icon of a listed outage or maintenance, you are shown the options to:
- Mark as Maintenance: Mark an outage as Maintenance
- Mark as Downtime: Mark a Maintenance as Downtime
- Edit Comments: Add/Edit Comments
- Delete: Delete an Outage/Maintenance permanently
Inventory Dashboard
This dashboard captures the basic monitor inventory details such as the host details and the monitor configuration settings, including polling locations, licensing, monitor creation time, last modified time, and threshold settings. Monitor status messages are automatically logged as notes. Any user comment is also displayed in the notes section.
Vulnerability Status
End-server vulnerabilities are caused by improper SSL protocol configuration on a domain server. You can check the Vulnerability Status of your SSL certificates as follows:
- Log in to Site24x7.
- Navigate to Web > SSL / TLS Certificate.
- Choose the SSL certificate monitor of your choice and go to the Vulnerability Status section. There you can view all the vulnerabilities and their associated status.
Protocols and Ciphers
A protocol is a set of rules for the transmission and reception of data.
A cipher is an algorithm for encrypting and decrypting data. Ciphers enable private communication in various networking protocols, including the Transport Layer Security (TLS) protocol and others that encrypt network traffic. A cipher applies a fixed set of rules to transform plain text (the message) into cipher text, a string of characters that appears random.
To view the ciphers, protocols, and their status:
1. Log in to Site24x7.
2. Navigate to Web > SSL/TLS Certificate.
3. Choose the SSL/TLS certificate monitor of your choice and go to the Protocols and Ciphers section.
Learn more: Setting up an SSL/TLS Certificate