I want to use a sensor to monitor my SSL certificates so that it tells me when they are about to expire. Anyone know if this is possible?


Usage instructions/example

It's possible to monitor a certificate's expiration with the native/built-in SSL Certificate sensor. It monitors, among other things, the "Days to Expiration". If you wish to use this sensor, please proceed as follows:

  1. Create a new device with the FQDN of the host where the sensor is being used, for example www.paessler.com.
  2. After the device has been created, deploy an SSL Certificate sensor on the newly created device.
    1. When monitoring a regular HTTPS (443) website, use the default settings
    2. When monitoring a website that is hosted using Virtual Hosts, enter a Virtual Host (SNI Domain) in the sensor's settings, usually the same as the device's FQDN (in this case www.paessler.com)
    3. Press Continue to deploy the sensor
  3. The sensor should come up (green) after a couple of minutes. Once it does, confirm via the sensor's message that the correct certificate is being monitored. The message will look somewhat like this:
OK. Certificate Common Name: *.paessler.com - Certificate Thumbprint: 4F23ED83F2681EE442F8DE4521D80F5AF46B1F41

Important notes

  • Newly deployed sensors (as of PRTG version 17.4.35.3441) will have the following default limits for the certificate's expiration:
      Lower Warning Limit: 28 (days)
      Lower Error Limit: 7 (days)

If you want to be alerted earlier, please update the limits accordingly.

  • Sensors deployed prior to version 17.4.35 may not have any limits. Please double-check or re-deploy the sensors to have them created with limits.
  • While the sensor monitors port 443 by default, you can monitor the SSL Certificate of any reachable TCP socket that supports standard TLS/SSL.
  • Sockets/webservers that don't implement SNI may produce errors when specifying an SNI host. If unsure, leave the Virtual Host (SNI Domain) in the sensor's settings empty.
  • Consider using a slow scanning interval (for example, 12 hours): the certificate won't get any older more than once a day, so checking it every 30s will produce unnecessary network, PRTG and webserver load.
  • If you get errors due to the certificate's revocation check, please refer to:

More

We also have a KB-Post comparing the new SSL Certificate sensor with the old (and deprecated) HTTP SSL Certificate Expiry. Please check the post below for details:


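Added example (not part of the original answer and not Paessler's code): a stand-alone Python check for verifying by hand what the sensor reports. It connects with an optional SNI name, reads the certificate's Common Name and SHA-1 thumbprint (the 40-hex-digit form shown in the sensor message) and compares the days to expiration against the 28/7-day default limits quoted above. The function names, the status strings and the "below the limit trips it" comparison are assumptions.

```python
import hashlib
import socket
import ssl
from datetime import datetime, timezone

WARNING_DAYS = 28  # "Lower Warning Limit" default quoted in the answer
ERROR_DAYS = 7     # "Lower Error Limit" default quoted in the answer


def days_to_expiration(not_after, now=None):
    """Whole days left; not_after uses the ssl.getpeercert() 'notAfter' format."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - (now or datetime.now(timezone.utc))).days


def classify(days, warning=WARNING_DAYS, error=ERROR_DAYS):
    """Assumption: a value below a lower limit trips it. Status names are made up."""
    if days < error:
        return "error"
    return "warning" if days < warning else "ok"


def check_certificate(host, port=443, sni=None, timeout=10):
    """Read the certificate from host:port. sni=None sends no SNI extension,
    which suits servers that do not implement it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = sni is not None  # a name can only be matched if one is sent
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni) as tls:
                cert = tls.getpeercert()
                der = tls.getpeercert(binary_form=True)
    except ssl.SSLCertVerificationError as exc:
        # Already expired, untrusted or wrong-name certificates end up here.
        return {"status": "error", "message": exc.verify_message}
    days = days_to_expiration(cert["notAfter"])
    common_names = [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    return {
        "status": classify(days),
        "days": days,
        "common_name": common_names[0] if common_names else None,
        "thumbprint": hashlib.sha1(der).hexdigest().upper(),
    }


if __name__ == "__main__":
    print(check_certificate("www.paessler.com", sni="www.paessler.com"))
```

The port argument accepts any reachable TLS socket, not only 443, which mirrors the note about monitoring other TCP sockets.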