HTTPS certificate check: query and check issuing CA
I recognized that the HTTPS certificate check will be reconstructed with the next Checkmk releases.
Would it be possible to implement a consistency check / parameter
to prove the issuing CA?
Thus we would be able not only to check if the used certificate's validity period is still valid,
but also if the certificate has been issued by the right issuing CA that we would expect.
This would also help to identify self-signed certificates and also changes of the issuing CA.
Comments: 3
10 Jan, Marcel Arentz (Admin):
Hi,
thanks for being so attentive! This shows me that you are looking forward to our new version and appreciate our efforts to add the certificate check already before the first beta. :)
To answer your question: we are on the finishing line here and currently have an implementation to handle your use case. Actually, several implementations. Everything below is a moving target and not finalized:
* You will be able to allow self-signed certificates explicitly. The default is an error (as there is no issuer).
* You will be able to check for a specific issuer in a more or less detailed way, especially considering the latest MITM attacks.
Keep on tracking this new feature, as we will implement the ruleset in the next days.
20 Feb, Yggy:
Does the new SSL certificate check also have an option to check the FQDN / host the certificate is issued for, so that it turns into an error when it doesn't match the host or a defined expected text string?
Use case: monitoring a website, certificate renewal fails, website gets the default SSL certificate of the host where the website resides.
See forum: https://forum.checkmk.com/t/how-to-monitor-ssl-fqn-match/44299
21 Feb, Marcel Arentz:
Short answer: Yes
More details: You will be able to check for specific values in the certificate. Some of them are (in addition to those already mentioned above): subject CN (common name), certificate subject alternative name.
Please note that you may need to set two rules: one for the web service itself and another for checking details on the certificate. The new check_httpv2 will be able to check for the remaining validity time (as before) but not for more details.
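The checks discussed in this thread (expected issuing CA, self-signed detection, and a subject name / SAN match for the host) as an added example; it is not code from the original post and not Checkmk's own check_cert or check_httpv2 implementation. It is written in Go against the standard library only, so it runs offline: it constructs a root CA, a leaf issued by it, a leaf issued by a look-alike CA that reuses the expected issuer's CN under a different key, and a self-signed leaf (the "default certificate after a failed renewal" case from the thread), then evaluates each against a policy. CertPolicy, CheckCert, makeCert, Scenarios, the CN "Corp Issuing CA" and the host www.example.test are this example's own assumptions, not Checkmk rule parameters.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertPolicy is this example's (hypothetical) stand-in for the rule a monitoring check would carry.
type CertPolicy struct {
	ExpectedIssuerCN string         // issuer CN the certificate must carry ("" = don't care)
	TrustedRoots     *x509.CertPool // pinned CA certificates; nil = compare the issuer name only
	Hostname         string         // name the subjectAltName must cover ("" = don't care)
	AllowSelfSigned  bool           // explicit opt-in; self-signed certificates are flagged by default
}

// CheckCert evaluates one leaf certificate against pol at time now; an empty result means it passed.
func CheckCert(leaf *x509.Certificate, pol CertPolicy, now time.Time) []string {
	var problems []string
	// Self-signed: issuer DN equals subject DN and the signature verifies under the cert's own key.
	selfSigned := leaf.Issuer.String() == leaf.Subject.String() &&
		leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature) == nil
	if selfSigned && !pol.AllowSelfSigned {
		problems = append(problems, "self-signed certificate")
	}
	if pol.ExpectedIssuerCN != "" && leaf.Issuer.CommonName != pol.ExpectedIssuerCN {
		problems = append(problems, fmt.Sprintf("issuer CN %q, expected %q", leaf.Issuer.CommonName, pol.ExpectedIssuerCN))
	}
	// VerifyHostname matches subjectAltName entries only; Go no longer falls back to the CN.
	if pol.Hostname != "" {
		if err := leaf.VerifyHostname(pol.Hostname); err != nil {
			problems = append(problems, "hostname mismatch: "+err.Error())
		}
	}
	// An issuer name alone proves nothing (any CA can claim it); a pinned root plus chain verification does.
	if pol.TrustedRoots != nil {
		if _, err := leaf.Verify(x509.VerifyOptions{Roots: pol.TrustedRoots, CurrentTime: now}); err != nil {
			problems = append(problems, "chain verification failed: "+err.Error())
		}
	}
	return problems
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert builds a constructed CA (isCA) or server certificate for cn with a fresh key;
// with parent == nil it is self-signed, otherwise it is signed by parentKey under parent.
func makeCert(serial int64, cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour)}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Scenarios builds constructed in-memory fixtures (not real certificates) and maps each case to its problems.
func Scenarios() map[string][]string {
	now := time.Date(2024, 3, 1, 12, 0, 0, 0, time.UTC)
	root, rootKey := makeCert(1, "Corp Issuing CA", true, nil, nil, now)
	rogue, rogueKey := makeCert(2, "Corp Issuing CA", true, nil, nil, now) // look-alike CA, different key
	good, _ := makeCert(3, "www.example.test", false, root, rootKey, now)
	bad, _ := makeCert(4, "www.example.test", false, rogue, rogueKey, now)
	self, _ := makeCert(5, "www.example.test", false, nil, nil, now) // a server's default certificate
	roots := x509.NewCertPool()
	roots.AddCert(root)
	pinned := CertPolicy{ExpectedIssuerCN: "Corp Issuing CA", Hostname: "www.example.test", TrustedRoots: roots}
	nameOnly := CertPolicy{ExpectedIssuerCN: "Corp Issuing CA", Hostname: "www.example.test"}
	return map[string][]string{
		"good/pinned":        CheckCert(good, pinned, now),
		"rogue-ca/pinned":    CheckCert(bad, pinned, now),
		"rogue-ca/name-only": CheckCert(bad, nameOnly, now), // empty: the name comparison alone is fooled
		"self-signed/pinned": CheckCert(self, pinned, now),
	}
}

func main() {
	for name, problems := range Scenarios() {
		fmt.Printf("%-20s %v\n", name, problems)
	}
}
```

Run it with `go run`. The "rogue-ca/name-only" case is the caveat behind the MITM remark above: comparing the issuer CN does catch a renewal that silently switched CAs and does flag a self-signed default certificate, but a CA that copies the expected name passes, so a rule that wants to detect an interposed issuer has to pin the issuing CA's certificate and verify the chain, not just compare the name. Note also that VerifyHostname only consults the subjectAltName extension; browsers have ignored the subject CN for years, so a rule that matches the CN alone can pass a certificate every client rejects.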