There is no rest for the webmaster. There is always something to do to keep websites healthy and running in optimal condition.
For example, monitoring the SSL certificates to check that they are valid, correctly installed and not about to expire.
X.509 public key certificates, or, as we all call them, SSL/TLS certificates, have an expiration date. After that date the websites or applications they were issued to do not stop serving data, but the browsers and other clients connecting to them stop trusting the connection: an expired certificate fails validation, so visitors see a security warning and many clients refuse to connect at all. (The transport is TLS these days; Secure Sockets Layer, or SSL for short, is the obsolete predecessor whose name has stuck.) Therefore, as a webmaster, you need to be sure that your certificates don’t expire. That can be a tedious task if you have many sites or web applications to maintain, so it is a good idea to have someone (or something) check the expiration dates for you and warn you when those dates approach.
You may think that you’re not that lazy. I mean, if you have a whiteboard hanging on your office’s wall, you may just jot down the expiration dates with a red marker and add a couple of exclamation marks when the time to renew the certificates approaches, right?
Well, the thing is, there is more to certificate monitoring than just a periodic check of the expiration dates. There are more certificates than you may think (not just the one you bought for your site: every intermediate in the chain counts too), and it is not just the expiration date that needs to be checked, because a certificate can be revoked without you noticing. Besides, browsers will block your site if the certificate is no longer acceptable to them (an old SHA-1 signature, a distrusted root), or if the certificate being served is not the one you installed, which can be a sign that the server was tampered with.
So let’s take a look at all the things related to certificate monitoring.
Introducing the chain of trust
To be trusted, an SSL certificate needs to be traceable back to the trusted root under which it was signed. That is to say, it has to be linked to a trusted certificate authority (CA) through a chain of trust. The chain of trust is composed of three parts: the root certificate, the intermediate certificates, and the server certificate.
* The root certificate belongs to a CA. It is self-signed, so it cannot be validated against anything else; it is trusted because operating systems and browsers ship it in their trust stores. The CA keeps the matching private key offline and uses it as rarely as possible.
* The intermediate certificates sit between the root certificate and the server certificate, acting as middlemen between them. A chain can contain several intermediates; public CAs issue from at least one rather than from the root directly, precisely so that the root key can stay offline.
* The server certificate (the leaf) is issued for the specific hostname(s) it protects and is the one your server presents to clients.
When you buy an SSL certificate, you also get a bundle containing the intermediate certificate(s) that link it to the root. When someone visits your website, your server sends its certificate together with those intermediates in the TLS handshake, and the visitor’s browser follows the chain back to a root in its own trust store. If the browser can’t complete the chain, it will warn the user about a possible security threat.
Your certificate’s chain of trust can cause errors if something has not been correctly configured. Common problems include that the certificate wasn’t issued by a trusted CA, that the intermediate certificates aren’t installed on the server (so only the leaf is sent; some browsers paper over this by fetching the missing intermediate themselves, but other clients do not), or that the server is not correctly configured with your SSL certificate, for instance serving one issued for a different hostname. These are some of the issues that certificate monitoring tools can check for you.
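To see the "intermediate not installed" failure for yourself, here is an added example (not code from the article or from any of the tools it reviews) that builds a throwaway three-level PKI with openssl and then validates the leaf certificate with and without the intermediate. The names used (Example Root, Example Intermediate, www.example.test) are made up for the demo; the root certificate file plays the role of the browser's trust store and the intermediates play the role of what the server sends in the handshake.

```sh
#!/bin/sh
# Added example, not from the original article or from any monitoring tool.
# Builds root -> intermediate -> leaf with openssl, then runs path validation
# the way a browser would. All subject names are made up for this demo.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# newcsr NAME SUBJECT_CN: fresh RSA key and CSR, written to NAME.key / NAME.csr
newcsr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# 1. Root CA, self-signed. Only root.crt would ever be distributed (to trust
#    stores); root.key is what a real CA keeps offline.
newcsr root "Example Root"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
  -extfile ca.ext -out root.crt 2>/dev/null

# 2. Intermediate CA, signed by the root (same CA extensions).
newcsr int "Example Intermediate"
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile ca.ext -out int.crt 2>/dev/null

# 3. Server (leaf) certificate for one hostname, signed by the intermediate.
newcsr leaf "www.example.test"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\nextendedKeyUsage=serverAuth\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -days 90 -sha256 -extfile leaf.ext -out leaf.crt 2>/dev/null

# verify_chain ROOT LEAF [INTERMEDIATE ...]
# Returns 0 when LEAF chains up to ROOT through the given intermediates,
# non-zero otherwise. ROOT is the only trust anchor; intermediates are
# supplied as -untrusted, exactly as a server-sent chain is treated.
verify_chain() {
  root=$1; leaf=$2; shift 2
  untrusted=""
  for f in "$@"; do untrusted="$untrusted -untrusted $f"; done
  # $untrusted is intentionally left unquoted so it splits into arguments
  openssl verify -CAfile "$root" $untrusted "$leaf" >/dev/null 2>&1
}

# Demo: the leaf on its own cannot be validated (openssl reports
# "unable to get local issuer certificate"); leaf plus intermediate can.
if verify_chain root.crt leaf.crt; then
  echo "leaf only:           OK"
else
  echo "leaf only:           FAIL (intermediate missing)"
fi
if verify_chain root.crt leaf.crt int.crt; then
  echo "leaf + intermediate: OK"
else
  echo "leaf + intermediate: FAIL"
fi

# Against a live server the equivalent check is to capture what it really sends:
#   openssl s_client -connect www.example.test:443 -servername www.example.test -showcerts </dev/null
# If only one certificate comes back, the intermediate is not installed.
```

The second `openssl verify` call succeeds only because `int.crt` is offered as `-untrusted`; copying the intermediate into the `-CAfile` instead would hide the misconfiguration, which is the same mistake as relying on a browser that happens to have that intermediate cached.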
Below we list some of the most popular certificate monitoring tools that could free you from the task of monitoring your SSL/TLS certificates.
Oh Dear! does more than just monitor your domain certificate.
It performs a complete validation of your certificates’ chain of trust, checking all your intermediate certificates. If it detects a change in any of the certificates, it presents a clean report comparing the before and after situation, so you can see whether anything changed for any of the covered domains. This service also looks for old SHA-1 signatures and for revoked or distrusted root certificates, all of which can cause a site to become unavailable.
SSL certificate monitoring is just one of the many options that Sucuri offers within its suite of services for scanning websites to detect possible malware problems.
When the service detects that changes were made to your website’s SSL certificate, it will immediately send you an alert so you can take the necessary actions. Sucuri’s complete malware detection service is fee-based, with plans starting at $199.99 per year.
Besides SSL certificates, it also scans for malware, SEO spam, blacklist status, DNS, and uptime monitoring.
Ashish Kumar offers a certificate expiry alert service for free, just because he wants to contribute to making the Web more secure and also to publicize his soon-to-be-released product HTTPS Cop, a complete set of tools to check all types of problems with a website’s SSL certificates.
Even though the full product is not yet released, the alert service is fully operational. You just have to type in your website’s URL, your email address, and you will begin getting notified two weeks before your certificates expire. You can add as many sites as you want to be monitored.
Through its SSL certificate monitoring service, RapidSpike keeps you notified of all important information regarding your SSL certificates. Once you configure the service, RapidSpike will regularly check the expiry date of each of your certificates. Thirty days before that date, the service will begin notifying you through your preferred method, first weekly and then daily, to make sure you don’t forget. Once you renew your certificates, the notifications will stop until the new expiry dates approach.
RapidSpike also monitors other important information associated with the certificates, adding an additional layer of security to your website. The Certificate Monitor can be enabled through the web user interface for any domain covered by RapidSpike’s website monitoring service, whose basic plan costs £40 per month.
Keychest’s business is all about digital certificates. Its service offers weekly email reports and dashboard summaries for all your certificates, with ongoing discovery of new certificates thanks to its global database. It also offers renewal automation with third-party CAs and Let’s Encrypt management for businesses.
With Keychest, you can also purchase certificates, with a unique 4-step purchasing process with price calculation. The purchase includes CSR generation and download for Linux and Windows, and full automation of renewals.
Updown offers a simple and inexpensive website monitoring service, including SSL testing. Once you set up the service, you will begin receiving alerts in case of invalid or expiring certificates. Updown charges only for what you use, with no need to pay fixed monthly or yearly fees.
You buy credits and set up a monitor that operates until it consumes the credit. As an example, if you want to check two websites every minute, it will cost you about €1.17 a month. The alerting systems covered include SMS, Webhook, Zapier, Telegram, and Slack.
CertsMonitor offers to catch the problems with your certificates before they begin issuing embarrassing “insecure connection” warnings to your visitors. The service includes keeping tabs on your Let’s Encrypt renewal cron job, flagging errors before the certificates expire, and seeing at a glance whether your domain certificate is revoked or not configured properly.
You can receive reminders by email or through Slack. The service is free for monitoring up to 2 domains and costs $29 per year for up to 30 domains.
Certificate Expiry Monitor
Certificate Expiry Monitor is an open-source utility that exposes the expiry date of TLS certificates as Prometheus metrics, for those who prefer to build their own tooling. It can be run as a Docker image or deployed on a Kubernetes cluster.
The project includes abundant documentation to access a Prometheus endpoint for monitoring, to do a simple health check, and to access many gauges and counters that show the certificates’ vital statistics.
Whenever your certificates need renewal or aren’t working, Let’s Monitor will alert you for free. The service can send notifications to multiple contacts within a team through email messages or SMS. It also monitors uptime and performance, to ensure the websites stay responsive and their data stays encrypted. To ensure worldwide access to your secured site, Let’s Monitor uses globally distributed servers.
Additionally, Let’s Monitor offers other advanced monitoring services, such as performance, availability, threats, and connectivity, among others. To get started with all these services, you just need to register with an email address and a password.
TrackSSL is a web service that regularly checks your SSL certificates for common errors. To begin using it, you just need to create an account and add your certificates through the web interface. You will receive email notifications when the service detects problems with the certificates, such as pending expiry or misconfigured hosts.
TrackSSL will ensure that infrastructure changes don’t affect your certificates, sending you notifications whenever a change is detected. You can configure the notifications according to your needs, with the possibility of integrating with Slack and getting notifications into your #devops channel. Pricing plans start at $12 per year, to cover up to 20 domains.
SSL Certificate Expiration Checker
ssl-cert-check is a free and open-source shell script that can be run from cron to report on expiring SSL certificates. It can send a warning by email or raise alerts through Nagios. The utility comes with several options that can be listed with the “-h” option.
If you manage numerous certificates on a web server, SSL-cert-check can be used to print the expiration date for each of them. If you don’t have local access to the certificate files, you can use the utility’s network connectivity option to extract the certificates’ expiration dates from a live server.
In case you need to monitor a lot of servers, you can place their names and port numbers in a file and then run SSL-cert-check against that file.
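The primitive such scripts wrap is `openssl x509 -checkend`, which exits non-zero when a certificate will expire within a given number of seconds. The following added example (not ssl-cert-check itself, and not from the article) is a minimal cron-style checker built on it: a status function for a PEM file, a fetcher that pulls the leaf certificate from a live server with SNI set, and a loop over a "host port" list file in the spirit of ssl-cert-check's file mode. The 30-day threshold, the list format and the demo certificate are illustrative choices made for this example.

```sh
#!/bin/sh
# Added example, not the ssl-cert-check script and not from the original article.
# Threshold, host-list format and the demo certificate are illustrative.
set -eu

WARN_DAYS=${WARN_DAYS:-30}   # start warning this many days before notAfter

# cert_status PEMFILE DAYS
# Prints "EXPIRED <notAfter>", "EXPIRING <notAfter>" or "OK <notAfter>".
# `openssl x509 -checkend N` exits 0 only if the cert is still valid N seconds
# from now, so checkend 0 detects "already expired".
cert_status() {
  pem=$1; days=$2
  notafter=$(openssl x509 -in "$pem" -noout -enddate | sed 's/^notAfter=//')
  if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
    echo "EXPIRED $notafter"
  elif ! openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null; then
    echo "EXPIRING $notafter"
  else
    echo "OK $notafter"
  fi
}

# remote_cert HOST PORT OUTFILE
# Saves the leaf certificate a live server presents (needs network access).
# -servername sets SNI; without it a virtual host may return its default
# certificate and you would be checking the wrong one.
remote_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -out "$3" 2>/dev/null
}

# check_hosts LISTFILE
# LISTFILE holds one "host port" per line; blank lines and # comments are
# ignored and a missing port defaults to 443. Prints one status line per host.
check_hosts() {
  tmp=$(mktemp)
  while read -r host port; do
    case ${host:-#} in \#*) continue ;; esac
    port=${port:-443}
    if remote_cert "$host" "$port" "$tmp"; then
      echo "$host:$port $(cert_status "$tmp" "$WARN_DAYS")"
    else
      echo "$host:$port UNREACHABLE"
    fi
  done < "$1"
  rm -f "$tmp"
}

# Offline demo: a self-signed certificate that is valid for only 10 more days,
# so it trips a 30-day threshold but not a 5-day one.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 10 -subj "/CN=demo.example.test" \
  -keyout "$WORK/demo.key" -out "$WORK/demo.crt" 2>/dev/null
echo "30-day threshold: $(cert_status "$WORK/demo.crt" 30)"
echo " 5-day threshold: $(cert_status "$WORK/demo.crt" 5)"

# With a host list, e.g. from cron every morning:
#   0 7 * * * /path/to/certcheck.sh hosts.txt | mail -s "certificate status" you@example.test
if [ $# -gt 0 ]; then check_hosts "$1"; fi
```

Because `-checkend` compares against the certificate's own notAfter, the check is the same whether the PEM came from a local file or from `openssl s_client`; the only network-dependent part is fetching it, which is why the demo asserts on a locally generated certificate.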
If you don’t catch expired certificates early enough, the consequences could be really painful. The tools reviewed here offer notification features that can help you avoid problems, giving you peace of mind and freeing you from all the concerns associated with your website certificates.