I manage IT for a company with about 3000 servers, both virtual and physical, that rely on SSL certificates issued by our internal PKI. These certificates have a one-year validity based on our guidelines. I'm looking for effective tools or methods to monitor these SSL certificates. What tools do you recommend or what practices do you use?
8 Answers
I've been experimenting with Certkit, which is working well for my needs. You can try it for free while they are still developing it. While it might be a bit more than you need for simple monitoring, it’s worth exploring, especially if you’re comfortable with self-hosted solutions.
It’s time to start planning ahead! Check out this article on how TLS certificate lifetimes will soon be cut down to 47 days. You definitely want to stay ahead of that change!
We’ve set up a system in ServiceNow that creates a ticket when certificates have 30 days until expiration. This ticket is sent to the appropriate person—usually me, unfortunately! We also use LogicMonitor as a backup to catch any certs that might slip through the cracks.
I rely on Netbox for data management and use Nagios for alerting. Nmap helps with the initial discovery of the certificates, which makes the monitoring process smoother.
Some people might laugh, but I just use an Excel spreadsheet to track all our certificates. It’s simple but effective for my needs.
For our hosted applications, I put together a simple PHP script that checks the validity of SSL certificates for every web address in our CRM. It sends out warnings five days before an auto-renewal expiration and one day before if the auto-renewal fails—helps keep the panic at bay!
Venafi TPP, now owned by Cyberarc, is a good option. It allows you to set up workflows for certificate approvals and renewals, and it can automatically discover existing certificates and handle installations of renewed certificates. Just a heads up: the interface can be a bit complex and tracking logs might be tricky. But when it's functioning well, it performs admirably.
We use PRTG as our main monitoring solution, which keeps an eye on certificate lifetimes. Zabbix can also handle similar monitoring. If you're looking for something specifically for SSL monitoring, check out SSLTrack on GitHub. Also, you might find some useful tips from homelab or self-hosting communities.
We’ve been using Venafi as well; it has some great features!