How to check and monitor SSL certificates expiration with Telegraf
Posted Updated operation6 minutes read (About 899 words)

How to check and monitor SSL certificates expiration with Telegraf

As a developer or operator of a Website, the certificate expiration could happen and make the services not work. I’ll introduce how to monitor certificates like SSL,JKS,P12 using Telegraf.

Certificates are broadly used for security reasons, they can be used within internal service or public service communication. The most common certificate is TLS used for verifying the identity of the HTTPS service. To increase security, the certificate will not be always valid because of expiration. To prevent the certificate expiry, we should rotate them periodically and meanwhile monitor them and alert if expired. Telegraf is a popular metric collecting tool to implement this.

Overview for certificate types

  1. .csr
    Certificate Signing Request used to request a certificate from the certificate authority.
  2. .pem
    This is a container format that may include just the public certificate or may include an entire certificate chain including public key, private key, and root certificates. Confusingly, it may also encode a CSR (e.g. as used here) as the PKCS10 format can be translated into PEM.
  3. .key
    This is a PEM formatted file containing just the private-key of a specific certificate and is merely a conventional name and not a standardized one.
  4. .pkcs12 .pfx .p12
    This is a passworded container format that contains both public and private certificate pairs. Unlike .pem files, this container is fully encrypted. Openssl can turn this into a .pem file with both public and private keys.
  5. .cert .cer .crt
    A .pem (or rarely .der) formatted file with a different extension, one that is recognized by Windows Explorer as a certificate, which .pem is not.
  6. .jks
    A Java KeyStore (JKS) is a repository of security certificates – either authorization certificates or public key certificates – plus corresponding private keys, used for instance in SSL encryption.

Check certificate expiry time

  1. check the JKS expiry time

    check_jks.sh
    1
    2
    # to check keystore.jks expiry time
    keytool -list -v -keystore keystore.jks -storepass "pass" | grep until

  2. check the PKCS#12 expiry time

    check_p12.sh
    1
    2
    # to check certicate.p12 expiry time
    openssl pkcs12 -in certicate.p12 -nokeys | openssl x509 -noout -enddate

Customize telegraf plugin

In this case, we can use a bash script to collect the metrics and output it as influxDB line protocol, it does not need you to use influxDB, you can use any kind of monitoring backend that can read from telegraf, for example, Prometheus.

Telegraf is a daemon that can be running on servers to collect system metrics, it supports multiple input plugins to collect metrics. intput.exec is an input plugin which will run the specified script, the output of the script will be treated as a data point.

Bash script to generate the metric

We can write a bash script to generate an influxDB line formatted metric, the script will use openssl to resolve the certificate.

  1. This is a script used to resolve PKCS#12 files.

    generate_p12_metric.sh
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    #!/bin/bash

    FILE_PATH="path-to-pkcs#12-cert"
    P12_UNTIL=$(openssl pkcs12 -in $FILE_PATH -nokeys 2>/dev/null | openssl x509 -text -noout 2>/dev/null | grep After | sed 's/.*After : //' )

    # return 1 year when there's no existing file
    if [ -z "$P12_UNTIL" ]
    then
        echo "$((360*24*60*60))"
        exit 0
    fi

    P12_UNTIL_EPOCH=$(date +%s --date="$P12_UNTIL")
    NOW_EPOCH=$(date +%s)

    echo "pkcs12_cert,source=$FILE_PATH expiry=$(($P12_UNTIL_EPOCH-$NOW_EPOCH)) ${NOW_EPOCH}000000000"

  2. Another script to resolve the JKS file

    generate_jks_metric.sh
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    FILE_PATH="path-to-jks-cert"
    KEYSTORE_UNTIL=$(echo 'dummydummy' | keytool -list -v -keystore $FILE_PATH 2>/dev/null | grep -i Until  | sed 's/.*until: //')

    # This may be caused by unexistent file, return 1 year to skip checking.
    if [ -z "$KEYSTORE_UNTIL" ]
    then
        echo "$((360*24*60*60))"
        exit 0
    fi

    KEYSTORE_UNTIL_EPOCH=$(date +%s --date="$KEYSTORE_UNTIL")
    NOW_EPOCH=$(date +%s)

    echo "jks_cert,source=$FILE_PATH expiry=$(($KEYSTORE_UNTIL_EPOCH-$NOW_EPOCH)) ${NOW_EPOCH}000000000"

  3. X509 Cert
    There’s an X509 Cert Input Plugin already there.

Telegraf configuration

Put the jks_cert.conf under the telegraf’s configuration folder, restart telegraf and it will take effect.

jks_cert.conf
1
2
3
4
[[inputs.exec]]
  commands = [ "/usr/local/bin/jks_certificate_metric.sh" ]

  data_format = "influx"

What’s next

Connect the data Telegraf collected to Time series database like Prometheus, InfluxDB, Graphite, and show them with Grafana.

Reference

  1. What is a pem file and how does it differ from other OpenSSL generated key files?
  2. OpenSSL check p12 expiration date
  3. What is a PEM file and how does it differ from other OpenSSL generated key file
  4. pkcs#12
  5. OpenSSL essentials
  6. Java keytool essentials
  7. Java KeyStore
#

Like this article? Support the author with

Comments

Your browser is out-of-date!

Update your browser to view this website correctly.&npsb;Update my browser now

×

×