# How to check and monitor SSL certificates expiration with Telegraf

If you develop or operate a website, an expired certificate can take your services down. This post shows how to monitor certificates such as SSL (X.509), JKS and P12 files using Telegraf.

Certificates are widely used for security: they protect both internal service-to-service traffic and public-facing services. The most common case is the TLS certificate that proves the identity of an HTTPS service. For security reasons a certificate is not valid forever; it expires. To avoid outages from expiry, we should rotate certificates periodically and, in the meantime, monitor them and alert if one has expired. Telegraf is a popular metric-collection tool that can implement this.

## Overview for certificate types

1. `.csr`
A Certificate Signing Request, used to request a certificate from a certificate authority.
2. `.pem`
A container format that may hold just the public certificate or an entire certificate chain including public key, private key and root certificates. Confusingly, it may also encode a CSR, because the PKCS#10 format can be written as PEM.
3. `.key`
A PEM-formatted file containing only the private key of a specific certificate. The extension is a convention, not a standard.
4. `.pkcs12`, `.pfx`, `.p12`
A password-protected container format that holds certificates together with their private keys. Unlike `.pem` files, this container is fully encrypted. OpenSSL can convert it into a `.pem` file containing both the certificate and the private key.
5. `.cert`, `.cer`, `.crt`
A `.pem` (or rarely `.der`) formatted file with a different extension, one that Windows Explorer recognizes as a certificate, which `.pem` is not.
6. `.jks`
A Java KeyStore (JKS) is a repository of security certificates, either authorization certificates or public key certificates, plus the corresponding private keys, used for instance for TLS.

## Check certificate expiry time

1. Check the JKS expiry time

2. Check the PKCS#12 expiry time

## Customize a Telegraf plugin

In this case we can use a bash script to collect the metric and print it as InfluxDB line protocol. This does not tie you to InfluxDB: any monitoring backend that Telegraf can write to, for example Prometheus, works.

Telegraf is a daemon that runs on servers and collects system metrics through a range of input plugins. `inputs.exec` is an input plugin that runs a specified script and treats the script's output as data points.

### Bash script to generate the metric

We can write a bash script that prints an InfluxDB line-protocol metric; the script uses openssl to parse the certificate.

1. A script to parse PKCS#12 files.

2. Another script to parse a JKS file.

3. X509 cert
Telegraf already ships an X509 Cert input plugin (`inputs.x509_cert`) that reads PEM certificate files and live TLS endpoints, so plain X.509 certificates need no custom script.
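The following script is an added example, not code from the original post. It serves both the manual checks above (reading the end date out of a JKS with `keytool` and out of a PKCS#12 with `openssl`) and the `inputs.exec` script: it prints one InfluxDB line-protocol point per keystore. The measurement name `cert_expiry`, the tag and field names, the `--emit` argument, and every path and password are assumptions chosen for this example; `date -d` is GNU date syntax. An empty end date is rejected explicitly because `date -d ""` silently returns today at midnight, which would make a failed `openssl` or `keytool` call look like a freshly issued certificate.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: report certificate expiry as
# InfluxDB line protocol for Telegraf's inputs.exec plugin.
# Assumptions: the measurement "cert_expiry", the tag/field names, the --emit
# argument and every file path and password below are placeholders.
set -euo pipefail

# Parse the date out of "openssl x509 -noout -enddate" output, which looks like
# (constructed sample) "notAfter=Jan 15 12:00:00 2030 GMT".
not_after_from_openssl() {
  sed -n '/^notAfter=/{s/^notAfter=//p;q;}'
}

# Parse every end date out of "keytool -list -v" output; each certificate prints
# a line like (constructed sample)
# "Valid from: Mon Jan 15 12:00:00 UTC 2024 until: Wed Jan 15 12:00:00 UTC 2030".
# A JKS can hold several entries and chains, so all "until:" values are emitted.
not_after_from_keytool() {
  sed -n 's/.*until: //p'
}

# Convert a human-readable date to Unix epoch seconds (GNU date syntax).
# An empty string is rejected: "date -d ''" silently returns today at midnight.
to_epoch() {
  if [ -z "${1:-}" ]; then
    echo "to_epoch: empty date (did openssl/keytool fail?)" >&2
    return 1
  fi
  date -u -d "$1" +%s
}

# Read epoch seconds from stdin (one per line) and print the smallest one, i.e.
# the certificate that expires first. Fails if nothing was read.
min_epoch() {
  min=""
  while IFS= read -r epoch; do
    if [ -n "$epoch" ] && { [ -z "$min" ] || [ "$epoch" -lt "$min" ]; }; then
      min=$epoch
    fi
  done
  [ -n "$min" ] || return 1
  printf '%s\n' "$min"
}

# Build one line-protocol point: measurement, tags, then fields.
# Args: name tag, source path tag, notAfter epoch, current epoch.
# expiry_seconds is an integer field (trailing "i"); it goes negative once expired.
line_protocol() {
  name="$1"; src="$2"; not_after="$3"; now="$4"
  remaining=$(( not_after - now ))
  expired=false
  if [ "$remaining" -le 0 ]; then expired=true; fi
  # Tag values must escape commas, spaces and "=" with a backslash.
  esc_src=$(printf '%s' "$src" | sed 's/[ ,=]/\\&/g')
  printf 'cert_expiry,name=%s,source=%s expiry_seconds=%di,expired=%s\n' \
    "$name" "$esc_src" "$remaining" "$expired"
}

# PKCS#12: export only the client certificate (no keys) and read its end date.
# Usage: pkcs12_expiry <name> <file.p12> <password>
pkcs12_expiry() {
  not_after=$(openssl pkcs12 -in "$2" -nokeys -clcerts -passin "pass:$3" \
    | openssl x509 -noout -enddate | not_after_from_openssl)
  line_protocol "$1" "$2" "$(to_epoch "$not_after")" "$(date -u +%s)"
}

# JKS: list the keystore with keytool and keep the earliest end date.
# LC_ALL=C pins keytool's date format so GNU date can parse it.
# Usage: jks_expiry <name> <file.jks> <storepass>
jks_expiry() {
  earliest=$(LC_ALL=C keytool -list -v -keystore "$2" -storepass "$3" \
    | not_after_from_keytool \
    | while IFS= read -r d; do to_epoch "$d"; done \
    | min_epoch)
  line_protocol "$1" "$2" "$earliest" "$(date -u +%s)"
}

# Entry point for Telegraf: one point per monitored store (paths/passwords assumed).
main() {
  pkcs12_expiry web   /etc/ssl/private/site.p12 changeit
  jks_expiry    kafka /opt/kafka/ssl/server.jks  changeit
}

# Only emit when asked ("cert_expiry.sh --emit"), so the functions can be sourced.
if [ "${1:-}" = "--emit" ]; then
  main
fi
```

Run it once by hand with `bash cert_expiry.sh --emit` to confirm the output parses, then point `inputs.exec` at the same command. Alert on `expiry_seconds` dropping below your rotation lead time rather than on `expired`, so the alert fires while there is still time to rotate.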

### Telegraf configuration

Put `jks_cert.conf` under Telegraf's configuration folder (typically `/etc/telegraf/telegraf.d/`), restart Telegraf, and the new input takes effect.
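The following is an added example, not configuration from the original post: it writes the `jks_cert.conf` described above, with an `inputs.exec` stanza for the expiry script and, for the X509 Cert plugin mentioned earlier, an `inputs.x509_cert` stanza for PEM files and live endpoints. The script path, the `--emit` argument, the hourly interval, the certificate sources and the config directory are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: generate the Telegraf config that
# runs the expiry script and, alongside it, the built-in x509_cert input.
# The script path, interval, certificate sources and output path are assumptions.
set -eu

# Write an inputs.exec stanza for the expiry script plus an inputs.x509_cert
# stanza for PEM files and live TLS endpoints.
# Usage: write_cert_inputs_conf <output .conf path> <expiry script path>
write_cert_inputs_conf() {
  outfile="$1"
  script="$2"
  cat > "$outfile" <<EOF
# Certificate expiry checks (example config).
[[inputs.exec]]
  ## The script prints one line-protocol point per keystore on stdout.
  commands = ["$script --emit"]
  ## Certificates change rarely; polling hourly keeps keytool/openssl load low.
  interval = "1h"
  ## Give openssl/keytool time to finish before Telegraf kills the command.
  timeout = "30s"
  ## Parse stdout as InfluxDB line protocol.
  data_format = "influx"

[[inputs.x509_cert]]
  ## Local PEM files and live endpoints (hostname is a placeholder).
  sources = ["/etc/ssl/certs/site.pem", "https://www.example.com:443"]
  interval = "1h"
EOF
}

# Install under telegraf.d, validate by running the inputs once, then restart.
# Commands are for a systemd host and need root; the paths are assumptions.
install_and_restart() {
  conf_dir="${1:-/etc/telegraf/telegraf.d}"
  write_cert_inputs_conf "$conf_dir/jks_cert.conf" /usr/local/bin/cert_expiry.sh
  # --test runs every input once and prints the points without sending them,
  # which catches a bad password or an unparsable date before it goes live.
  telegraf --config "$conf_dir/jks_cert.conf" --test
  systemctl restart telegraf
}
```

Keep the keystore passwords out of the Telegraf config itself: the script reads them, so restrict the script's file permissions to the user Telegraf runs as.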

### What’s next

Send the data Telegraf collects to a time-series database such as Prometheus, InfluxDB or Graphite, and visualize it with Grafana.