Monitoring a Certificate Authority
Hello,
I hope you all are well.
Trying to find out if we can monitor a certificate authority in a way that XI could read/view all of the individual certificates to check things like expiration date, etc?
We're potentially beginning quite a large project related to XI in that we are going to monitor all of our major certificates. The initial list I received has 200+ certs in it, and if there's a way not to have to create every one of those cert checks individually, that would be awesome!
Thank you.
Re: Monitoring a Certificate Authority
Nagios XI does not currently have a way to monitor a certificate authority out of the box. However, there are several plugins on the Exchange that offer this feature.
You could monitor a single certificate using the following plugins.
check_ssl_cert
check_ssl_certificate
For more information, you may also find the following article helpful.
linuxincluded.com
What form did you receive the list of certificates in? I have seen people try to set up monitoring for multiple certificates (using check_csl I think) with varied success. You may have to do some coding to automate the configuration of monitoring several certificates at once.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Be sure to check out our Knowledgebase for helpful articles and solutions!
Re: Monitoring a Certificate Authority
Is this request possible?
-
scottwilkerson
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
- Contact:
Re: Monitoring a Certificate Authority
rferebee wrote:
> Is this request possible?
I do not know of any way to monitor all the certificates held at a CA. It may be possible, but I do not know the way.
Re: Monitoring a Certificate Authority
Great, thanks so much for the replies. I found something on the Exchange that I think might do what I need:
https://exchange.nagios.org/directory/P ... os/details
Also, sorry for asking the same question twice in my own thread. For some reason the reply from @jbrunkow wasn't showing up until @scottwilkerson replied.
scottwilkerson
Re: Monitoring a Certificate Authority
rferebee wrote:
> Great, thanks so much for the replies. I found something on the Exchange that I think might do what I need:
> https://exchange.nagios.org/directory/P ... os/details
> Also, sorry for asking the same question twice in my own thread. For some reason the reply from @jbrunkow wasn't showing up until @scottwilkerson replied.
Good luck, hopefully that will meet your needs!
Re: Monitoring a Certificate Authority
Would it be possible to get some hands on assistance with troubleshooting the configuration of the solution I found on the Exchange?
I have it set up and it seems to sort of work, but I'm seeing errors. I think perhaps I don't have the ini file set up correctly. I had similar issues with the IIS App Pool monitoring you folks helped me with a few months ago.
This is what I'm seeing:
Code:
[[email protected] ~]$ /usr/local/nagios/libexec/check_nrpe -H xxx.xxx.xxx.xxx -u -t 90 -c PSCheckCertificate
Import-Module : The specified module
'scripts\CertificateHealth\CertificateHealth.psm1' was not loaded because no
valid module file was found in any module directory.
At line:1 char:1
+ Import-Module scripts\CertificateHealth\CertificateHealth.psm1 ; Get- ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (scripts\Certifi...cateHeal
th.psm1:String) [Import-Module], FileNotFoundException
+ FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Comm
ands.ImportModuleCommand
Critical Certificate found:
CN=hybrid.xx.xx, OU=Hosted by Secure Sockets Laboratories, OU=Domain Control Validated (sha256RSA 2048 bits) expires 02/15/2019 15:59:59 -520 days.
Warning Certificate found:
CN=ca.xx.xx.xx (sha1RSA 2048 bits) expires 12/21/2060 08:42:15 14763 days.
I can PM someone the ini file. Thank you!
scottwilkerson
Re: Monitoring a Certificate Authority
The Exchange is a collection of community plugins that we really cannot support as we didn't create most of them. We do often assist if we have the equipment to run tests on this side, but in this case we do not.
I would first get the plugin working just from PowerShell, and then make sure the extension matches extensions you have listed in the ini, and then add the command.
If you need further assistance and to send us the ini, I would suggest opening a ticket
https://support.nagios.com/tickets/
Re: Monitoring a Certificate Authority
I just want to say that thanks to Sean Sax, we were able to get this working.
Using this Nagios Exchange post: https://exchange.nagios.org/directory/P ... os/details
Step 1: Copy the PS scripts to the following location on the host Certificate Authority - C:\Program Files\NSClient++\scripts (I created a sub-folder named 'CertificateHealth' to house all four scripts)
Step 2: Modify the host nsclient.ini configuration file with the following entry (restart Windows service nsclient++)
Code:
[/settings/external scripts/scripts]
; PSCheckCertificate
PSCheckCertificate=cmd /c echo Import-Module 'C:\Program Files\NSClient++\scripts\CertificateHealth\CertificateHealth.psm1' ; Get-UnhealthyCertificateNagios ; exit($lastexitcode) | powershell.exe -command -
Step 3: Create a new command in XI (I named mine 'check_certificate_authority')
Code:
$USER1$/check_nrpe -H $HOSTADDRESS$ -u -t 90 -c $ARG1$
Step 4: The argument for your Service Check should be: PSCheckCertificate
Step 5: There is a section for parameter variables in the PS script named 'Get-UnhealthyCertificateNagios.ps1' where I had to make two changes to ensure we were checking the correct group of certificates
Code:
Param
(
    # Name of the server, defaults to local
    [Parameter(Mandatory=$false,
               ValueFromPipelineByPropertyName=$true,
               Position=0)]
    [string]$ComputerName=$env:COMPUTERNAME,
    [int]$returnStateOK = 0,
    [int]$returnStateWarning = 1,
    [int]$returnStateCritical = 2,
    [int]$returnStateUnknown = 3,
    [int]$WarningDays = 60,
    [int]$CriticalDays = 30,
    [string[]]$Path = 'Cert:\CurrentUser',
    [string[]]$ExcludedThumbprint,#=@('DFE816240B40151BBCD7529D4C55627A8CE1671C')
    [string[]]$WarningAlgorithm=('sha1RSA'),
    [string[]]$CriticalAlgorithm=('md5RSA'),
    [int]$CriticalKeySize=1024,
    [int]$WarningKeySize=2048,
    [switch]$Recurse=$true
)
Adjusting the $Path to CurrentUser will ensure you're not monitoring the Local cert store and setting $Recurse to true allows the check to see every cert in the tree.
This allowed us to monitor over 200 certificates simultaneously with a single XI service check.
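An added example, not the Exchange plugin's code and not part of the post above: a PowerShell check showing how thresholds like those in the Param block can map certificate expiry and signature algorithm to Nagios exit codes. The parameter names are reused from that block; the function name Get-CertState and the output wording are assumptions.

```powershell
# Added example: walk a certificate store and report a Nagios state (0/1/2/3).
param(
    [string[]]$Path = 'Cert:\CurrentUser',   # resolved for the account that runs the check
    [int]$WarningDays = 60,
    [int]$CriticalDays = 30,
    [string[]]$WarningAlgorithm = @('sha1RSA'),
    [string[]]$CriticalAlgorithm = @('md5RSA'),
    [string[]]$ExcludedThumbprint = @()
)

function Get-CertState {                      # hypothetical helper name
    param($Cert, [datetime]$Now)
    $days  = [math]::Floor(($Cert.NotAfter - $Now).TotalDays)   # negative once expired
    $alg   = $Cert.SignatureAlgorithm.FriendlyName
    $state = 0
    if ($days -le $WarningDays  -or $WarningAlgorithm  -contains $alg) { $state = 1 }
    if ($days -le $CriticalDays -or $CriticalAlgorithm -contains $alg) { $state = 2 }
    [pscustomobject]@{ State = $state; Days = $days; Algorithm = $alg; Subject = $Cert.Subject }
}

try {
    # -Recurse also returns store containers, so keep only certificate objects.
    $certs = @(Get-ChildItem -Path $Path -Recurse -ErrorAction Stop |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        Where-Object { $ExcludedThumbprint -notcontains $_.Thumbprint })
} catch {
    Write-Output "UNKNOWN - cannot read $($Path -join ', '): $($_.Exception.Message)"
    exit 3
}

$now     = Get-Date
$results = @($certs | ForEach-Object { Get-CertState -Cert $_ -Now $now })
$bad     = @($results | Where-Object { $_.State -gt 0 } | Sort-Object State -Descending)

if ($bad.Count -eq 0) {
    Write-Output "OK - $($results.Count) certificates checked"
    exit 0
}
$label = @{ 1 = 'WARNING'; 2 = 'CRITICAL' }
$worst = $bad[0].State                        # the worst state decides the exit code
Write-Output "$($label[$worst]) - $($bad.Count) of $($results.Count) certificates need attention"
foreach ($r in $bad) {
    Write-Output "$($label[$r.State]): $($r.Subject) ($($r.Algorithm)) expires in $($r.Days) days"
}
exit $worst
```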
scottwilkerson
Re: Monitoring a Certificate Authority
Thanks for sharing the solution you came up with!
Locking thread