Monitor root ca expiry

Posted: Tue Jun 02, 2020 5:06 am
by elinagios
Hello

Is there a way/script to monitor not the end web certificate but the CA root/intermediate expiration? Either monitoring via the website or locally via the certificate chain file.

Thank you!

Re: Monitor root ca expiry

Posted: Tue Jun 02, 2020 4:04 pm
by ssax
That's an interesting scenario, I wasn't able to find a plugin that currently supports doing this. They all check the main cert and stop after that.

You should be able to write a plugin to do it but one doesn't currently exist:

https://stackoverflow.com/questions/27066296/check-enddate-for-intermediate-certificate-in-chain
What format is your chain file in? Does that include your root cert?

A lot of times when you query a host it won't show the offline root cert (if it's not set up to), so that will also impact the ability for the check to determine when your root expires.

Re: Monitor root ca expiry

Posted: Wed Jun 03, 2020 1:37 am
by elinagios
What format is your chain file in? Does that include your root cert?
It's PEM format and it's an official CA chain. The problem is CA root and intermediate certificates tend to end in 20 years and after they do, legacy devices and services which don't have updated roots in them tend to break.
For example:
https://www.sslshopper.com/ssl-checker. ... bc.com:443
You can see the chain that has been set up. It's not a local CA that is offline. Not sure what's the easiest way to monitor the intermediate/root. As you say, a new plugin needs to be written.

Re: Monitor root ca expiry

Posted: Wed Jun 03, 2020 4:29 pm
by ssax
I totally understand the issue, something just doesn't exist for it today in our current feature set.

I can submit a feature request on your behalf if you'd like? Please keep in mind that the decision to implement the enhancement is at the discretion of our development team.

If you're able to write your own, you can see here for more info:

https://assets.nagios.com/downloads/nag ... inapi.html
https://nagios-plugins.org/doc/guidelines.html

Thank you
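
A sketch of the kind of plugin discussed in this thread, added here as an example (it is not from the posters or from Nagios): it reads a local PEM chain file, so it also covers a root that a live host query may not send, and reports the certificate closest to expiry using the standard plugin exit codes. It assumes the `openssl` CLI is on the PATH; the function names and the 60/30-day thresholds are illustrative assumptions.

```python
#!/usr/bin/env python3
"""Nagios-style check: days left for every certificate in a PEM chain file."""
import re
import subprocess
import sys
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # plugin exit codes

def split_chain(pem_text):
    """Return every certificate block in the bundle (leaf, intermediates, root)."""
    return PEM_RE.findall(pem_text)

def parse_not_after(line):
    """Parse openssl's 'notAfter=Jun  2 12:00:00 2040 GMT' into an aware datetime."""
    value = line.strip().split("=", 1)[1]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def read_cert(pem_block):
    """Ask the openssl CLI for one certificate's subject and expiry date."""
    out = subprocess.run(["openssl", "x509", "-noout", "-subject", "-enddate"],
                         input=pem_block, capture_output=True, text=True, check=True).stdout
    lines = out.splitlines()
    subject = next(l for l in lines if l.startswith("subject"))
    end = next(l for l in lines if l.startswith("notAfter="))
    return subject.split("=", 1)[1].strip(), parse_not_after(end)

def evaluate(certs, now, warn_days=60, crit_days=30):
    """certs: list of (subject, not_after). Returns (exit_code, status_line)."""
    if not certs:
        return UNKNOWN, "CHAIN UNKNOWN - no certificates found"
    days = sorted(((na - now).days, subj) for subj, na in certs)
    worst, subj = days[0]  # the certificate closest to (or furthest past) expiry
    code = CRITICAL if worst < crit_days else WARNING if worst < warn_days else OK
    label = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}[code]
    perf = " ".join(f"cert{i}_days={d}" for i, (d, _) in enumerate(days))
    return code, f"CHAIN {label} - '{subj}' has {worst} days left | {perf}"

if __name__ == "__main__":
    try:
        with open(sys.argv[1]) as fh:
            blocks = split_chain(fh.read())
        code, msg = evaluate([read_cert(b) for b in blocks], datetime.now(timezone.utc))
    except (IndexError, OSError, subprocess.CalledProcessError, StopIteration) as exc:
        code, msg = UNKNOWN, f"CHAIN UNKNOWN - {exc!r}"
    print(msg)
    sys.exit(code)
```

Run it with the chain file path as the only argument; a negative day count means that certificate has already expired.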