Type
  • Best practice
Description
  • This article explains how to configure Monitoring Studio and BMC Performance Manager Express Monitoring Studio to be automatically informed when an SSL Certificate is about to reach its expiration date.
Additional Keywords
  • Shell, SSL, SSL Certificate

Related Topic

Knowledge Base

Monitoring Studio: Monitoring SSL Certificate Expiration Date

KB1032 - Jun 08, 2010

Objective

To be automatically notified when an SSL Certificate is about to reach its expiration date.

Solution

Monitor SSL Certificate Expiration dates with Monitoring Studio.

On Linux systems

A pre-existing shell script exists and can be downloaded from here:

Details about how to use this script can be found at the same address.

By configuring Monitoring Studio/Monitoring Studio Express to run the following command:

$ ssl-cert-check -f ssldomains
Host                                            Status       Expires      Days Left
----------------------------------------------- ------------ ------------ ----------
www.prefetch.com:443                            Valid        May 23 2006  218

A Numerical Value Extraction can be used to collect the "Days Left" value, upon which thresholds can be set.

On Windows systems

A simple batch file has been written by Sentry Software (below) that can perform the same task.

This batch file will return the number of days until expiry.  

Note: the value can include a fraction of a day, due the way the calculation is done and how leap years are taken into configuration.
The batch file might require customization based on the date format returned by the windows systems.  English, French, German and Swedish formats are included by default.

Batch file installation instructions for Monitoring Studio KM for PATROL

  1. Install openssl on the Server with the PATROL Agent and add c:\openssl\bin to the main system path. 
  2. A copy of nawk.exe will also need to be in the main system path.
  3. Create a new Command Line Analysis
    Command to execute – ssl-cert-check ‹hostname› ‹port›
    i.e. – ssl-cert-check redhat.com 443
  4. Create a numerical value extraction. 
    “In the following Column Number”
    “1”
    Format – “100000.00”
  5. Then set the thresholds you require.

Batch file installation instructions for BMC Performance Manager Express Monitoring Studio

  1. Install openssl on a Server. Add c:\openssl\bin to the main system path.  A copy of nawk.exe will also need to be in the main system path.
  2. Test the batch file by running: ssl-cert-check redhat.com 443
  3. Add an element in Portal of type Windows.
  4. Add Studio - Remote Command Execution and Analysis (Windows)
    Enter credentials
    Add a Remote Command Execution and Analysis (Windows) : Input properties
    Command to execute – ssl-cert-check ‹hostname› ‹port›
    Create a numerical value extraction. 
    “In the following Column Number”
    “1”
    Format – “100000.00”
  5. Then set the thresholds you require.

Batch File (ssl-cert-check.bat) contents

@REM  ----------START OF BATCH FILE---------------
@echo off
:: %1 = ServerAddress
:: %2 = Port

:: Get the certificate
openssl s_client -connect %1:%2 2›%TMP%\SW_%1.err 1›%TMP%\SW_%1.crt

:: Echo Today's date
echo. | date › %TMP%\SW_%1.date

:: Echo Expiry date
openssl x509 -in %TMP%\SW_%1.crt -enddate -noout ›› %TMP%\SW_%1.date

:: Process this through an awk script
:: Note:  The Awk script might need to be modified if the OS language is not English
:: Execute a "date" from the command prompt to get the format
:: Enter the new date: (dd-mm-yy) = /.dd.mm.yy./

echo  $NF ~ /[0-9]+[-.\/ ][0-9]+[-.\/ ][0-9]+/ {today=$NF;getline;format=$NF;                    › %TMP%\SW_%1.awk

:: ENGLISH (DD MM YY)
echo       if (format~/.yy.mm.dd./) {split(today,t,"[-.\/ ]");TodayD=t[3];TodayM=t[2];TodayY=t[1];}  ›› %TMP%\SW_%1.awk
echo       if (format~/.mm.dd.yy./) {split(today,t,"[-.\/ ]");TodayD=t[2];TodayM=t[1];TodayY=t[3];}  ›› %TMP%\SW_%1.awk
echo       if (format~/.dd.mm.yy./) {split(today,t,"[-.\/ ]");TodayD=t[1];TodayM=t[2];TodayY=t[3];}  ›› %TMP%\SW_%1.awk
echo.                                                                                           ›› %TMP%\SW_%1.awk
:: FRENCH (JJ MM AA)
echo       if (format~/.aa.mm.jj./) {split(today,t,"[-.\/ ]");TodayD=t[3];TodayM=t[2];TodayY=t[1];}  ›› %TMP%\SW_%1.awk
echo       if (format~/.mm.jj.aa./) {split(today,t,"[-.\/ ]");TodayD=t[2];TodayM=t[1];TodayY=t[3];}  ›› %TMP%\SW_%1.awk
echo       if (format~/.jj.mm.aa./) {split(today,t,"[-.\/ ]");TodayD=t[1];TodayM=t[2];TodayY=t[3];}  ›› %TMP%\SW_%1.awk
echo.                                                                                                ›› %TMP%\SW_%1.awk
:: GERMAN (TT MM JJ)
echo       if (format~/.jj.mm.tt./) {split(today,t,"[-.\/ ]");TodayD=t[3];TodayM=t[2];TodayY=t[1];}  ›› %TMP%\SW_%1.awk
echo       if (format~/.mm.tt.jj./) {split(today,t,"[-.\/ ]");TodayD=t[2];TodayM=t[1];TodayY=t[3];}  ›› %TMP%\SW_%1.awk
echo       if (format~/.tt.mm.jj./) {split(today,t,"[-.\/ ]");TodayD=t[1];TodayM=t[2];TodayY=t[3];}  ›› %TMP%\SW_%1.awk
echo.                                                                                           ›› %TMP%\SW_%1.awk  
:: SWEDISH (TT MM JJ)
echo       if (format~/.år.må.da./) {split(today,t,"[-.\/ ]");TodayD=t[3];TodayM=t[2];TodayY=t[1];}  ›› %TMP%\SW_%1.awk
echo       if (format~/.må.da.år./) {split(today,t,"[-.\/ ]");TodayD=t[2];TodayM=t[1];TodayY=t[3];}  ›› %TMP%\SW_%1.awk
echo       if (format~/.da.må.år./) {split(today,t,"[-.\/ ]");TodayD=t[1];TodayM=t[2];TodayY=t[3];}  ›› %TMP%\SW_%1.awk
echo.                                                                                           ›› %TMP%\SW_%1.awk
echo  if (TodayY ^‹ 100) {TodayY="20"TodayY};       ›› %TMP%\SW_%1.awk
echo  TodayJDY = TodayY + 4800 - ((14-TodayM)/12)   ›› %TMP%\SW_%1.awk
echo  TodayJDM = TodayM + 12 * ((14-TodayM)/12) - 3   ›› %TMP%\SW_%1.awk
echo  TodayJD = TodayD + (153*TodayJDM+2)/5 + TodayJDY*365 + TodayJDY/4 - 32083                 ›› %TMP%\SW_%1.awk
echo.                                                                                                ›› %TMP%\SW_%1.awk 
echo  getline;                                                                                  ›› %TMP%\SW_%1.awk
echo.                                                                                                ›› %TMP%\SW_%1.awk
echo  ExpireMWord=$1; gsub (/notAfter=/,"",ExpireMonthWord);    ›› %TMP%\SW_%1.awk
echo  if (ExpireMWord ~ /Jan/) {ExpireM=1} ›› %TMP%\SW_%1.awk
echo  if (ExpireMWord ~ /Feb/) {ExpireM=2} ›› %TMP%\SW_%1.awk   
echo  if (ExpireMWord ~ /Mar/) {ExpireM=3} ›› %TMP%\SW_%1.awk
echo       if (ExpireMWord ~ /Apr/) {ExpireM=4}  ›› %TMP%\SW_%1.awk
echo       if (ExpireMWord ~ /May/) {ExpireM=5}  ›› %TMP%\SW_%1.awk
echo  if (ExpireMWord ~ /Jun/) {ExpireM=6} ›› %TMP%\SW_%1.awk
echo  if (ExpireMWord ~ /Jul/) {ExpireM=7} ›› %TMP%\SW_%1.awk
echo  if (ExpireMWord ~ /Aug/) {ExpireM=8}  ›› %TMP%\SW_%1.awk
echo  if (ExpireMWord ~ /Sep/) {ExpireM=9}   ›› %TMP%\SW_%1.awk
echo  if (ExpireMWord ~ /Oct/) {ExpireM=10}  ›› %TMP%\SW_%1.awk
echo  if (ExpireMWord ~ /Nov/) {ExpireM=11} ›› %TMP%\SW_%1.awk
echo       if (ExpireMWord ~ /Dec/) {ExpireM=12}  ›› %TMP%\SW_%1.awk
echo  ExpireD=$2   ›› %TMP%\SW_%1.awk
echo  ExpireY=$4   ›› %TMP%\SW_%1.awk 
echo.                                                                                                ›› %TMP%\SW_%1.awk
echo  ExpireJDY = ExpireY + 4800 - ((14-ExpireM)/12) ›› %TMP%\SW_%1.awk
echo  ExpireJDM = ExpireM + 12 * ((14-ExpireM)/12) - 3  ›› %TMP%\SW_%1.awk
echo  ExpireJD = ExpireD + (153*ExpireJDM+2)/5 + ExpireJDY*365 + ExpireJDY/4 - 32083     ›› %TMP%\SW_%1.awk
echo  if ((TodayJD ^› 2451000) ^&^& (ExpireJD ^› 2451000)) {print ExpireJD-TodayJD}   ›› %TMP%\SW_%1.awk
echo                                        }                                                   ›› %TMP%\SW_%1.awk
nawk -f %TMP%\SW_%1.awk %TMP%\SW_%1.date

@REM  ----------END OF BATCH FILE---------------